Re: Can we get a signature for armhf SD-card images?
Vagrant et al. -
On Tue, Jan 31, 2023 at 06:57:17PM -0800, Vagrant Cascadian wrote:
> Take a look at:
> The Release file is signed(either inline as InRelease or detatched as
> Release.gpg), and has checksums for the relevent SHA256SUMS files that
> you are looking for...
Cool! That's the hint I was looking for. I can now verify the files
for a fresh Bookworm install I'm about to attempt on an armhf SBC.
> > Am I blind?
> It is admittedly a bit indirect and non-obvious, [...]
I'm all too aware of how hard it it is to make good (complete,
comprehensible, discoverable) documentation.
I just tried a number of Internet searches e.g.,
"verify integrity of debian release files" and nothing pointed me to the
magic "Release" file. Lots of hints about getting to the SHA256SUMS files.
The install guide section
4.6. Verifying the integrity of installation files
seems key. It gives three main links: to CD and DVD (each goes to nice pages
on cdimage.debian.org that mention that the checksum files are signed),
and one to "other installation files" (on ftp.debian.org) that does not.
That would seem to say that
deserves a README about integrity-checking and the existence of a
digital signature for Release.