Re: Missing GnuPG signatures for checksums

To: Laurențiu Păncescu <lpancescu@gmail.com>
Cc: debian-boot@lists.debian.org
Subject: Re: Missing GnuPG signatures for checksums
From: Julien Cristau <jcristau@debian.org>
Date: Mon, 20 Apr 2020 18:42:46 +0200
Message-id: <[🔎] 20200420164246.GC25389@tomate.cristau.org>
In-reply-to: <[🔎] 65828163-810f-73ce-e851-5aee52793ec7@gmail.com>
References: <[🔎] 65828163-810f-73ce-e851-5aee52793ec7@gmail.com>

On Mon, Apr 20, 2020 at 06:38:48PM +0200, Laurențiu Păncescu wrote:
> Hello,
> 
> I'm trying to put a preseed file on the same USB stick as the installation,
> using hd-media/boot.img.gz is easier than remastering the iso. It works, but
> there seems not to be any signed checksum file for these images and they are
> served only over http:
> 
> http://http.us.debian.org/debian/dists/buster/main/installer-amd64/current/images/
> 
> How can I check if these images are authentic? I guess I could mount a
> signed CD iso like netinst, copy vmlinuz and initrd from there and create my
> own USB stick with syslinux - is there a better way?
> 
Hi,

http://http.us.debian.org/debian/dists/buster/InRelease is signed and contains
checksums for the d-i SHA256SUMS file.  (I realize that still makes
verification awkward.)

Cheers,
Julien

Reply to:

References:
- Missing GnuPG signatures for checksums
  - From: Laurențiu Păncescu <lpancescu@gmail.com>

Prev by Date: Missing GnuPG signatures for checksums
Next by Date: Re: Missing GnuPG signatures for checksums
Previous by thread: Missing GnuPG signatures for checksums
Next by thread: Re: Missing GnuPG signatures for checksums
Index(es):
- Date
- Thread