Bug#975331: release-notes: Installation guide: No instructions for verifying image integrity after download
Control: retitle -1 Installation guide: No instructions for verifying image integrity after download
Control: tags -1 + patch
xloem <0xloem@gmail.com> wrote:
> Package: release-notes
> Severity: important
> X-Debbugs-Cc: 0xloem@gmail.com
>
> Dear Maintainer,
>
> I'm pursuing installing Debian using the netboot concatenatable SD card images
> in debian/dists/bullseye/main/installer-arm64/current/images/ , and I found it
> seems very hard to verify their signatures.
>
> I checked on irc in #debian and was referred to the documentation, but we
> discovered that instructions for this are missing from
> https://www.debian.org/releases/stable/arm64/ch04s02.en.html .
>
> I was referred to the internals of a source package to find tools to accomplish
> this very basic task.
>
> It is important to provide a reasonable way to verify the integrity of
> installation media.
I have prepared a patch, to add a small chapter on this topic to the guide
(and correct a misleading phrase in chapter 4.2).
Patch attached.
Holger
--
Holger Wansing <hwansing@mailbox.org>
PGP-Fingerprint: 496A C6E8 1442 4B34 8508 3529 59F1 87CA 156E B076
>From 324f1597f64ad1badc2c468f964ec06ec7e38740 Mon Sep 17 00:00:00 2001
From: Holger Wansing <hwansing@mailbox.org>
Date: Fri, 20 Nov 2020 21:24:23 +0100
Subject: [PATCH] Add chapter about verifying integrity of installation files
---
build/templates/docstruct.ent | 1 +
en/install-methods/downloading-files.xml | 4 +-
en/install-methods/install-methods.xml | 1 +
en/install-methods/verifying-files.xml | 70 ++++++++++++++++++++++++
4 files changed, 74 insertions(+), 2 deletions(-)
create mode 100644 en/install-methods/verifying-files.xml
diff --git a/build/templates/docstruct.ent b/build/templates/docstruct.ent
index 112c7881b..dd3e8d273 100644
--- a/build/templates/docstruct.ent
+++ b/build/templates/docstruct.ent
@@ -71,6 +71,7 @@
<!ENTITY tftp-bootp.xml SYSTEM "##SRCPATH##/install-methods/tftp/bootp.xml">
<!ENTITY tftp-dhcp.xml SYSTEM "##SRCPATH##/install-methods//tftp/dhcp.xml">
<!ENTITY automatic-install.xml SYSTEM "##SRCPATH##/install-methods/automatic-install.xml">
+ <!ENTITY verifying-files.xml SYSTEM "##SRCPATH##/install-methods/verifying-files.xml">
<!ENTITY boot-installer.xml SYSTEM "##SRCPATH##/boot-installer/boot-installer.xml">
diff --git a/en/install-methods/downloading-files.xml b/en/install-methods/downloading-files.xml
index ad67f8f16..5ecd45eca 100644
--- a/en/install-methods/downloading-files.xml
+++ b/en/install-methods/downloading-files.xml
@@ -12,10 +12,10 @@ To find the nearest (and thus probably the fastest) mirror, see the
</para>
<sect2 id="where-files">
- <title>Where to Find Installation Images</title>
+ <title>Where to Find Installation Files</title>
<para>
-The installation images are located on each &debian; mirror in the directory
+Various installation files can be found on each &debian; mirror in the directory
<ulink url="&url-debian-installer;images">debian/dists/&releasename;/main/installer-&architecture;/current/images/</ulink>
— the <ulink url="&url-debian-installer;images/MANIFEST">MANIFEST</ulink>
lists each image and its purpose.
diff --git a/en/install-methods/install-methods.xml b/en/install-methods/install-methods.xml
index 5b4710eac..e387fcb3e 100644
--- a/en/install-methods/install-methods.xml
+++ b/en/install-methods/install-methods.xml
@@ -10,5 +10,6 @@
&boot-drive-files.xml;
&install-tftp.xml;
&automatic-install.xml;
+&verifying-files.xml;
</chapter>
diff --git a/en/install-methods/verifying-files.xml b/en/install-methods/verifying-files.xml
new file mode 100644
index 000000000..29ff01e4d
--- /dev/null
+++ b/en/install-methods/verifying-files.xml
@@ -0,0 +1,70 @@
+<!-- retain these comments for translator revision tracking -->
+<!-- $Id$ -->
+
+ <sect1 id="verifying-files">
+ <title>Verifying the integrity of installation files</title>
+
+<para>
+
+You can verify the integrity of downloaded files against checksums
+provided in <filename>SHA256SUMS</filename> or <filename>SHA512SUMS</filename>
+files on Debian mirrors.
+Look at the following locations, to find those checksum files:
+
+</para>
+
+<itemizedlist>
+<listitem><para>
+
+<ulink url="https://cdimage.debian.org/debian-cd/current/&architecture;/iso-cd/";>checksum
+files for CD images</ulink>,
+
+</para></listitem>
+<listitem><para>
+
+<ulink url="https://cdimage.debian.org/debian-cd/current/&architecture;/iso-dvd/";>checksum
+files for DVD images</ulink>,
+
+</para></listitem>
+<listitem><para>
+
+<ulink url="https://cdimage.debian.org/debian-cd/current/&architecture;/iso-bd/";>checksum
+files for BD images</ulink>,
+
+</para></listitem>
+<listitem><para>
+
+<ulink url="http://http.us.debian.org/debian/dists/&releasename;/main/installer-&architecture;/current/images/";>checksum
+files for other installation files</ulink>.
+
+</para></listitem>
+</itemizedlist>
+
+<para>
+
+To compute the checksum of a downloaded installation file, use
+
+<informalexample><screen>
+sha256sum filename.iso
+</screen></informalexample>
+
+respective
+
+<informalexample><screen>
+sha512sum filename.iso
+</screen></informalexample>
+
+and then compare the shown checksum against the corresponding one in the
+<filename>SHA256SUMS</filename> or <filename>SHA512SUMS</filename> file.
+
+</para><para>
+
+The <ulink url="&url-debian-cd-faq;">Debian CD FAQ</ulink> has
+<ulink url="https://www.debian.org/CD/faq/index.en.html#verify";>more useful information</ulink>
+on this topic (such as the script <filename>check_debian_iso</filename>, to semi-automate
+above procedure).
+
+
+</para>
+
+ </sect1>
--
2.20.1
Reply to: