fast option for CD image verification?
- To: firstname.lastname@example.org
- Subject: fast option for CD image verification?
- From: Marcel (Felix) Giannelia <email@example.com>
- Date: Sat, 21 Jun 2014 23:42:44 -0700
- Message-id: <firstname.lastname@example.org>
This has been said before, but it still annoys me. I've just downloaded
a Debian CD image and I want to verify its authenticity.
I now have to:
1. get gpg set up (since on most machines I never use it)
2. find the page that says where the Debian key server is (because I
don't remember it)
3. find the command for getting a key from the key server (because I
don't remember it) and get the key from the key server
4. go back to the "how to verify cd authenticity" page (which doesn't
actually explain how to do any of these steps) and find the list of key
5. convince gpg to trust the key from the key server
6. check the checksums file signature
7. check the checksum of the image file.
Now, this would be great if I knew someone personally who had a line
of trust back to the Debian CD image signing key. But as I do not know
such a person, my best (and most practical) method of getting *some*
measure of authentication here is to access a Debian-related page over
HTTPS and trust the web server certificate.
When using the above convoluted process, the only real security in any
of it rests entirely on step 4: the only page that actually uses SSL.
The key server doesn't, and the CD image server/mirror doesn't.
Given that that's the case, it would be *really* nice if the CD image
checksums were available from the "how to verify cd authenticity" page
directly. Then I would go there over HTTPS, copy & paste the checksums,
and I'd be done.
If that's somehow impractical, then can you at least put a copy of the
signing key *with* the CD images? That way I can download it while I'm
already there, and I can skip steps 2 and 3 -- and remember, since the
key server isn't using SSL and it's necessary to check the key's
fingerprint anyway, putting the key on potentially untrusted mirrors is
really no less secure.
PS: I came across a post from 2011, where someone suggests putting a
gpg step-by-step on the "how to verify" page:
This appears to have been met favourably; what happened?