[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: dont understand how to verify ISO

On Sat, Dec 24, 2016 at 10:10:27AM +0100, def87@gmx.de wrote:
> I have difficulties with the explanation on how to verify your downloaded
> debian ISO.

This is really more of a question for the CD team rather than
keyring-maint; I've tried my best to answer below, but have also copied
debian-cd so they can comment (or perhaps just update the

> On this page https://keyring.debian.org/ it says "Once you know the
> key's ID ..."
> Well, how do I find out that key for my ISO? A little bit more
> information would be helpful :/ I have downloaded
> debian-8.6.0-amd64-CD-1.iso
> On this page https://www.debian.org/CD/verify there are 3 fingerprints
> at the bottom. I do not know what a fingerprint is but apparently it's
> not what I'm looking for (but then again why would they provide these
> instead of a key). So where do I find the key that I need?

On Sat, Dec 24, 2016 at 04:49:28PM +0100, def87@gmx.de wrote:
> to make myself more clear about what I meant this morning:
> I want to use the command
> gpg --keyserver x --recv-key y
> I know what the x must be: keyring.debian.org
> But what do I need to replace the y for?
> On this page
> http://cdimage.debian.org/debian-cd/8.6.0/amd64/iso-cd/
> I clicked on the "verification guide"
> but it's not really a "guide" since it doesn't really explain what I need
> to do :/
> There are just 3 fingerprints which seems unrelated to the command above.
> My ISO is debian-8.6.0-amd64-CD-1.iso

So the CDs themselves are not signed; what is signed are the hashes of
the images. These are the *SUMS files, with the signatures being in
*SUMS.signed. So, for example, you might chose to verify the SHA256 sum
of the image you have downloaded.

$ wget -q http://cdimage.debian.org/debian-cd/8.6.0/amd64/iso-cd/SHA256SUMS
$ wget -q http://cdimage.debian.org/debian-cd/8.6.0/amd64/iso-cd/SHA256SUMS.sign

And then verify that file:

$ gpg SHA256SUMS.sign
gpg: assuming signed data in 'SHA256SUMS'
gpg: Signature made Sun 18 Sep 2016 17:23:45 BST
gpg:                using RSA key 0xDA87E80D6294BE9B
gpg: Can't check signature: No public key

Which helpfully tells you which key was used to sign that file; the 2nd
one listed on the verification page.

$ gpg --keyserver keyring.debian.org --recv-key 0xDA87E80D6294BE9B
gpg: key 0xDA87E80D6294BE9B: public key "Debian CD signing key <debian-cd@lists.debian.org>" imported

$ gpg SHA256SUMS.sign
gpg: assuming signed data in 'SHA256SUMS'
gpg: Signature made Sun 18 Sep 2016 17:23:45 BST
gpg:                using RSA key 0xDA87E80D6294BE9B
gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>" [undefined]

So we know that file is good. We then look for the SHA256 for the file
you've downloaded:

$ grep debian-8.6.0-amd64-CD-1.iso SHA256SUMS
e9cb144e486409b2ea1454dceae8d46e0ebab88435cf0b6e7a18f3aa3a51c538 debian-8.6.0-amd64-CD-1.iso

And you should be able to use "sha256sum" against the file you've
downloaded to confirm that it matches this hash.


Web [ Most people are descended from apes. Redheads are descended  ]
site: http:// [                from cats.                ]       Made by
www.earth.li/~noodles/  [                      ]         HuggieTag 0.0.24

Reply to: