Re: Proposal to augment CD/faq/#verify, version 2
Mon, 09 Sep 2024 12:45:06 +0200 Thomas Schmitt wrote:
> - The text points to the authenticity verification page
>   https://www.debian.org/CD/verify
>   which gives no tangible example of how to verify *SUMS files by *SUMS.sign.
>   Quite a lot of experience is needed to convert the instructions to
>   actual program runs.
I do not mind that there is a page whose purpose is solely to specify
key IDs and fingerprints, since it is the most sensitive info. What I do not
like are the descriptions of links to this page:
- "verification guide"
<https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/>
- "Detailed information on how to authenticate the signed checksum
files containing the checksums of the ISO image files is available
on the authenticity verification page."
<https://www.debian.org/CD/faq/#verify>
In my opinion, links should be clearly described as the place where
public keys used to sign SUMS files are specified.
> The checksum files SHA256SUMS and SHA512SUMS in the directories
> with the ISO images can be verified with the help of the PGP signature
> files SHA256SUMS.sign and SHA512SUMS.sign by e.g.
>   $ gpg --keyserver keyring.debian.org --recv-keys 64E6EA7D 6294BE9B 09EA8AC3
Although I do not expect keys with colliding 32-bit identifiers to be
uploaded to keyring.debian.org, I think it is better to use 64-bit
identifiers here and to say explicitly that they are taken from
<https://www.debian.org/CD/verify>.
I am unsure whether there are drawbacks to the following recipe. Debian users
may try:
sudo apt install debian-keyring
gpgv --keyring /usr/share/keyrings/debian-role-keys.gpg \
SHA512SUMS.sign SHA512SUMS
However, there is a small chance that a key might be revoked.
Nowadays the SUMS files may be obtained over HTTPS from
cdimage.debian.org even if the image file is downloaded from a local mirror.
That is secure enough. Perhaps the additional confidence provided by gpg
should be briefly described.
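The two-step check discussed in this thread (signature over the checksum file, then checksum over the image), written out as an added shell example that is not from the thread or from Debian's own documentation. It assumes the debian-keyring package is installed (keyring path as in the message), that gpgv and coreutils sha512sum are available, and that the SUMS file, its .sign file and the image sit in the current directory.

```shell
#!/bin/sh
# Added example, not from the thread. Verify a Debian checksum file against
# its detached PGP signature with the role-key keyring shipped by the
# debian-keyring package, then check one downloaded image against the
# verified checksum list. Assumes gpgv and sha512sum (coreutils) exist.
set -eu

# Keyring path as given in the message (from the debian-keyring package).
DEFAULT_KEYRING=/usr/share/keyrings/debian-role-keys.gpg

# Step 1: verify the detached signature. gpgv exits non-zero for a bad
# signature, a missing key or an altered SUMS file. It never contacts a
# key server, so a revoked key is only noticed once the keyring package
# itself has been updated to carry the revocation.
verify_sums_signature() {
  keyring=$1; sig=$2; sums=$3
  gpgv --keyring "$keyring" "$sig" "$sums"
}

# Step 2: check one image against the verified list. Only the line whose
# file name matches exactly is fed to sha512sum, so an image that is not
# listed fails instead of passing silently (SUMS lines are "hash  name").
verify_iso_checksum() {
  sums=$1; iso=$2
  awk -v f="$iso" '$2 == f' "$sums" | sha512sum -c --strict -
}

# Usage: sh verify-debian-iso.sh SHA512SUMS SHA512SUMS.sign debian-NN.iso
if [ $# -eq 3 ]; then
  verify_sums_signature "$DEFAULT_KEYRING" "$2" "$1"
  verify_iso_checksum "$1" "$3"
  echo "OK: $3 matches the signed $1"
fi
```

Both functions return non-zero on any failure, so the script stops at the first step that does not verify.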