
[LCFC] wml://CD/verify.html



Hi,

On 02/04/2011 19:21, Justin B Rye wrote:

[ Lots of well-advised and interesting remarks, as always ]

Thanks a lot Justin. No one else had something to add so far, so I
reattach the file you just sent, in order to gather last remarks before
committing it (well, it will be on CVS, so we can always change or add
stuff afterwards).

Regards

David

P.-S.: I may continue bothering the L10n English list if that's OK with
you for further WML editing (I'm not confident enough in my en_FR for
what I plan to change in the near future).

#use wml::debian::cdimage title="Verifying authenticity of Debian CDs" BARETITLE=true

<p>Official releases of Debian CDs come with signed checksum
files. These allow you to check that the images you download are
correct. First of all, the checksum can be used to check that the CDs
have not been corrupted during download. Secondly, the signatures on
the checksum files allow you to confirm that the files are the ones
officially released by the Debian CD / Debian Live team and have not
been tampered with.</p>

<p>To validate the contents of a CD image, just be sure to use the
appropriate checksum tool. For older archived CD releases, only MD5
checksums were generated in the <tt>MD5SUMS</tt> files; you should use
the tool <tt>md5sum</tt> to work with these. For newer releases,
newer and cryptographically stronger checksum algorithms
(SHA1, SHA256 and SHA512) are used, and there are equivalent tools available to
work with these.</p>

<p>To ensure that the checksum files themselves are correct, use
GnuPG to verify them against the accompanying signature files
(e.g. <tt>MD5SUMS.sign</tt>). The keys used for these signatures are
all in the <a href="http://keyring.debian.org">Debian GPG keyring</a>
and the best way to check them is to use that keyring to validate via
the web of trust. To make life easier for users, here are the
fingerprints for the keys that have been used for releases in recent
years (with some UIDs removed for clarity):</p>

#include "$(ENGLISHDIR)/CD/CD-keys.data"

<p>
Official <q>role</q> keys have gradually replaced the use of personal
keys belonging to developers. However, a decision was made not to go
back and re-sign all the old releases that were
already signed using the older keys.</p>

Attachment: signature.asc
Description: OpenPGP digital signature
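
The two checks described in the attached page, in the order that makes the result trustworthy (signature on the checksum file first, then the image against that file), as an added example that is not part of the original message or of the Debian page. The function names, the return codes and the use of `gpgv` with a caller-supplied keyring file are assumptions of this example.

```shell
#!/bin/sh
# Added example: verify a downloaded image against a signed checksum file.
# Source this file, then call verify_download. All file names and the
# keyring path are supplied by the caller; none come from the page.

# Step 1: check the detached signature on the checksum file.
# $1 = keyring file holding the CD signing keys
# $2 = checksum file; its signature is expected beside it as "$2.sign"
verify_sums_signature() {
    gpgv --keyring "$1" "$2.sign" "$2"
}

# Step 2: check one image against its line in the checksum file.
# $1 = checksum tool (md5sum, sha256sum, sha512sum, ...)
# $2 = checksum file, $3 = image
# Returns 0 on match, 1 on mismatch, 2 if the image is not listed at all.
# Assumes image names without spaces, as in "<hex digest>  <file name>".
verify_image() {
    tool=$1 sums=$2 image=$3
    name=$(basename "$image")
    # A '*' before the name marks binary mode; strip it before comparing.
    expected=$(awk -v n="$name" \
        '{ f = $2; sub(/^\*/, "", f) } f == n { print $1; exit }' "$sums")
    [ -n "$expected" ] || return 2
    actual=$("$tool" "$image" | awk '{ print $1 }')
    [ "$expected" = "$actual" ]
}

# Both steps together. The checksum file is only consulted once its
# signature has verified; an unsigned checksum file proves nothing
# about tampering, only about download corruption.
# $1 = keyring, $2 = checksum tool, $3 = checksum file, $4 = image
# Returns 3 if the signature check fails, otherwise verify_image's status.
verify_download() {
    if ! verify_sums_signature "$1" "$3"; then
        echo "signature check failed for $3" >&2
        return 3
    fi
    verify_image "$2" "$3" "$4"
}
```

A return status of 2 is kept distinct from 1 so that a checksum file for the wrong release is not mistaken for a corrupted download.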

