Re: question regarding verification of a debian installation iso

On Sun, 2011-01-02 at 18:56 +0100, Naja Melan wrote:
> I'm trying to verify that the debian iso I downloaded has not been
> tampered with by following the following faq entry:
> http://www.debian.org/CD/faq/#verify
> There are some things I don't understand yet. I have gotten as far as
> downloading the checksum files, the iso and the signatures of the
> checksum files. Now to verify the checksums I need the public key of
> the keypair used to sign the checksum files. I'm using gpa and
> downloaded that public key. So far, all that has happened is that my
> problem has been pushed down the line, because now I have a public key
> in my keyring that came over the internet and I have no idea on how to
> verify that one.

At some point you always have a bootstrapping problem in your trust
path. At some point you have to put your trust in something that you
either verify yourself or get via a secure enough transport.

In this case the MD5SUMS file (also SHA1SUMS, SHA256SUMS and SHA512SUMS
available) can be used to verify the integrity of the iso file(s).

The authenticity of the MD5SUMS file (and the others) can be verified by
the .sign files which are PGP signatures. They should be signed by the
Debian CD signing key.

The last step is how to get the public key and verify its authenticity.
If you are part of the PGP web of trust this is easy as the key is
signed by some well-connected people and you can just get it from your
favourite keyserver. Another alternative would be to download the public
key over some secure enough transport (e.g. an https website with a
valid certificate issued to something that looks trustworthy enough).

The Debian archive signing keys can be found here:
but I don't think the Debian CD signing key can be found there (nor is
there a trust path from the keys you can download there). I think this
is an omission.
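The integrity step described in the reply (checksum file against the downloaded image), as an added example that is not part of the original thread: it builds a constructed stand-in image and SHA256SUMS file so it runs offline, and the authenticity step (gpg --verify against the .sign file) appears only as a comment because it needs the real signature and the CD signing key. The file names and the zero hash are constructed placeholders.

```shell
#!/bin/sh
# Added example; not from the original mail. Requires GNU coreutils sha256sum.
#
# Order matters: first check the checksum file's authenticity,
#   gpg --verify SHA256SUMS.sign SHA256SUMS
# and compare the signing key's fingerprint with the one published on
# debian.org over https (the "secure enough transport" from the reply).
# Only then does a matching checksum say anything about the iso.

# make_fixture DIR: write a constructed stand-in "iso" plus a SHA256SUMS file
# that, like the real one, also lists an image we never downloaded.
make_fixture() {
    dir="$1"
    mkdir -p "$dir"
    printf 'constructed stand-in for an installer image\n' \
        > "$dir/debian-x-netinst.iso"
    ( cd "$dir" && sha256sum debian-x-netinst.iso > SHA256SUMS )
    # entry for an image that is not present locally (placeholder hash)
    printf '%064d  debian-x-DVD-1.iso\n' 0 >> "$dir/SHA256SUMS"
}

# check_iso DIR: verify every listed file that is present in DIR.
# --ignore-missing stops sha256sum from reporting the images you did not
# download; --quiet prints only mismatches. Exit status 0 means all present
# files matched, non-zero means at least one was altered or corrupted.
check_iso() {
    ( cd "$1" && sha256sum -c --ignore-missing --quiet SHA256SUMS )
}
```

In practice the real SHA256SUMS and SHA256SUMS.sign from the Debian CD mirror replace the constructed fixture; the check_iso call stays the same.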

