
Re: question regarding verification of a debian installation iso



On Sun, Jan 02, 2011 at 06:56:06PM +0100, Naja Melan wrote:
> hi,
> 
> I'm trying to verify that the debian iso I downloaded has not been tampered
> with by following the following faq entry:
> 
> http://www.debian.org/CD/faq/#verify
> 
> There are some things I don't understand yet. I have gotten as far as
> downloading the checksum files, the iso and the signatures of the checksum
> files. Now to verify the checksums I need the public key of the keypair used
> to sign the checksum files. I'm using gpa and downloaded that public key. So
> far, all that has happened is that my problem has been pushed down the line,
> because now I have a public key in my keyring that came over the internet
> and I have no idea on how to verify that one.
> 
> Could someone please tell me how I could do that? ( Assuming that all the
> people that signed that key are not at hand here at my home, and so I could
> not receive their public keys personally.)

You probably noticed that other than the MD5 sums as mentioned on
the page it also has SHA1, SHA256 and SHA512 files that are
signed.

The gpg key is also in the file
/usr/share/keyrings/debian-role-keys.gpg which is in the
package debian-keyring.  But then you'd still have a chicken
and egg problem getting that package I guess.

I think it all comes down to trusting _something_.  Everything
should trace back to the gpg web of trust between the developers.
And if you can't trust that there is no way for you to verify it.


Kurt
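The two-step chain the FAQ entry and the reply above describe, written out as an added example (this script is not from the thread or from Debian): first check the OpenPGP signature on the checksum file against a keyring that did not arrive over the same download channel, then, only if that succeeds, let sha256sum compare the ISO against the signed list. The keyring path is the one Kurt names; the file names SHA256SUMS and SHA256SUMS.sign are what the Debian CD mirrors publish; the script assumes GNU coreutils (sha256sum with --status) and gpg on PATH. The sample.iso and its checksum list are constructed fixtures so the checksum step can be exercised offline; the signature step needs a real SHA256SUMS.sign and the debian-keyring package installed.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): verify a downloaded
# Debian ISO in the order the FAQ prescribes.
#
#   1. gpg checks SHA256SUMS.sign over SHA256SUMS using a keyring that came
#      from somewhere other than the download (here: the debian-keyring
#      package, path taken from Kurt's reply). gpg exits 0 only for a good
#      signature by a key present in that keyring; the "trust" question is
#      answered by where the keyring came from, not by gpg's trust database.
#   2. sha256sum recomputes the ISO's digest and compares it with the line
#      for that file in the now-authenticated SHA256SUMS.

KEYRING="${KEYRING:-/usr/share/keyrings/debian-role-keys.gpg}"

# verify_sums_signature SUMSFILE SIGFILE
# Returns gpg's exit status: 0 for a good signature from a key in $KEYRING.
# Using an explicit --keyring avoids the user's default keyring, so a key
# imported "from the internet" by accident cannot make the check pass.
verify_sums_signature() {
    sums="$1"; sig="$2"
    gpg --no-default-keyring --keyring "$KEYRING" \
        --verify "$sig" "$sums" 2>/dev/null
}

# verify_iso_checksum SUMSFILE ISOPATH
# Picks the SHA256SUMS line naming the ISO (both "hash  name" and
# "hash *name" formats) and feeds only that line to sha256sum -c.
# Returns non-zero when the file has no entry or the digest differs.
verify_iso_checksum() {
    sums="$1"; iso="$2"
    name=$(basename "$iso")
    dir=$(dirname "$iso")
    line=$(grep "[ *]${name}\$" "$sums") || return 1   # not listed at all
    # --status: no output, exit status alone reports match or mismatch
    printf '%s\n' "$line" | (cd "$dir" && sha256sum -c --status -)
}

# make_fixture DIR
# Constructed sample data for offline use: a stand-in "ISO", a matching
# SHA256SUMS, and a second file whose listed hash does not match its content.
make_fixture() {
    dir="$1"
    mkdir -p "$dir"
    printf 'constructed iso payload\n' > "$dir/sample.iso"
    printf 'constructed iso payload\nextra appended byte\n' > "$dir/tampered.iso"
    h=$(sha256sum "$dir/sample.iso" | cut -d' ' -f1)
    # tampered.iso is listed with sample.iso's hash, so it must fail the check
    printf '%s  sample.iso\n%s  tampered.iso\n' "$h" "$h" > "$dir/SHA256SUMS"
}

# Stand-alone demo: exercise the checksum step on the constructed fixture,
# and the signature step only if a real SHA256SUMS/SHA256SUMS.sign pair is
# present in the current directory.
demo() {
    tmp=$(mktemp -d)
    make_fixture "$tmp"
    if verify_iso_checksum "$tmp/SHA256SUMS" "$tmp/sample.iso"; then
        echo "sample.iso: checksum OK"
    fi
    if verify_iso_checksum "$tmp/SHA256SUMS" "$tmp/tampered.iso"; then
        echo "tampered.iso: checksum OK (unexpected)"
    else
        echo "tampered.iso: MISMATCH, do not use"
    fi
    rm -rf "$tmp"

    if [ -f SHA256SUMS ] && [ -f SHA256SUMS.sign ]; then
        if verify_sums_signature SHA256SUMS SHA256SUMS.sign; then
            echo "SHA256SUMS: good signature from $KEYRING"
        else
            echo "SHA256SUMS: signature NOT verified, checksums are untrusted"
        fi
    fi
}

demo
```

Run the signature step before trusting any line of SHA256SUMS: a matching checksum proves only that the ISO agrees with the list, and the list is worth nothing until the signature on it has been checked against a keyring obtained independently (for example from an existing Debian installation's debian-keyring package, as the reply suggests).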
