On Sun, 2011-01-02 at 18:56 +0100, Naja Melan wrote: > Im trying to verify that the debian iso I downloaded has not been > tampered with by following the following faq entry: > > http://www.debian.org/CD/faq/#verify > > There are some things I don't understand yet. I have gotten as far as > downloading the checksum files, the iso and the signatures of the > checksum files. Now to verify the checksums I need the public key of > the keypair used to sign the checksum files. Im using gpa and > downloaded that public key. So far, all that has happened is that my > problem has been pushed down the line, because now I have a public key > in my keyring that came over the internet and I have no idea on how to > verify that one. At some point you always have a bootstrapping problem in your trust path. At some point you have to put your trust in something that you either verify yourself or get via a secure enough transport. In this case the MD5SUMS file (also SHA1SUMS, SHA256SUMS and SHA512SUMS available) can be used to verify the integrity of the iso file(s). The authenticity of the MS5SUMS file (and the others) can be verified by the .sign files which are PGP signatures. They should be signed by the Debian CD signing key. The last step is how to get the public key and verify it's authenticity. If you are part of the PGP web of trust this is easy as the key is signed by some well-connected people and you can just get it from your favourite keyserver. Another alternative would be to download the public key over some secure enough transport (e.g. an https website with a valid certificate issues to something that looks trustworthy enough). The Debian archive signing keys an be found here: https://ftp-master.debian.org/keys.html but I don't think the Debian CD signing key can be found there (nor is there a trust path from the keys you can download there). I think this is an omission. -- -- arthur - adejong@debian.org - http://people.debian.org/~adejong --
Attachment:
signature.asc
Description: This is a digitally signed message part