*3. Could a malicious attacker that feeds me an altered ISO image not 
also feed me an altered SHA256SUMS file? Yes, they could! HTTP is very 
easy to intercept. This is where SHA256SUMS.sign comes in. This file 
is the PGP signature of the SHA256SUMS file. It is signed with the 
Debian CD signing key which can be obtained from 
hkp://keyring.debian.org/ <http://keyring.debian.org/>.* The transport 
from the keyserver is *not* secured, and the only way to verify you 
have not been fed a bogus key is through the web of trust 
<https://secure.wikimedia.org/wikipedia/en/wiki/Web_of_trust> if you 
are connected to enough people to make a path to the Debian CD signing 
key.

*What should I do if I am not connected through the web of trust?
There is no easy answer to this.*
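
The check described in answer 3, as an added example that is not part of the original text: the signature on SHA256SUMS is verified first, and the image hash is compared only if that succeeds. The function names and the keyring path are hypothetical; the keyring file is assumed to contain only a Debian CD signing key whose authenticity you have already established.

```shell
#!/bin/sh
# Added example. Fails closed: any error means "do not use the image".

# Compare the image's SHA-256 with its entry in SHA256SUMS.
# Usage: check_iso_hash SHA256SUMS image.iso
check_iso_hash() {
    sums=$1
    iso=$2
    name=$(basename "$iso")
    # Lines look like "<hex digest>  <file name>" (a leading "*" marks
    # binary mode). Assumes file names without spaces.
    expected=$(awk -v n="$name" \
        '{ f = $2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$sums")
    if [ -z "$expected" ]; then
        echo "no entry for $name in $sums" >&2
        return 1
    fi
    actual=$(sha256sum "$iso" | awk '{ print $1 }')
    [ "$expected" = "$actual" ]
}

# Verify the signature on SHA256SUMS, then the image hash.
# Usage: verify_debian_iso ./keyring.gpg SHA256SUMS SHA256SUMS.sign image.iso
verify_debian_iso() {
    keyring=$1
    sums=$2
    sig=$3
    iso=$4
    # gpgv accepts only signatures made by keys in the given keyring, so
    # a good signature from some unrelated key does not pass. Give the
    # keyring as a path containing "/" so it is not looked up in ~/.gnupg.
    if ! gpgv --keyring "$keyring" "$sig" "$sums"; then
        echo "signature on $sums did not verify; not trusting its hashes" >&2
        return 1
    fi
    if ! check_iso_hash "$sums" "$iso"; then
        echo "hash mismatch or missing entry for $iso" >&2
        return 1
    fi
    echo "OK: $iso matches a signed SHA256SUMS entry"
}
```

A passing result is only as trustworthy as the key in the keyring: if a bogus key was fetched over the unsecured keyserver transport, a bogus SHA256SUMS.sign verifies against it.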