Re: Proposal for update of http://debian.org/CD/faq/#verify

[Naja Melan <najamelan@gmail.com>]

I just noticed that in hashtab sha256 is not enabled by default, so I would further add the following sentence to the windows/mac instructions:

"SHA256 is not enabled by default in HashTab, so you will have to click options and enable it."

 
Török Edwin <edwintorok@gmail.com> wrote:

What if you already have an older Debian install, or an older Debian CD (that you already verified/trust by other means)?
There should be a chain of trust from the signing keys used on the old CDs all the way to the signing key used on the new CD, right?

Is there an easy way to check the signing key, given an older Debian CD? (besides booting from it, and checking the new key with gpg)?

I have thought about this, but I don't have a debian box available here to test that, and so I don't know which keys are available in the keyring. I can thus not write instructions for this. Another option I thought about is that debian includes itself as a trusted CA in the browsers it ships. That might allow someone to download a key through https from https://db.debian.org.

The reason I have not mentioned this is because as far as I can tell the CD signing key is not on there, so it would be indirect if people would have to download keys from people signing the Debian cd signing key. This would make the "chain" already quite a bit longer (thus unsafer) and would seriously complicate the instructions and make them less accessible. 

If you can cook up good instructions to do such things though, go ahead. A safe way of downloading from an older debian box would probably be worthwhile, even if the initial Debian box has not been downloaded in a safe way because it allows people to minimize the potential for tampering to only the first time ever they download debian, and if an attacker missed that chance they would be fine in the future.

greets