From: Daniel <daniel@visp.name>
To: Alfie John <alfiej@fastmail.fm>; debian-security@lists.debian.org
Sent: Friday, May 30, 2014 10:16 PM
Subject: Re: Debian mirrors and MITM
> The thing is: When you download an .iso file, that .iso file also contains a signing key used to verify each package it downloads during the installation.
> The .iso file already contains a public key, and verifies every package it downloads along the way. You can disable that by hacking a bit in the installer, but it does require an effort.
> For the next problem: Some mirror might theoretically have an .iso file which has been tampered with, but you should check the checksum for that file with what you find in the Debian web pages. If you download a .iso file via HTTP, it might have been tampered with, and if someone is intercepting your request for the public key, it might be changed. But I think that would be a problem anyway...
Hello guys,
I am very confused after reading the exchanges on this topic.
Could someone tell me whether what I have done is correct?
1. I download the *.iso file from a Debian mirror together with the SHA512SUMS and SHA512SUMS.sig
2. On the relevant Debian Wiki page (which is served via https), I search for the fingerprint of the key used to sign the downloaded *.iso file
3. On some Debian user forums, I make inquiries as to the fingerprint of the signing key for my *.iso file. I compare it with the one given by Debian Wiki. If the fingerprints are identical, I will download the signing key from pgp.mit.edu keyserver.
4. I use the signing key to verify the SHA512SUMS file. If the signature is good, I proceed to verify the SHA512 hash against my downloaded *.iso file
Are the above steps sufficient to verify the authenticity of the downloaded *.iso file?
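Steps 3 and 4 of the message, written out as an added shell example (not part of this thread or of Debian's own tooling); it assumes coreutils sha512sum and gpg, the file names SHA512SUMS and SHA512SUMS.sig used above, and a key fingerprint the user has confirmed from the Debian wiki.

```shell
#!/bin/sh
# Added example. The point of step 3 is that "Good signature" alone is not enough:
# any key in your keyring can produce one. The signature must come from the key
# whose fingerprint you confirmed out of band (here passed in by the caller).
verify_sums_signature() {
    sums="$1" sig="$2" expected_fpr="$3"
    # Normalise the fingerprint as printed on the wiki (grouped, mixed case).
    expected_fpr=$(printf '%s' "$expected_fpr" | tr -d ' ' | tr 'a-f' 'A-F')
    # --status-fd 1 emits machine-readable lines; VALIDSIG carries the fingerprint
    # of the signing (sub)key in field 3 and of its primary key in the last field.
    status=$(gpg --status-fd 1 --verify "$sig" "$sums" 2>/dev/null) || return 1
    signer=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG / {print $3; exit}')
    primary=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG / {print $NF; exit}')
    [ -n "$signer" ] || return 1
    [ "$signer" = "$expected_fpr" ] || [ "$primary" = "$expected_fpr" ]
}

# Step 4: compare the .iso with the entry for its own name in the signed SHA512SUMS.
# Only that one line is fed to sha512sum -c, so a missing entry is a failure,
# not a silent skip.
check_iso_hash() {
    sums="$1" iso="$2"
    dir=$(dirname "$iso"); name=$(basename "$iso")
    # SHA512SUMS lines look like "<hex>  <name>" (or "<hex> *<name>" for binary mode).
    awk -v f="$name" '$2 == f || $2 == "*" f' "$sums" | (cd "$dir" && sha512sum -c --quiet -)
}

# Usage: verify_iso SHA512SUMS SHA512SUMS.sig debian-x.y.z.iso "<fingerprint from the wiki>"
verify_iso() {
    verify_sums_signature "$1" "$2" "$4" || { echo "SHA512SUMS signature not from the expected key" >&2; return 1; }
    check_iso_hash "$1" "$3" || { echo "ISO hash does not match SHA512SUMS" >&2; return 1; }
    echo "OK: $3 matches a SHA512SUMS signed by $4"
}
```

Order matters: the hash comparison only means something after the signature check has passed, since an attacker who can replace the .iso on a mirror can replace SHA512SUMS beside it just as easily.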