
Re: How to download over https



Hi,

> There are MD5 and SHA sums in that same directory. However I can only access
> those checksums through unencrypted connections. Therefore they cannot be
> used to check against 3rd party tampering.

The chain of trust begins with the public keys as described at
  https://www.debian.org/CD/verify
  https://keyring.debian.org/
which you use to verify the checksum file
  http://cdimage.debian.org/cdimage/unofficial/non-free/cd-including-firmware/8.5.0-live+nonfree/amd64/iso-hybrid/SHA512SUMS
by its signature file
  http://cdimage.debian.org/cdimage/unofficial/non-free/cd-including-firmware/8.5.0-live+nonfree/amd64/iso-hybrid/SHA512SUMS.sign

Then you can use the SHA512 sum of
  debian-live-8.5.0-amd64-cinnamon-desktop+nonfree.iso
to verify the downloaded ISO image.


Currently I am riddling about the exact command to get the necessary
GPG keys. On my Debian 8 installation

  $ gpg --verify SHA512SUMS.sign SHA512SUMS

knows that Debian LiveCD 8.3 SHA512SUMS.sign was created by

  gpg: Signature made Thu 28 Jan 2016 02:07:19 AM CET using RSA key ID 6294BE9B
  gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>"

So I probably got the key by
  gpg --keyserver keyring.debian.org --recv-keys 6294BE9B


Have a nice day :)

Thomas
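
The two checks described in the message above, as an added shell example that is not part of the original post. The function names are hypothetical, and the FINGERPRINT argument is an assumption: the full fingerprint of the signing key, obtained out of band (for example from https://www.debian.org/CD/verify), rather than an 8-digit key ID.

```shell
#!/bin/sh
# Added example: verify the signed checksum file, then the image against it.

# verify_sums_signature SUMS SIG FINGERPRINT
# Succeeds only if SIG is a valid signature over SUMS made by the key with
# this full fingerprint (assumption: 40 hex digits obtained out of band).
verify_sums_signature() {
    want=$(printf '%s' "$3" | tr -d ' ' | tr 'a-f' 'A-F')
    # --status-fd prints machine-readable lines; VALIDSIG carries the
    # fingerprint of the signing key ($3) and of its primary key (last field).
    gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        awk -v want="$want" '
            $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
            END { exit !ok }'
}

# check_image_sum SUMS IMAGE
# Returns 0 if IMAGE matches its SHA512SUMS entry, 1 on mismatch,
# 2 if SUMS has no entry for IMAGE (file names without spaces assumed).
check_image_sum() {
    name=$(basename "$2")
    # Entry format: "<hex>  <name>", or "<hex> *<name>" in binary mode.
    want=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f) }
        f == n { print $1; exit }' "$1")
    [ -n "$want" ] || return 2
    have=$(sha512sum "$2" | awk '{ print $1 }')
    [ "$have" = "$want" ]
}

# verify_image SUMS SIG IMAGE FINGERPRINT
# The signature is checked first: a hash match against an unauthenticated
# SHA512SUMS proves nothing about tampering.
verify_image() {
    verify_sums_signature "$1" "$2" "$4" ||
        { echo "signature check failed: $1" >&2; return 1; }
    check_image_sum "$1" "$3" ||
        { echo "checksum check failed: $3" >&2; return 1; }
    echo "verified: $3"
}
```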

