Re: How to download over https
Hi,
> There are MD5 and SHA sums in that same directory. However I can only access
> those checksums through unencrypted connections. Therefore they cannot be
> used to check against 3rd party tampering.
The chain of trust begins by the public keys as decribed at
https://www.debian.org/CD/verify
https://keyring.debian.org/
which you use to verify the checksum file
http://cdimage.debian.org/cdimage/unofficial/non-free/cd-including-firmware/8.5.0-live+nonfree/amd64/iso-hybrid/SHA512SUMS
by its signature file
http://cdimage.debian.org/cdimage/unofficial/non-free/cd-including-firmware/8.5.0-live+nonfree/amd64/iso-hybrid/SHA512SUMS.sign
Then you can use the SHA512 sum of
debian-live-8.5.0-amd64-cinnamon-desktop+nonfree.iso
to verify the downloaded ISO image.
Currently i am riddling about the exact command to get the necessary
GPG keys. On my Debian 8 installation
$ gpg --verify SHA512SUMS.sign SHA512SUMS
knows that Debian LiveCD 8.3 SHA512SUMS.sign was created by
gpg: Signature made Thu 28 Jan 2016 02:07:19 AM CET using RSA key ID 6294BE9B
gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>"
So i probably got the key by
gpg --keyserver keyring.debian.org --recv-keys 6294BE9B
Have a nice day :)
Thomas
Reply to: