
Re: Verifying authenticity of Debian CDs



Hi,

i wrote in https://lists.debian.org/debian-user/2019/04/msg00214.html
> > > SHA512SUMS.sign [...] SHA512SUMS [...] debian-9.8.0-amd64-netinst.iso

john doe wrote:
> > $ sha512sum -c --ignore-missing <CHECKSUM-FILE>
> > The '--strict' option could also be used.

Steve McIntyre wrote:
> If you're happy for me to borrow your text
> above, I think it's a good start!

I meanwhile discovered that i already wrote a more concise wiki paragraph
about that issue:
  https://wiki.debian.org/JigdoOnLive#Verify_the_Debian_Live_download

Especially this line

  gpg --keyserver keyring.debian.org --verify SHA512SUMS.sign SHA512SUMS

is obviously an improvement over mine in msg00214.html

  gpg --keyserver keyring.debian.org --recv-keys 64E6EA7D
  gpg --keyserver keyring.debian.org --recv-keys 6294BE9B
  gpg --keyserver keyring.debian.org --recv-keys 09EA8AC3
  gpg --verify SHA512SUMS.sign SHA512SUMS

(In that wiki i propose to first verify the SHA512SUMS and afterwards
 the gpg signature.
 IIRC, i had in mind that transport damage of the ISO is more likely
 than transport damage of the SHA512SUMS file or malicious activities.
 Whether this is a valid idea stays undecided ... scratching head.)


Have a nice day :)

Thomas
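As an added example (not code from Thomas's post or from the Debian wiki page he links), the script below does in Python what the two commands discussed in the thread do: it checks a downloaded ISO against SHA512SUMS with the semantics of `sha512sum -c --ignore-missing` (files listed in SHA512SUMS but not downloaded are skipped, and the check only passes if at least one file was actually verified) and of `--strict` (a malformed line counts as failure), and it wraps the `gpg --keyserver keyring.debian.org --verify SHA512SUMS.sign SHA512SUMS` call from the post, invoking gpg only when it is installed. The ISO contents and the second file name in `demo()` are constructed test data; the `verify_download` function and its signature-first ordering are this example's choice, not something the post prescribes.

```python
"""Check a Debian ISO download against SHA512SUMS and its OpenPGP signature.

Added example for the debian-user thread; not code from the post or the Debian wiki.
"""
import hashlib
import os
import shutil
import subprocess
import tempfile

HEX = set("0123456789abcdefABCDEF")


def parse_sums(text):
    """Parse a coreutils-style checksum file ("<hex>  <name>" or "<hex> *<name>").

    Returns (entries, malformed): entries is a list of (lowercase hexdigest, filename),
    malformed is the list of 1-based line numbers that are not valid checksum lines.
    """
    entries, malformed = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 128 or not set(parts[0]) <= HEX:
            malformed.append(lineno)
            continue
        name = parts[1]
        if name.startswith("*"):  # binary-mode marker used by sha512sum -b
            name = name[1:]
        entries.append((parts[0].lower(), name))
    return entries, malformed


def check_sums(sums_text, directory, strict=False):
    """Mirror `sha512sum -c --ignore-missing [--strict]` run inside `directory`.

    'passed' is True only if no listed file mismatched, at least one listed file was
    present and matched, and (in strict mode) no line was malformed.
    """
    entries, malformed = parse_sums(sums_text)
    ok, failed, missing = [], [], []
    for digest, name in entries:
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            missing.append(name)  # --ignore-missing: skipped, not an error
            continue
        h = hashlib.sha512()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 20), b""):
                h.update(chunk)
        (ok if h.hexdigest() == digest else failed).append(name)
    passed = not failed and bool(ok) and not (strict and malformed)
    return {"ok": ok, "failed": failed, "missing": missing,
            "malformed": malformed, "passed": passed}


def verify_signature(sums_path, sig_path, keyserver="keyring.debian.org"):
    """Run the gpg one-liner from the post. True on a good signature, False otherwise,
    None if gpg is not installed (so the caller can tell 'not checked' from 'bad')."""
    if shutil.which("gpg") is None:
        return None
    cmd = ["gpg", "--keyserver", keyserver, "--verify", sig_path, sums_path]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def verify_download(directory, strict=False):
    """Signature first, then checksums (this example's ordering, an assumption)."""
    sums_path = os.path.join(directory, "SHA512SUMS")
    sig_ok = verify_signature(sums_path, sums_path + ".sign")
    if sig_ok is False:
        return {"signature": False, "passed": False}
    with open(sums_path, encoding="utf-8", errors="replace") as f:
        result = check_sums(f.read(), directory, strict=strict)
    result["signature"] = sig_ok
    return result


def demo():
    """Build a constructed ISO and SHA512SUMS in a temp dir; return (lenient, strict) results."""
    with tempfile.TemporaryDirectory() as d:
        iso = os.path.join(d, "debian-9.8.0-amd64-netinst.iso")
        with open(iso, "wb") as f:
            f.write(b"not an ISO: constructed payload for the example\n")
        with open(iso, "rb") as f:
            good = hashlib.sha512(f.read()).hexdigest()
        sums = (f"{good}  debian-9.8.0-amd64-netinst.iso\n"
                f"{'0' * 128}  debian-9.8.0-amd64-xfce-CD-1.iso\n"  # constructed, not downloaded
                "this line is garbage\n")  # malformed on purpose
        return check_sums(sums, d), check_sums(sums, d, strict=True)


if __name__ == "__main__":
    lenient, strict = demo()
    print("lenient:", lenient)
    print("strict: ", strict)
```

The lenient run passes (the one downloaded file matches, the other is ignored, the garbage line is reported but tolerated); the strict run fails on the garbage line, which is the difference john doe's `--strict` remark points at. A SHA512SUMS that lists only files you did not download fails too, because nothing was verified.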

