Re: Verifying authenticity of Debian CDs
Hi,
i wrote in https://lists.debian.org/debian-user/2019/04/msg00214.html
> > > SHA512SUMS.sign [...] SHA512SUMS [...] debian-9.8.0-amd64-netinst.iso
john doe wrote:
> > $ sha512sum -c --ignore-missing <CHECKSUM-FILE>
> > The '--strict' option could also be used.
Steve McIntyre wrote:
> If you're happy for me to borrow your text
> above, I think it's a good start!
I meanwhile discovered that i already wrote a more concise wiki paragraph
about that issue:
https://wiki.debian.org/JigdoOnLive#Verify_the_Debian_Live_download
Especially this line

  gpg --keyserver keyring.debian.org --verify SHA512SUMS.sign SHA512SUMS

is obviously an improvement over mine in msg00214.html

  gpg --keyserver keyring.debian.org --recv-keys 64E6EA7D
  gpg --keyserver keyring.debian.org --recv-keys 6294BE9B
  gpg --keyserver keyring.debian.org --recv-keys 09EA8AC3
  gpg --verify SHA512SUMS.sign SHA512SUMS
(In that wiki i propose to first verify the SHA512SUMS and afterwards
the gpg signature.
IIRC, i had in mind that transport damage of the ISO is more likely
than transport damage of the SHA512SUMS file or malicious activities.
Whether this is a valid idea stays undecided ... scratching head.)
Have a nice day :)
Thomas
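
Added example, not part of the original message: a small POSIX shell sketch of the two checks discussed in this thread, written so that both must pass and so that an ISO missing from SHA512SUMS counts as a failure instead of being skipped. The function names check_listed_iso and verify_debian_iso are hypothetical; it assumes the signing keys have already been imported into the gpg keyring and that a coreutils-style sha512sum is installed.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# check_listed_iso SUMS_FILE ISO_FILE
# Succeeds only if ISO_FILE has exactly one entry in SUMS_FILE and its
# SHA-512 matches. Unlike a bare "--ignore-missing" run, a file that is
# not listed at all is reported as a failure.
check_listed_iso() {
    cl_sums=$1
    cl_name=$(basename -- "$2")
    cl_dir=$(dirname -- "$2")
    # Keep only the line whose file field is this name ("name" or "*name").
    cl_entry=$(awk -v n="$cl_name" '$2 == n || $2 == ("*" n)' "$cl_sums") || return 1
    # Require exactly one matching entry: none or several is an error.
    [ "$(printf '%s\n' "$cl_entry" | grep -c .)" -eq 1 ] || return 1
    # Check that single entry from inside the ISO's directory.
    (cd "$cl_dir" && printf '%s\n' "$cl_entry" | sha512sum -c >/dev/null 2>&1)
}

# verify_debian_iso SUMS_FILE SIG_FILE ISO_FILE
# Runs the signature check on the checksum list, then the checksum check
# on the ISO. The result is only meaningful if both succeed.
verify_debian_iso() {
    # gpg exits 0 for a good signature by any key in the keyring, so the
    # keyring should hold only keys you accept as Debian CD signing keys.
    if ! gpg --verify "$2" "$1"; then
        echo "FAIL: signature on $1 did not verify" >&2
        return 1
    fi
    if ! check_listed_iso "$1" "$3"; then
        echo "FAIL: $3 is not listed in $1 or its checksum differs" >&2
        return 1
    fi
    echo "OK: $3 matches the signed checksum list"
}

# Typical call, using the file names from this thread:
#   verify_debian_iso SHA512SUMS SHA512SUMS.sign debian-9.8.0-amd64-netinst.iso
```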