On 13/11/2022 19:14, Thomas George wrote:
I want to do a new verified instillation of a debian iso. I have the
iso and SHA512SUMS.sign.txt and SHHA512SUMS.txt and have tried
gpg --verify SHA512SUMS.sign.txt SHA512SUMS.txt with the result No
Public Key
I thought to skip this step and tried
gpg --verify SHA515SUMS.sign.txt debian-11.5.0-amd64-netinst.iso with
the result Can't open signed data debian-11.5.0-amd64-netinst.iso
Clearly I am making some elementary mistakes. I have spent fruitless
hours trying find and use a public key. One source suggested Curl
ipinfo.io/ip. This outputs an ip address that seams to have nothing
to do with my problem.
A reference to a step-by-step procedure would be appreciated.
https://www.debian.org/CD/verify says "The keys used for these
signatures are all in the Debian GPG keyring and the best way to check
them is to use that keyring to validate via the web of trust.". If you
are using a Debian system, you can get those keys by installing
"debian-archive-keyring". IF you're not (which is likely, given you're
trying to install Debian), then that page also lists the fingerprints
of the keys:
pub rsa4096/988021A964E6EA7D 2009-10-03
Key fingerprint = 1046 0DAD 7616 5AD8 1FBC 0CE9 9880 21A9 64E6
EA7D
uid Debian CD signing key <debian-cd@lists.debian.org>
pub rsa4096/DA87E80D6294BE9B 2011-01-05 [SC]
Key fingerprint = DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294
BE9B
uid Debian CD signing key <debian-cd@lists.debian.org>
pub rsa4096/42468F4009EA8AC3 2014-04-15 [SC]
Key fingerprint = F41D 3034 2F35 4669 5F65 C669 4246 8F40 09EA
8AC3
uid Debian Testing CDs Automatic Signing Key
<debian-cd@lists.debian.org>
So you should just be able to do, for example:
$ gpg --receive-keys "1046 0DAD 7616 5AD8 1FBC 0CE9 9880 21A9
64E6 EA7D"
Tom George