[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: General questions

Thank you all for your answers.
1. But I mean subscriptions like this "debian-user":) But I really like your answers about Debian's freedom. I think it is useful information. Thanks.
2. I just have verified GPG's keys manually: https://keyring.debian.org/
    2.1. I have downloaded SHA512 SUMS.sign SHA512SUMS from https://cdimage.debian.org/debian-cd/current/amd64/bt-cd/
    2.2. I have done then: gpg --keyserver keyring.debian.org --verify SHA512SUMS.sign SHA512SUMS
    2.3. Then I have got next info: Signed was made in 30 june 2024
    And RSA key: DF9B9C49EAA9298432589D76DA87E80D6294BE9B
I have compared 2011 's key and mine and they are the same.
But is it a good idea to do that? Or do I need to download the open key and then compare them?
And is verification with SHA512SUMS.sign and SHA512SUMS enough? Should I do the same actions with SHA216SUMS.sign and SHA216SUMS?

On Mon, Jul 8, 2024 at 11:00 PM Thomas Schmitt <scdbackup@gmx.net> wrote:
Hi,

cybertatoka@gmail.com wrote:
> 2. How to check Debian Image Authentication?
> Is checksum verification (sha216sum, sha512sum) enough?

Only if you are trusting the site from where you downloaded the ISO.
In that case you'd use the checksums in the files SHA256SUMS and
SHA512SUMS as mere control whether the download delivered what the server
operators intended.


> Should I verify with GPG?

The signatures in the files SHA256SUMS.sign and SHA512SUMS.sign verify that
the checksums in SHA256SUMS and SHA512SUMS are authorized by the Debian
developers who are in charge of image production.

Verify them by e.g.

  gpg --keyserver keyring.debian.org --verify SHA512SUMS.sign SHA512SUMS

and look out for the text,

  gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>"
  ...
  Primary key fingerprint: DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B

First occuruence of this fingerprint in my mailbox is Oct 10 2015.

On
  https://www.debian.org/CD/verify
there are two more valid keys published which would yield:

  gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>"
  Primary key fingerprint:  1046 0DAD 7616 5AD8 1FBC  0CE9 9880 21A9 64E6 EA7D

  gpg: Good signature from "Debian Testing CDs Automatic Signing Key <debian-cd@lists.debian.org>"
  Primary key fingerprint: F41D 3034 2F35 4669 5F65  C669 4246 8F40 09EA 8AC3

Both have their first occurence in my mailbox at Feb 16 2020.

If you see one of these texts, then you may assume the checksum files to
be valid (or the fingerprints to be undetected falsifications since years).
But if you see deviations in the fingerprint lines then this would be very
suspicious.


Have a nice day :)

Thomas

Reply to: