
(2nd try) Add extra page at /CD/verify.html



Now with the correct To: address :-/

With reference to
http://lists.debian.org/debian-cd/2011/03/msg00071.html, I've written
something up.

wml attached, plus a diff to link it into /CD/index.html I hope.

Please review / commit?

-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
You raise the blade, you make the change... You re-arrange me 'til I'm sane...
Index: index.wml
===================================================================
RCS file: /cvsroot/webwml/webwml/english/CD/index.wml,v
retrieving revision 1.34
diff -u -p -r1.34 index.wml
--- index.wml	21 Feb 2011 23:04:13 -0000	1.34
+++ index.wml	16 Mar 2011 17:47:33 -0000
@@ -47,6 +47,9 @@ Install</a> media which is a smaller dow
 
 </ul>
 
+<p>Official CD releases are signed so that you can <a
+href="verify">verify they are authentic</a>.</p>
+
 <p>Debian is available for different computer architectures - make
 sure you are getting images that match your computer! (Most people
 will need images for "i386", i.e. Intel systems.) Once you have
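Review bot: the new sentence at `+<p>Official CD releases are signed` overstates what can actually be verified; the attached verify.wml explains that it is the checksum files that carry signatures, and the image is only checked indirectly through them. Suggest `<p>Official CD releases come with signed checksum files so that you can <a href="verify">verify they are authentic</a>.</p>` so the index page and the new page agree.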
#use wml::debian::cdimage title="Verifying authenticity of Debian CDs" BARETITLE=true
#use wml::debian::release_info

<p>Official releases of Debian CDs come with signed checksum
files. These allow you to check that the images you download are
correct. First of all, the checksum can be used to check that the CDs
have not been corrupted during download. Secondly, the signatures on
the checksum files allow you to confirm that the files are the ones
officially released by the Debian CD / Debian Live team and have not
been tampered with.</p>

<p>To validate the contents of a CD image, first of all use the
appropriate checksum tool. For older archived CD releases, only MD5
checksums were generated in the <tt>MD5SUMS</tt> files; you should use
the tool <tt>md5sum</tt> to work with these. For newer releases, we
have moved to newer, cryptographically stronger checksum algorithms
(SHA1, SHA256 and SHA512) and there are equivalent tools available to
work with these.</p>

<p>To ensure that the checksum files themselves are correct, use
GnuPG to verify them against the accompanying signature files
(e.g. <tt>MD5SUMS.sign</tt>). The keys used for these signatures are
all in the <a href="http://keyring.debian.org">Debian GPG keyring</a>
and the best way to check them is to use that keyring to validate via
the web of trust. To make life easier for users, here are the
fingerprints for the keys that have been used for releases in recent
years (with some UIDs removed for clarity):</p>

<pre>
pub   1024D/88C7C1F7 1999-01-30
      Key fingerprint = AC65 6D79 E362 32CF 77BB  B0E8 7C3B 7970 88C7 C1F7
uid                  Steve McIntyre <93sam@debian.org>
uid                  Debian CD signing key <debian-cd@lists.debian.org>

pub   1024D/F6A32A8E 2000-09-16
      Key fingerprint = 3F0A 12FC 0B55 A917 D791  82D3 72FD C205 F6A3 2A8E
uid                  Santiago Garcia Mantinan (manty) <manty@debian.org>
sub   1024g/8D0EB704 2000-09-16

pub   1024D/4B2B2B9E 2004-06-20
      Key fingerprint = 709F 54E4 ECF3 1956 2332  6AE3 F82E 5CC0 4B2B 2B9E
uid                  Daniel Baumann <daniel@debian.org>
sub   1024g/19ED1B2F 2004-06-20

pub   4096R/5CEE3195 2009-05-21
      Key fingerprint = D2FB 633A DDC2 0485 CBCE  6D12 39BE 2D72 5CEE 3195
uid                  Daniel Baumann <daniel@debian.org>
sub   4096R/E7D77F65 2009-05-21

pub   4096R/64E6EA7D 2009-10-03
      Key fingerprint = 1046 0DAD 7616 5AD8 1FBC  0CE9 9880 21A9 64E6 EA7D
uid                  Debian CD signing key <debian-cd@lists.debian.org>

pub   4096R/6294BE9B 2011-01-05
      Key fingerprint = DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B
uid                  Debian CD signing key <debian-cd@lists.debian.org>
sub   4096R/11CD9819 2011-01-05
</pre>

<p>We have gradually moved away from using the personal keys belonging
to developers to using official "role" keys instead. However, we have
decided not to go back and re-sign all the old releases that were
already signed using the older keys.</p>
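As an added example, not part of the attached page or of Debian's own tooling, the two steps described above in one script: GnuPG verifies the signature on the checksum file first, the reported signing fingerprint is compared with the ones listed above, and only then is the image hashed against the checksum file. The function names, the constructed sample image and the `example-netinst.iso` filename are assumptions made for this example; the `gpg --status-fd 1 --verify` invocation and the `VALIDSIG` status line are standard GnuPG behaviour.

```python
import hashlib, os, pathlib, re, subprocess, tempfile

# Fingerprints of the CD signing keys listed on the verify page, spaces removed.
KNOWN_CD_KEYS = {
    "AC656D79E36232CF77BBB0E87C3B797088C7C1F7", "3F0A12FC0B55A917D79182D372FDC205F6A32A8E",
    "709F54E4ECF3195623326AE3F82E5CC04B2B2B9E", "D2FB633ADDC20485CBCE6D1239BE2D725CEE3195",
    "10460DAD76165AD81FBC0CE9988021A964E6EA7D", "DF9B9C49EAA9298432589D76DA87E80D6294BE9B",
}

def parse_sums(text):
    """Parse MD5SUMS/SHA*SUMS lines: '<hex>  <name>' or '<hex> *<name>'."""
    rows = (re.match(r"([0-9a-fA-F]+)\s+\*?(\S.*)$", l.strip()) for l in text.splitlines())
    return {m.group(2): m.group(1).lower() for m in rows if m}

def file_digest(path, algo):
    h = hashlib.new(algo)  # streamed: a multi-GB ISO must not be read into memory whole
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def checksums_match(image_path, sums_text, algo):
    """True only if the image is listed in the checksum file and its digest agrees."""
    expected = parse_sums(sums_text).get(os.path.basename(image_path))
    return expected is not None and file_digest(image_path, algo) == expected

def signing_key(sums_path, sig_path):
    """Fingerprint behind a valid signature on the checksum file, else None. gpg emits
    VALIDSIG even for an untrusted key, so the caller must still match it against KNOWN_CD_KEYS."""
    out = subprocess.run(["gpg", "--status-fd", "1", "--verify", sig_path, sums_path],
                         capture_output=True, text=True).stdout
    fprs = [l.split()[2] for l in out.splitlines() if l.startswith("[GNUPG:] VALIDSIG ")]
    return fprs[0].upper() if fprs else None

def verify_image(image_path, sums_path, sig_path, algo="sha512"):
    """Signature first: a checksum file is only worth reading once it is trusted."""
    if signing_key(sums_path, sig_path) not in KNOWN_CD_KEYS:
        return False
    with open(sums_path) as f:
        return checksums_match(image_path, f.read(), algo)

def demo():
    """Constructed sample: a fake image, a SHA256SUMS listing it, then one flipped byte."""
    with tempfile.TemporaryDirectory() as d:
        img, data = pathlib.Path(d, "example-netinst.iso"), b"not really an ISO\n" * 100
        img.write_bytes(data)
        sums = f"{hashlib.sha256(data).hexdigest()}  example-netinst.iso\n{'0' * 64} *other.iso\n"
        intact = checksums_match(img, sums, "sha256")
        img.write_bytes(data[:10] + b"X" + data[11:])  # corrupt one byte, as a bad download would
        return intact, checksums_match(img, sums, "sha256"), len(parse_sums(sums))
```

`verify_image()` needs a real `gpg` with the Debian keyring imported; `demo()` exercises only the checksum step so it runs offline.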
