
Bug#902668: Draft for rewrite of https://www.debian.org/CD/verify



Thanks for your proposal.
I've taken the liberty to adapt it to the wml format, with slight rewrites and
adding some more layout, and provide a patch (see attached the current
verify.wml file, the new one, and the diff).

Please take into account that we already have another open bug about this page:

#851541 www.debian.org: "CD/verify should include long key IDs"

The attached patch could solve, in my opinion, the third and fourth requests of
that bug, so I'm CC'ing it too.

Cheers

On 29/06/18 at 11:56, Fjfj109 wrote:
> Package: www.debian.org
> 
> Version: None
> 
> Severity: Wishlist
> 
> 
> Dear maintainer,
> 
> Here is a first draft of a rewrite I did for the above mentioned URL in the bug
> report. I felt it included not nearly enough useful information. Please correct
> me if this is wrong and otherwise, feel free to replace the existing page with
> my edit. Any suggestions etc you might... uh... suggest, to make it better,
> please also let me know and feel free to include those too. I’ve both attached
> it and posted it below for posterity:
> 
> Official releases of Debian CDs come with signed checksum files; look for them
> alongside the images in the |iso-cd|, |jigdo-dvd|, |iso-hybrid| etc. directories
> (if you can’t find the files, you can right click the download link for various
> Debian images and remove the text at the end of the link specific to your
> download; aka to see the list of files for the net install on the amd64
> architecture, left clicking the link gives you
> https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/debian-9.4.0-amd64-netinst.iso
> – remove the section after “iso-cd”). These allow you to check that the images
> you download are correct. First of all, the checksum can be used to check that
> the CDs have not been corrupted during download. Secondly, the signatures on the
> checksum files allow you to confirm that the files are the ones officially
> released by the Debian CD / Debian Live team and have not been tampered with.
> 
> To validate the contents of a CD image, just be sure to use the appropriate
> checksum tool. Cryptographically strong checksum algorithms (SHA256 and SHA512)
> are available for every release; you should use the tools |sha256sum| or
> |sha512sum| to work with these.
> 
> To ensure that the checksum files themselves are correct, use GnuPG to verify
> them against the accompanying signature files (e.g. |SHA512SUMS.sign|). The keys
> used for these signatures are all in the Debian GPG keyring
> <https://keyring.debian.org/> and the best way to check them is to use that
> keyring to validate via the web of trust. To make life easier for users, here
> are the fingerprints for the keys that have been used for releases in recent years:
> 
> 
> pub   4096R/64E6EA7D 2009-10-03
>       Key fingerprint = 1046 0DAD 7616 5AD8 1FBC  0CE9 9880 21A9 64E6 EA7D
> uid                  Debian CD signing key <debian-cd@lists.debian.org>
> 
> pub   4096R/6294BE9B 2011-01-05
>       Key fingerprint = DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B
> uid                  Debian CD signing key <debian-cd@lists.debian.org>
> sub   4096R/11CD9819 2011-01-05
> 
> pub   4096R/09EA8AC3 2014-04-15
>       Key fingerprint = F41D 3034 2F35 4669 5F65  C669 4246 8F40 09EA 8AC3
> uid                  Debian Testing CDs Automatic Signing Key <debian-cd@lists.debian.org>
> sub   4096R/6BD05CFB 2014-04-15
> 
> In more explicit terms, here is a more step by step breakdown of how one
> actually does this:
> 
> 
> 1. Download all the relevant files – the SUMS file, the signature, and the iso
> you want to download – to a single directory (so as an example if we wanted to
> use SHA512, it would be SHA512SUMS, SHA512SUMS.sign and the actual .iso file itself).
> 
> 2. To verify the image against tampering (there are a few different methods of
> doing this, we choose the following arbitrarily, and we also choose SHA512, it
> can be done with less but this is cryptographically stronger): “sha512sum
> path.to.iso > verify.txt” “diff -q verify.txt SHA512SUMS” (without quotes). If
> all checks out, no output should be given and we can move on to the next step.
> Else, re-download the image and try again.
> 
> 
> 3. To verify the signature: “gpg --verify SHA512SUMS.sign SHA512SUMS”. You may
> get an output like:
> 
> |gpg: Signature made Mon 25 Jan 2016 05:08:46 AEDT using RSA key ID 6294BE9B|
> |gpg: Can't check signature: public key not found|
> 
> So:
> 
> “gpg --keyserver keyring.debian.org --recv-keys 6294BE9B”,
> 
> And then run it again: “gpg --verify SHA512SUMS.sign SHA512SUMS”. You may get an
> output like the following:
> 
> |gpg: Signature made Mon 25 Jan 2016 05:08:46 AEDT using RSA key ID 6294BE9B|
> |gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>"|
> |gpg: WARNING: This key is not certified with a trusted signature!|
> |gpg: There is no indication that the signature belongs to the owner.|
> |Primary key fingerprint: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B|
> 
> 4. Verify this fingerprint is legitimate using one of the codes (fingerprints)
> located above. This document will change to reflect what the Debian project uses.
> 
> 

-- 
Laura Arjona Reina
https://wiki.debian.org/LauraArjona
--- verify.wml	2018-06-29 12:50:45.534184424 +0200
+++ verify.wml.new	2018-06-29 13:53:17.881180304 +0200
@@ -1,9 +1,30 @@
 #use wml::debian::cdimage title="Verifying authenticity of Debian CDs" BARETITLE=true
+#use wml::fmt::verbatim
 
 <p>
 Official releases of Debian CDs come with signed checksum files;
 look for them alongside the images in the <code>iso-cd</code>,
 <code>jigdo-dvd</code>, <code>iso-hybrid</code> etc. directories.
+</p>
+
+<p>
+If you canâ??t find the files, you can right click and copy the download link 
+for various Debian images, and then remove the text at the end of the link 
+specific to your download to get the URL of the folder containing both the 
+images to download and the corresponding signed checksum files.
+</p>
+
+<p>
+E.g. to see the list of files for the net install on the amd64 architecture, 
+the URL of the image could be something like this:
+
+<code>https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/debian-9.4.0-amd64-netinst.iso</code>
+
+and you should remove remove the section after <code>iso-cd</code> to get the URL 
+of the folder containing the signed checksum files. 
+</p>
+
+<p>
 These allow you to check that the images you download are correct.
 First of all, the checksum can be used to check that the CDs have not
 been corrupted during download.
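Review bot: the apostrophe in `If you canâ??t find the files` (and the dashes in the second hunk) arrived as mojibake; the rest of the file is plain ASCII, so write `can't` (or `&rsquo;`) and check the file's encoding before committing. In the same hunk, `remove remove the section after` doubles the word, and the bare `<code>` URL sitting between two sentences inside one `<p>` will render run together with them; give it its own paragraph or a `<br />` on either side.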
@@ -33,3 +54,68 @@
 </p>
 
 #include "$(ENGLISHDIR)/CD/CD-keys.data"
+
+
+<p>
+Here is a more step by step guide for verifying authenticity of Debian CDs:
+</p>
+
+<p>
+<strong>1. Download</strong> all the relevant files â?? the SUMS file, the signature, 
+and the iso you want to download â?? to a single directory 
+(so as an example if we wanted to use SHA512, it would be 
+SHA512SUMS, SHA512SUMS.sign and the actual .iso file itself.
+</p>
+
+<p>
+<strong>2. Verify the image</strong> against tampering, running the following commands
+(there are a few different methods of doing this, this is only one): 
+
+<verbatim>
+sha512sum path.to.iso > verify.txt
+diff q verify.txt SHA512SUMS
+</verbatim>
+
+<p>
+If all checks out, no output should be given and we can move on to the next step.
+Else, re-download the image and try again.
+</p>
+
+<p>
+<strong>3. Verify the signature</strong>, running:
+
+<verbatim>
+gpg --verify SHA512SUMS.sign SHA512SUMS
+</verbatim>
+
+You may get an output like:
+
+<verbatim>
+gpg: Signature made Mon 25 Jan 2016 05:08:46 AEDT using RSA key ID 6294BE9B
+gpg: Can't check signature: public key not found
+</verbatim>
+
+<p>
+In this case you would need to run: 
+</p>
+
+<verbatim>
+gpg --keyserver keyring.debian.org --recv-keys 6294BE9B
+</verbatim>
+
+<p>And then run the <code>gpg --verify SHA512SUMS.sign SHA512SUMS</code> command again. 
+You may get an output like the following:
+</p>
+
+<verbatim>
+gpg: Signature made Mon 25 Jan 2016 05:08:46 AEDT using RSA key ID 6294BE9B
+gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>"
+gpg: WARNING: This key is not certified with a trusted signature!
+gpg:          There is no indication that the signature belongs to the owner.
+Primary key fingerprint: DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B
+</verbatim>
+
+<p>
+<strong>4. Verify this fingerprint is legitimate</strong> using one of the codes (fingerprints) 
+located above. This document will change to reflect what the Debian project uses.
+</p>
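Review bot: `diff q verify.txt SHA512SUMS` is missing the dash, and even as `diff -q` it will always report a difference, because SHA512SUMS lists every image in the directory under its real file name while verify.txt holds a single line for whatever path was given to sha512sum; run `sha512sum -c --ignore-missing SHA512SUMS` in the download directory instead, which checks only the files that are present and prints `OK` or `FAILED`, and reword `If all checks out, no output should be given` to match. `--recv-keys 6294BE9B` fetches by 32-bit short key ID, the practice #851541 asks this page to drop; fetch and compare by the full fingerprint instead, e.g. `--recv-keys DF9B9C49EAA9298432589D76DA87E80D6294BE9B`. Markup: the `<p>` opened before the `<verbatim>` blocks in steps 2 and 3 is never closed, and the mojibake dashes in `the SUMS file, the signature, â??` should be plain `-` or `&ndash;`.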
#use wml::debian::cdimage title="Verifying authenticity of Debian CDs" BARETITLE=true
#use wml::fmt::verbatim

<p>
Official releases of Debian CDs come with signed checksum files;
look for them alongside the images in the <code>iso-cd</code>,
<code>jigdo-dvd</code>, <code>iso-hybrid</code> etc. directories.
</p>

<p>
If you can’t find the files, you can right click and copy the download link 
for various Debian images, and then remove the text at the end of the link 
specific to your download to get the URL of the folder containing both the 
images to download and the corresponding signed checksum files.
</p>

<p>
E.g. to see the list of files for the net install on the amd64 architecture, 
the URL of the image could be something like this:

<code>https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/debian-9.4.0-amd64-netinst.iso</code>

and you should remove the section after <code>iso-cd</code> to get the URL 
of the folder containing the signed checksum files. 
</p>

<p>
These allow you to check that the images you download are correct.
First of all, the checksum can be used to check that the CDs have not
been corrupted during download.
Secondly, the signatures on the checksum files allow you to confirm
that the files are the ones officially released by the Debian CD /
Debian Live team and have not been tampered with.
</p>

<p>
To validate the contents of a CD image, just be sure to use the
appropriate checksum tool.
Cryptographically strong checksum
algorithms (SHA256 and SHA512) are available for every release; you should use the tools
<code>sha256sum</code> or <code>sha512sum</code> to work with these.
</p>

<p>
To ensure that the checksum files themselves are correct, use GnuPG to
verify them against the accompanying signature files (e.g.
<code>SHA512SUMS.sign</code>).
The keys used for these signatures are all in the <a
href="https://keyring.debian.org">Debian GPG keyring</a> and the best
way to check them is to use that keyring to validate via the web of
trust.
To make life easier for users, here are the fingerprints for the keys
that have been used for releases in recent years:
</p>

#include "$(ENGLISHDIR)/CD/CD-keys.data"


<p>
Here is a more step by step guide for verifying authenticity of Debian CDs:
</p>

<p>
<strong>1. Download</strong> all the relevant files – the SUMS file, the signature, 
and the iso you want to download – to a single directory 
(so as an example if we wanted to use SHA512, it would be 
SHA512SUMS, SHA512SUMS.sign and the actual .iso file itself).
</p>

<p>
<strong>2. Verify the image</strong> against tampering, running the following commands
(there are a few different methods of doing this, this is only one):
</p>

<verbatim>
sha512sum path.to.iso > verify.txt
diff -q verify.txt SHA512SUMS
</verbatim>

<p>
If all checks out, no output should be given and we can move on to the next step.
Else, re-download the image and try again.
</p>

<p>
<strong>3. Verify the signature</strong>, running:
</p>

<verbatim>
gpg --verify SHA512SUMS.sign SHA512SUMS
</verbatim>

<p>
You may get an output like:
</p>

<verbatim>
gpg: Signature made Mon 25 Jan 2016 05:08:46 AEDT using RSA key ID 6294BE9B
gpg: Can't check signature: public key not found
</verbatim>

<p>
In this case you would need to run: 
</p>

<verbatim>
gpg --keyserver keyring.debian.org --recv-keys 6294BE9B
</verbatim>

<p>And then run the <code>gpg --verify SHA512SUMS.sign SHA512SUMS</code> command again. 
You may get an output like the following:
</p>

<verbatim>
gpg: Signature made Mon 25 Jan 2016 05:08:46 AEDT using RSA key ID 6294BE9B
gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B
</verbatim>

<p>
<strong>4. Verify this fingerprint is legitimate</strong> using one of the codes (fingerprints) 
located above. This document will change to reflect what the Debian project uses.
</p>
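Steps 2 and 4 of the guide above, as an added shell example that is not part of this patch or of the Debian website source: it checks only the downloaded image against the full SHA512SUMS list with sha512sum -c --ignore-missing, and compares the fingerprint that gpg prints with the fingerprints listed on the page. The function names and the demo files are constructed here; only the fingerprints and the output format come from the page.

```shell
#!/bin/sh
# Added example (not part of the patch or of the Debian website source):
# steps 2 and 4 of the guide done in a way that copes with a SHA512SUMS file
# that lists many images. Function names and the demo files are constructed
# for this example; the fingerprints are the ones listed on the page.
set -u

# Debian CD signing key fingerprints from the page, spaces removed.
KNOWN_FPRS='10460DAD76165AD81FBC0CE9988021A964E6EA7D
DF9B9C49EAA9298432589D76DA87E80D6294BE9B
F41D30342F3546695F65C66942468F4009EA8AC3'

# Step 2: let sha512sum compare the downloaded file with its line in
# SHA512SUMS. --ignore-missing skips the images we did not download, which
# is why this works where "diff verify.txt SHA512SUMS" always shows a diff.
verify_image() {                 # $1 = directory holding the .iso and SHA512SUMS
    (cd "$1" && sha512sum -c --ignore-missing --quiet SHA512SUMS) >/dev/null 2>&1
}

# Step 4: pull the "Primary key fingerprint:" line out of gpg's output and
# compare it, with the display spacing removed, against the known list.
fingerprint_is_known() {         # $1 = text printed by "gpg --verify"
    fpr=$(printf '%s\n' "$1" | sed -n 's/^Primary key fingerprint: *//p' | tr -d ' ')
    [ -n "$fpr" ] && printf '%s\n' "$KNOWN_FPRS" | grep -qxF "$fpr"
}

# Constructed demo data: a stand-in "image" plus a SHA512SUMS that, like the
# real one, also lists an image we did not download.
demo_dir=$(mktemp -d)
iso=debian-9.4.0-amd64-netinst.iso
printf 'not a real Debian image\n' > "$demo_dir/$iso"
{
    printf '%0128d  debian-9.4.0-amd64-xfce-CD-1.iso\n' 0
    (cd "$demo_dir" && sha512sum "$iso")
} > "$demo_dir/SHA512SUMS"

# Constructed gpg output, following the shape shown in step 3.
GOOD_GPG='gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>"
gpg: WARNING: This key is not certified with a trusted signature!
Primary key fingerprint: DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B'

if verify_image "$demo_dir" && fingerprint_is_known "$GOOD_GPG"; then
    echo "checksum matches SHA512SUMS and the signing key fingerprint is known"
else
    echo "verification FAILED: do not use this image" >&2
fi
```

With a real download, run verify_image on the download directory and pass the text printed by gpg --verify to fingerprint_is_known; a fingerprint that is not on the list means the checksum file was signed by a key the page does not vouch for, whatever gpg's "Good signature" line says.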
#use wml::debian::cdimage title="Verifying authenticity of Debian CDs" BARETITLE=true

<p>
Official releases of Debian CDs come with signed checksum files;
look for them alongside the images in the <code>iso-cd</code>,
<code>jigdo-dvd</code>, <code>iso-hybrid</code> etc. directories.
These allow you to check that the images you download are correct.
First of all, the checksum can be used to check that the CDs have not
been corrupted during download.
Secondly, the signatures on the checksum files allow you to confirm
that the files are the ones officially released by the Debian CD /
Debian Live team and have not been tampered with.
</p>

<p>
To validate the contents of a CD image, just be sure to use the
appropriate checksum tool.
Cryptographically strong checksum
algorithms (SHA256 and SHA512) are available for every release; you should use the tools
<code>sha256sum</code> or <code>sha512sum</code> to work with these.
</p>

<p>
To ensure that the checksum files themselves are correct, use GnuPG to
verify them against the accompanying signature files (e.g.
<code>SHA512SUMS.sign</code>).
The keys used for these signatures are all in the <a
href="https://keyring.debian.org">Debian GPG keyring</a> and the best
way to check them is to use that keyring to validate via the web of
trust.
To make life easier for users, here are the fingerprints for the keys
that have been used for releases in recent years:
</p>

#include "$(ENGLISHDIR)/CD/CD-keys.data"
