From: Daniel <dan...@visp.name>
To: Alfie John <alf...@fastmail.fm>; debian-security@lists.debian.org
Sent: Friday, May 30, 2014 10:16 PM
Subject: Re: Debian mirrors and MITM
> The thing is: When you download an .iso file, that .iso file also contains a
> signing key used to verify each package it downloads during the
> installation.
> The .iso file already contains a public key, and verifies every package it
> downloads along the way. You can disable that by hacking a bit in the
> installer, but it does require an effort.
> For the next problem: Some mirror might theoretically have an .iso file which
> has been tampered with, but you should check the checksum for
> that file with what you find in the Debian web pages. If you download a .iso
> file via HTTP, it might have been tampered with, and if someone is
> intercepting your request for the public key, it might be changed. But I
> think that would be a problem anyway...

Hello guys,

I am very confused after reading the exchanges on this topic. Could someone tell me whether what I have done is correct?

1. I download the *.iso file from a Debian mirror together with the SHA512SUMS and SHA512SUMS.sig.
2. On the relevant Debian Wiki page (which is served via https), I search for the fingerprint of the key used to sign the downloaded *.iso file.
3. On some Debian user forums, I make inquiries as to the fingerprint of the signing key for my *.iso file. I compare it with the one given by the Debian Wiki. If the fingerprints are identical, I download the signing key from the pgp.mit.edu keyserver.
4. I use the signing key to verify the SHA512SUMS file. If the signature is good, I proceed to verify the SHA512 hash sum against my downloaded *.iso file.

Are the above steps sufficient to verify the authenticity of the downloaded *.iso file?
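The four steps above, scripted, as an added example that is not part of the thread and not a Debian tool. It assumes GNU coreutils `sha512sum` and `gpg` are installed, that the .iso, SHA512SUMS and SHA512SUMS.sig sit in the current directory, and that the caller supplies the full 40-hex-digit fingerprint copied from the https Debian page. That fingerprint is the only trust anchor: the keyserver (the poster's pgp.mit.edu by default, any other via KEYSERVER) just supplies bytes, so the script checks that the key it received actually has that fingerprint, that the signature over SHA512SUMS is a VALIDSIG from that fingerprint rather than merely a "Good signature" from whatever key happens to be in the keyring, and that the image matches its own line in the signed SHA512SUMS.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or from Debian.
# Assumptions: gpg + GNU sha512sum present; files in the current directory;
# $1 is the signing key's full fingerprint taken from the https Debian page.
set -eu

# Where the key bytes come from. Not trusted: only the fingerprint is.
KEYSERVER="${KEYSERVER:-hkp://pgp.mit.edu}"

# Steps 2-3: fetch the key into a throwaway keyring, then confirm that what
# arrived really carries the expected fingerprint (a keyserver can return
# any key, and a MITM on HKP can substitute one).
fetch_key() {
    fpr="$1"
    gpg --batch --keyserver "$KEYSERVER" --recv-keys "$fpr"
    gpg --batch --with-colons --fingerprint "$fpr" \
        | awk -F: '$1 == "fpr" { print $10 }' | grep -qx "$fpr"
}

# Step 4a: require a VALIDSIG status line made by the expected fingerprint
# ($3 is the signing key, $NF the primary key, so a signing subkey also passes).
verify_sums_signature() {
    fpr="$1"; sums="$2"; sig="$3"
    gpg --batch --status-fd 1 --verify "$sig" "$sums" 2>/dev/null \
        | awk -v f="$fpr" \
              '$1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == f || $NF == f) { ok = 1 }
               END { exit ok ? 0 : 1 }'
}

# Step 4b: feed only our image's line to sha512sum -c. If the image is not
# listed, the input is empty and sha512sum -c fails, which is the safe outcome.
verify_iso_checksum() {
    iso="$1"; sums="$2"
    awk -v f="$(basename "$iso")" '$2 == f' "$sums" | sha512sum -c -
}

verify_image() {
    fpr="$1"; iso="$2"
    GNUPGHOME="$(mktemp -d)"; chmod 700 "$GNUPGHOME"; export GNUPGHOME
    fetch_key "$fpr"
    verify_sums_signature "$fpr" SHA512SUMS SHA512SUMS.sig
    verify_iso_checksum "$iso" SHA512SUMS
    echo "OK: $iso matches a SHA512SUMS signed by $fpr"
}

# Usage: sh verify-iso.sh <FINGERPRINT> <image.iso>
# Without arguments the script only defines the functions above.
[ "$#" -eq 0 ] || verify_image "$@"
```

The order matters: the signature on SHA512SUMS is checked before any hash is compared, so a mirror that serves a modified image together with a matching but unsigned SHA512SUMS fails at step 4a, and a wrong fingerprint fails at steps 2-3 before gpg is asked to trust anything.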