Bug#851541: Bug#902668: Draft for rewrite of https://www.debian.org/CD/verify

2024-03-24 Thread Cyril Brulebois
Hi,

Tassia Camoes Araujo  (2024-03-25):
> I've reviewed the proposed patch, and I think it should be applied as
> soon as possible.
> 
> It seems Laura was waiting for a final review before applying this patch
> (long overdue!), which IMHO would bring much more clarity to the image
> verification process (usually, a big struggle to new users).
> 
> We should make a decision about the long key IDs request (points 1 and 2
> from #851541), and once those changes go online, I think both bugs could
> be closed (#902668 and #851541).
> 
> Thanks for all who have invested energy to clarify this process, and I
> hope we can benefit from your work very soon!
> 
> Cheers,
> 
> Tassia. 

Cc += debian-cd@ for information.


Cheers,
-- 
Cyril Brulebois (k...@debian.org)
D-I release manager -- Release team member -- Freelance Consultant




Bug#851541: Bug#902668: Draft for rewrite of https://www.debian.org/CD/verify

2018-06-29 Thread Laura Arjona Reina
Thanks for your proposal.
I've taken the liberty to adapt it to the wml format, with slight rewrites and
adding some more layout, and provide a patch (see attached the current
verify.wml file, the new one, and the diff).

Please take into account that we already have another open bug about this page:

#851541 www.debian.org: "CD/verify should include long key IDs"

The attached patch could solve, in my opinion, the third and fourth requests of
that bug, so I'm CC'ing it too.

Cheers

On 29/06/18 at 11:56, Fjfj109 wrote:
> Package: www.debian.org 
> 
> Version: None
> 
> Severity: Wishlist
> 
> 
> Dear maintainer,
> 
> Here is a first draft of a rewrite I did for the above mentioned URL in the
> bug report. I felt it included not nearly enough useful information. Please
> correct me if this is wrong and otherwise, feel free to replace the existing
> page with my edit. Any suggestions etc you might... uh... suggest, to make it
> better, please also let me know and feel free to include those too. I’ve both
> attached it and posted it below for posterity:
> 
> Official releases of Debian CDs come with signed checksum files; look for them
> alongside the images in the |iso-cd|, |jigdo-dvd|, |iso-hybrid| etc.
> directories (if you can’t find the files, you can right click the download
> link for various Debian images and remove the text at the end of the link
> specific to your download; aka to see the list of files for the net install
> on the amd64 architecture, left clicking the link gives you
> https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/debian-9.4.0-amd64-netinst.iso
> – remove the section after “iso-cd”). These allow you to check that the
> images you download are correct. First of all, the checksum can be used to
> check that the CDs have not been corrupted during download. Secondly, the
> signatures on the checksum files allow you to confirm that the files are the
> ones officially released by the Debian CD / Debian Live team and have not
> been tampered with.
> 
> To validate the contents of a CD image, just be sure to use the appropriate
> checksum tool. Cryptographically strong checksum algorithms (SHA256 and
> SHA512) are available for every release; you should use the tools |sha256sum|
> or |sha512sum| to work with these.
> 
> To ensure that the checksum files themselves are correct, use GnuPG to verify
> them against the accompanying signature files (e.g. |SHA512SUMS.sign|). The
> keys used for these signatures are all in the Debian GPG keyring and the best
> way to check them is to use that keyring to validate via the web of trust. To
> make life easier for users, here are the fingerprints for the keys that have
> been used for releases in recent years:
> 
> 
> pub   4096R/64E6EA7D 2009-10-03
>   Key fingerprint = 1046 0DAD 7616 5AD8 1FBC  0CE9 9880 21A9 64E6 EA7D
> uid  Debian CD signing key  >
> 
> pub   4096R/6294BE9B 2011-01-05
>   Key fingerprint = DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B
> uid  Debian CD signing key  >
> sub   4096R/11CD9819 2011-01-05
> 
> pub   4096R/09EA8AC3 2014-04-15
>   Key fingerprint = F41D 3034 2F35 4669 5F65  C669 4246 8F40 09EA 8AC3
> uid  Debian Testing CDs Automatic Signing Key 
> mailto:debian...@lists.debian.org>>
> sub   4096R/6BD05CFB 2014-04-15
> 
> In more explicit terms, here is a more step by step breakdown of how one
> actually does this:
> 
> 
> 1. Download all the relevant files – the SUMS file, the signature, and the iso
> you want to download – to a single directory (so as an example if we wanted to
> use SHA512, it would be SHA512SUMS, SHA512SUMS.sign and the actual .iso file
> itself).
> 
> 2. To verify the image against tampering (there are a few different methods of
> doing this, we choose the following arbitrarily, and we also choose SHA512, it
> can be done with less but this is cryptographically stronger): “sha512sum
> path.to.iso > verify.txt” “diff -q verify.txt SHA512SUMS” (without quotes). If
> all checks out, no output should be given and we can move on to the next step.
> Else, re-download the image and try again.
> 
> 
> 3. To verify the signature: “gpg --verify SHA512SUMS.sign SHA512SUMS”. You may
> get an output like:
> 
> |gpg: Signature made Mon 25 Jan 2016 05:08:46 AEDT using RSA key ID 6294BE9B|
> |gpg: Can't check signature: public key not found|
> 
> So:
> 
> “gpg --keyserver keyring.debian.org --recv-keys 6294BE9B”,
> 
> And then run it again: “gpg --verify SHA512SUMS.sign SHA512SUMS”. You may get
> an output like the following:
> 
> |gpg: Signature made Mon 25 Jan 2016 05:08:46 AEDT using RSA key ID 6294BE9B|
> |gpg: Good signature from "Debian CD signing key  >"|
> |gpg: WARNING: This key is not certified with a trusted signature!|
> |gpg: There is no indication