On Sat, Dec 24, 2016 at 10:10:27AM +0100, [email protected] wrote:
> I have difficulties with the explanation on how to verify your downloaded
> debian ISO.
This is really more of a question for the CD team rather than
keyring-maint; I've tried my best to answer below, but have also copied
debian-cd so they can comment (or perhaps just update the documentation).

> On this page https://keyring.debian.org/ it says "Once you know the
> key's ID ..."
>
> Well, how do I find out that key for my ISO? A little bit more
> information would be helpful :/ I have downloaded
> debian-8.6.0-amd64-CD-1.iso
>
> On this page https://www.debian.org/CD/verify there are 3 fingerprints
> at the bottom. I do not know what a fingerprint is but apparently it's
> not what I'm looking for (but then again why would they provide these
> instead of a key). So where do I find the key that I need?

On Sat, Dec 24, 2016 at 04:49:28PM +0100, [email protected] wrote:
> to make myself more clear about what I meant this morning:
>
> I want to use the command
>
>   gpg --keyserver x --recv-key y
>
> I know what the x must be: keyring.debian.org
>
> But what do I need to replace the y with?
>
> On this page
> http://cdimage.debian.org/debian-cd/8.6.0/amd64/iso-cd/
> I clicked on the "verification guide"
> but it's not really a "guide" since it doesn't really explain what I need
> to do :/
> There are just 3 fingerprints which seem unrelated to the command above.
>
> My ISO is debian-8.6.0-amd64-CD-1.iso

So the CDs themselves are not signed; what is signed are the hashes of
the images. These are the *SUMS files, with the signatures being in
*SUMS.sign. So, for example, you might choose to verify the SHA256 sum of
the image you have downloaded.
  $ wget -q http://cdimage.debian.org/debian-cd/8.6.0/amd64/iso-cd/SHA256SUMS
  $ wget -q http://cdimage.debian.org/debian-cd/8.6.0/amd64/iso-cd/SHA256SUMS.sign

And then verify that file:

  $ gpg SHA256SUMS.sign
  gpg: assuming signed data in 'SHA256SUMS'
  gpg: Signature made Sun 18 Sep 2016 17:23:45 BST
  gpg:                using RSA key 0xDA87E80D6294BE9B
  gpg: Can't check signature: No public key

Which helpfully tells you which key was used to sign that file; the 2nd
one listed on the verification page.

  $ gpg --keyserver keyring.debian.org --recv-key 0xDA87E80D6294BE9B
  gpg: key 0xDA87E80D6294BE9B: public key "Debian CD signing key <[email protected]>" imported

  $ gpg SHA256SUMS.sign
  gpg: assuming signed data in 'SHA256SUMS'
  gpg: Signature made Sun 18 Sep 2016 17:23:45 BST
  gpg:                using RSA key 0xDA87E80D6294BE9B
  gpg: Good signature from "Debian CD signing key <[email protected]>" [undefined]

So we know that file is good. We then look for the SHA256 for the file
you've downloaded:

  $ grep debian-8.6.0-amd64-CD-1.iso SHA256SUMS
  e9cb144e486409b2ea1454dceae8d46e0ebab88435cf0b6e7a18f3aa3a51c538  debian-8.6.0-amd64-CD-1.iso

And you should be able to use "sha256sum" against the file you've
downloaded to confirm that it matches this hash.

J.

-- 
Web                      [ Most people are descended from apes. Redheads are descended ]
site: http://            [ from cats.                                                  ]
www.earth.li/~noodles/   [                                                             ]
                                                               Made by HuggieTag 0.0.24
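The procedure in the reply above (fetch SHA256SUMS and SHA256SUMS.sign, import the signing key, verify the signature, compare the ISO's hash), assembled into a POSIX shell script as an added example; this is not code from the original message or from the Debian CD team. It assumes gpg, sha256sum, awk and wget are installed, and it takes the signing key's full fingerprint as an argument, to be copied by hand from https://www.debian.org/CD/verify. One point the plain `gpg SHA256SUMS.sign` step does not cover: the "Good signature ... [undefined]" output only says that the key gpg just fetched made the signature, so the script additionally requires the signing key's fingerprint (from gpg's VALIDSIG status line) to equal the published one before it trusts the SUMS file.

```shell
#!/bin/sh
# Added example (not from the original message): verify a Debian ISO against
# the signed SHA256SUMS file, following the steps in the reply above.
# Assumes gpg, sha256sum, awk and wget are installed; the signing-key
# fingerprint is an argument, copied from https://www.debian.org/CD/verify.

# Print the expected hash for a file name from a *SUMS file. Lines look like
# "<hex>  <name>" (or "<hex> *<name>" for binary mode). Status 1 if not listed.
expected_sum() {
    # $1 = SUMS file, $2 = file name as listed in it
    awk -v f="$2" '
        { name = $2; sub(/^\*/, "", name) }
        name == f { print $1; found = 1; exit }
        END { exit !found }' "$1"
}

# Compare a downloaded file with its entry in the SUMS file.
# Returns 0 on match, 1 on mismatch, 2 if the file is not listed at all.
check_sum() {
    sums="$1"; file="$2"
    want=$(expected_sum "$sums" "$(basename "$file")") || return 2
    have=$(sha256sum "$file" | awk '{ print $1 }')
    [ "$want" = "$have" ]
}

# Fetch the signing key and verify SUMS.sign over SUMS. "Good signature" on
# its own only shows that *some* key we just fetched signed the file (hence
# the "[undefined]" trust in the reply above), so also require that the key's
# fingerprint equals the one published on the verify page.
verify_signature() {
    sums="$1"
    fpr=$(printf '%s' "$2" | tr -d ' ' | sed 's/^0x//' | tr 'a-f' 'A-F')
    gpg --keyserver keyring.debian.org --recv-key "$fpr" >/dev/null 2>&1 || return 1
    # VALIDSIG's first field is the full fingerprint of the signing key.
    gpg --status-fd 1 --verify "$sums.sign" "$sums" 2>/dev/null \
        | grep -q "^\[GNUPG:\] VALIDSIG $fpr "
}

# Usage: sh verify-iso.sh <iso-file> <directory-url> <signing-key-fingerprint>
# e.g.   sh verify-iso.sh debian-8.6.0-amd64-CD-1.iso \
#            http://cdimage.debian.org/debian-cd/8.6.0/amd64/iso-cd \
#            <full fingerprint from https://www.debian.org/CD/verify>
if [ "$#" -eq 3 ]; then
    iso="$1"; url="$2"; fpr="$3"
    wget -q "$url/SHA256SUMS" "$url/SHA256SUMS.sign" || { echo "download failed"; exit 1; }
    verify_signature SHA256SUMS "$fpr" || { echo "SHA256SUMS signature check failed"; exit 1; }
    if check_sum SHA256SUMS "$iso"; then
        echo "OK: $iso matches the signed SHA256SUMS"
    else
        echo "FAIL: $iso does not match (or is not listed in) SHA256SUMS"; exit 1
    fi
fi
```

The script refuses to report success on a hash match alone: a SUMS file whose signature does not verify against the pinned fingerprint is treated as untrusted, and an ISO that is simply absent from the SUMS file is reported as a failure rather than silently passing.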

