On 11/16/22 09:13, Thomas Schmitt wrote:
Hi,
Thomas George wrote:
I am going to erase everything I have done and start over.
There's no need for starting over. The SHA512SUM file is meanwhile
authenticated by your run of:
gpg2 --verify SHA512SUMS.sign SHA512SUMS
[...]
gpg: Good signature from "Debian CD signing key <debian...@lists.debian.org>" [unknown]
[...]
...gpg: WARNING: This key is not certified with a trusted signature!
......There is no indication that the signature belongs to the owner
...Primary key fingerprint: DF9B9C49EAA9298432589D76DA87E80D6294BE9B
The warning is normal with the Debian keys and can be ignored.
Important is the key fingerprint, which is published on
https://www.debian.org/CD/verify
as
Key fingerprint = DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B
I would leave it to copy+paste and the computer to compare the strings.
Remove the blanks from the published number:
echo "DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B" | sed -e 's/ //g'
which will respond by
DF9B9C49EAA9298432589D76DA87E80D6294BE9B
Copy+paste the result and the string reported by gpg --verify to a
comparison command:
test DF9B9C49EAA9298432589D76DA87E80D6294BE9B = DF9B9C49EAA9298432589D76DA87E80D6294BE9B && echo MATCH
which responds by
MATCH
----------------------------------------------------------------------
So now you only have to verify the SHA512 checksum of the ISO by
sha512sum -c SHA512SUMS
If you want a more straightforward output:
$ sha512sum -c SHA512SUMS --strict --ignore-missing
--
John Doe
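
The checks discussed in this thread, combined into one script as an added example that is not part of the original messages: it takes the fingerprint from gpg's machine-readable `--status-fd` output instead of copy+paste, then runs the checksum check. The function names and the sample status line are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Fingerprint as published on https://www.debian.org/CD/verify (quoted in the thread).
PUBLISHED_FPR="DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B"

# Constructed sample of one gpg status line; dates and numeric fields are made up.
# Real input would come from:
#   gpg2 --status-fd 1 --verify SHA512SUMS.sign SHA512SUMS 2>/dev/null
SAMPLE_STATUS="[GNUPG:] VALIDSIG DF9B9C49EAA9298432589D76DA87E80D6294BE9B 2022-09-10 1662800000 0 4 0 1 10 00 DF9B9C49EAA9298432589D76DA87E80D6294BE9B"

# Strip all whitespace and upper-case the hex digits, so the spaced
# (published) and unspaced forms of a fingerprint compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr 'a-f' 'A-F'
}

# Read gpg status output on stdin and print the primary key fingerprint.
# gpg emits VALIDSIG only for a cryptographically valid signature; the
# last field of that line is the primary key fingerprint.
fpr_from_status() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }'
}

# Succeed only if the status output ($1) reports a valid signature made
# by the key with the expected fingerprint ($2).
signed_by() {
    got=$(printf '%s\n' "$1" | fpr_from_status)
    [ -n "$got" ] && [ "$(normalize_fpr "$got")" = "$(normalize_fpr "$2")" ]
}

# Check the files present in directory $1 against its SHA512SUMS.
# --ignore-missing skips images that were not downloaded, --strict rejects
# malformed lines, and sha512sum fails if no file at all was verified.
verify_sums() {
    ( cd "$1" && sha512sum -c SHA512SUMS --strict --ignore-missing --quiet )
}
```

Only run `verify_sums` after `signed_by` has succeeded for SHA512SUMS, since the checksum file is trustworthy only once its signature is tied to the published fingerprint.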