Re: Verifying authenticity of Debian CDs

2020-07-28 Thread davidson

On Fri, 24 Jul 2020 Andrew Cater wrote:

And it turns out that /etc/apt/trusted.gpg has the buster-stable, the
buster-automatic and the buster-security keys by default but _NOT_ the
debian-cd signing key so the stage of importing the key to match the
specific Debian CD signing key is still valid.


If you are doing all this on a debian system you trust, the keys you
want are installed by the package

 debian-keyring

in

 /usr/share/keyrings/debian-role-keys.gpg

About one month ago I detailed here how they can be used:

 lists.debian.org/msgid-search/alpine.deb.2.21.2006240945240.28...@azone.org

--
What is important is seldom urgent,
and what is urgent is seldom important.
-- Dwight David Eisenhower



Re: Verifying authenticity of Debian CDs

2020-07-28 Thread davidson

On Fri, 24 Jul 2020 Stefan Monnier wrote:

[On 24 Jul 2020 Semih Ozlem wrote:]

when I run the command
gpg --verify SHAxSUM.sign SHAxSUM
I get a message saying that

Can't check signature: No public key


Someone recently asked a similar question.

In case you already have access to a debian system that you trust, you
might find my reply to them helpful

 24 June 2020, davidson wrote to debian-user
 lists.debian.org/msgid-search/alpine.deb.2.21.2006240945240.28...@azone.org

along with an edit for clarity:

 lists.debian.org/msgid-search/alpine.deb.2.21.2006241221420.28...@azone.org


You should have the needed key(s) in /etc/apt/trusted.gpg, but to be
honest I don't know how to best pass those to GPG.


I do not have that file on any system at hand. Instead, I have many
debian-archive-*.gpg keyrings in the directory

 /etc/apt/trusted.gpg.d

and I notice that none of them contain Debian CD signing keys.

The package debian-keyring installs

 /usr/share/keyrings/debian-role-keys.gpg

which most likely contains the optical media signing key needed here.

--
What is important is seldom urgent,
and what is urgent is seldom important.
-- Dwight David Eisenhower



Re: Verifying authenticity of Debian CDs

2020-07-24 Thread john doe

On 7/24/2020 6:08 PM, Semih Ozlem wrote:

No that does not work, for some reason it is saying
"no command supplied" when corrected with dashes before verify I am getting
the old problem


Yep, I forgot the dashes before 'verify'..

'gpg --keyserver-options auto-key-retrieve --verify SHA512SUMS.sign
SHA512SUMS'

--
John Doe



Re: Verifying authenticity of Debian CDs

2020-07-24 Thread Andrew Cater
And it turns out that /etc/apt/trusted.gpg has the buster-stable, the
buster-automatic and the buster-security keys by default but _NOT_ the
debian-cd signing key so the stage of importing the key to match the
specific Debian CD signing key is still valid.

All best, as ever,

Andy C.

On Fri, Jul 24, 2020 at 4:29 PM Andrew Cater  wrote:

> I've just written up longer instructions on my own web page at FLOSSlinux
>  which should explain the steps
> I've just followed for myself. Check those and see what you think. I'll
> have a go at importing from /etc/apt/trusted.gpg and see what that looks
> like. That, of course, is the keyring that apt and aptitude use for master
> verification of Debian packages as part of the verification process before
> package installation - so the master keys for the whole of the trust for
> package installation on a Debian system.
>
> On Fri, Jul 24, 2020 at 4:20 PM Stefan Monnier 
> wrote:
>
>> > when I run the command
>> > gpg --verify SHAxSUM.sign SHAxSUM
>> > I get a message saying that
>> >
>> > Can't check signature: No public key
>>
>> You should have the needed key(s) in /etc/apt/trusted.gpg, but to be
>> honest I don't know how to best pass those to GPG.
>>
>>
>> Stefan
>>
>>


Re: Verifying authenticity of Debian CDs

2020-07-24 Thread Andrew Cater
I've just written up longer instructions on my own web page at FLOSSlinux
 which should explain the steps I've
just followed for myself. Check those and see what you think. I'll have a
go at importing from /etc/apt/trusted.gpg and see what that looks like.
That, of course, is the keyring that apt and aptitude use for master
verification of Debian packages as part of the verification process before
package installation - so the master keys for the whole of the trust for
package installation on a Debian system.

On Fri, Jul 24, 2020 at 4:20 PM Stefan Monnier 
wrote:

> > when I run the command
> > gpg --verify SHAxSUM.sign SHAxSUM
> > I get a message saying that
> >
> > Can't check signature: No public key
>
> You should have the needed key(s) in /etc/apt/trusted.gpg, but to be
> honest I don't know how to best pass those to GPG.
>
>
> Stefan
>
>


Re: Verifying authenticity of Debian CDs

2020-07-24 Thread Stefan Monnier
> when I run the command
> gpg --verify SHAxSUM.sign SHAxSUM
> I get a message saying that
>
> Can't check signature: No public key

You should have the needed key(s) in /etc/apt/trusted.gpg, but to be
honest I don't know how to best pass those to GPG.


Stefan



Re: Verifying authenticity of Debian CDs

2020-07-24 Thread john doe

On 7/24/2020 5:50 PM, Semih Ozlem wrote:

On the web page
https://www.debian.org/CD/verify
I am trying to follow the next paragraph.
"To ensure that the checksums files themselves are correct, use GnuPG to
verify them against the accompanying signature files (e.g. SHA512SUMS.sign).
The keys used for these signatures are all in the Debian GPG keyring
 and the best way to check them is to use that
keyring to validate via the web of trust."

when I run the command
gpg --verify SHAxSUM.sign SHAxSUM
I get a message saying that

Can't check signature: No public key

How should I proceed to get the necessary public key.
I tried following the link on this page to https://keyring.debian.org/
but I was not able to follow what to do. I tried simple copy and paste of
commands on this page, or their small variants, but was not able to get any
results.

Can someone help please



If you have internet access, give a shot to the below command:

$ gpg --keyserver-options auto-key-retrieve verify SHA512SUMS.sign
SHA512SUMS

Assuming that it works, the next command will be:

$ sha512sum --strict --ignore-missing -c SHA512SUMS

--
John Doe



Verifying authenticity of Debian CDs

2020-07-24 Thread Semih Ozlem
On the web page
https://www.debian.org/CD/verify
I am trying to follow the next paragraph.
"To ensure that the checksums files themselves are correct, use GnuPG to
verify them against the accompanying signature files (e.g. SHA512SUMS.sign).
The keys used for these signatures are all in the Debian GPG keyring
 and the best way to check them is to use that
keyring to validate via the web of trust."

when I run the command
gpg --verify SHAxSUM.sign SHAxSUM
I get a message saying that

Can't check signature: No public key

How should I proceed to get the necessary public key.
I tried following the link on this page to https://keyring.debian.org/
but I was not able to follow what to do. I tried simple copy and paste of
commands on this page, or their small variants, but was not able to get any
results.

Can someone help please

Thank you in advance.

Semih Ozlem


Re: Verifying authenticity of Debian CDs

2019-04-29 Thread Thomas Schmitt
Hi,

i wrote in https://lists.debian.org/debian-user/2019/04/msg00214.html
> > > SHA512SUMS.sign [...] SHA512SUMS [...] debian-9.8.0-amd64-netinst.iso

john doe wrote:
> > $ sha512sum -c --ignore-missing 
> > The '--strict' option could also be used.

Steve McIntyre wrote:
> If you're happy for me to borrow your text
> above, I think it's a good start!

I meanwhile discovered that i already wrote a more concise wiki paragraph
about that issue:
  https://wiki.debian.org/JigdoOnLive#Verify_the_Debian_Live_download

Especially this line

  gpg --keyserver keyring.debian.org --verify SHA512SUMS.sign SHA512SUMS

is obviously an improvement over mine in msg00214.html

  gpg --keyserver keyring.debian.org --recv-keys 64E6EA7D
  gpg --keyserver keyring.debian.org --recv-keys 6294BE9B
  gpg --keyserver keyring.debian.org --recv-keys 09EA8AC3
  gpg --verify SHA512SUMS.sign SHA512SUMS

(In that wiki i propose to first verify the SHA512SUMS and afterwards
 the gpg signature.
 IIRC, i had in mind that transport damage of the ISO is more likely
 than transport damage of the SHA512SUMS file or malicious activities.
 Whether this is a valid idea stays undecided ... scratching head.)


Have a nice day :)

Thomas
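As an added example (not code from any post in this thread), a small Python checker for the verification step under discussion: it runs gpg with its machine-readable --status-fd output and accepts the result only when the VALIDSIG record names a pinned Debian CD key fingerprint, because with auto-key-retrieve gpg fetches whichever key the signature names and "Good signature" alone says nothing about who holds that key. The pinned set contains only the fingerprint quoted in the thread, the status samples are constructed, and the user-id in them is a placeholder; the optional keyring argument is the debian-role-keys.gpg path davidson mentions.

```python
import subprocess

# Published Debian CD signing key fingerprints, pinned without spaces. Only the
# one quoted in this thread is listed; the authoritative list is the one at
# https://www.debian.org/CD/verify, so extend this set from there, never from
# whatever key a keyserver happens to return.
PINNED_FINGERPRINTS = {
    "DF9B9C49EAA9298432589D76DA87E80D6294BE9B",  # Debian CD signing key, 2011-01-05
}

FATAL = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"}


def check_gpg_status(status_text, pinned=PINNED_FINGERPRINTS):
    """Evaluate `gpg --status-fd 1` output; return (accepted, reason).

    Accept only when gpg emitted VALIDSIG and the primary-key fingerprint in
    that record is pinned. GOODSIG on its own is not enough: with
    --keyserver-options auto-key-retrieve gpg fetches whichever key the
    signature names, so "Good signature" only proves the file matches *some* key.
    """
    primary_fpr = None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # human-readable chatter, not a status record
        fields = line.split()
        keyword = fields[1]
        if keyword in FATAL:
            return False, f"gpg reported {keyword}"
        if keyword == "VALIDSIG":
            # VALIDSIG <fpr> <date> <ts> <expire> <ver> <rsv> <pkalgo> <hash>
            #          <class> [<primary-key-fpr>]  (primary present for subkeys)
            primary_fpr = fields[11] if len(fields) > 11 else fields[2]
    if primary_fpr is None:
        return False, "no VALIDSIG record: nothing was verified"
    if primary_fpr.upper() not in pinned:
        return False, f"good signature, but from unpinned key {primary_fpr}"
    return True, f"valid signature from pinned key {primary_fpr}"


def verify_signed_sums(sig_path, data_path, keyring=None):
    """Run the real check (not exercised offline). `keyring` may point at
    /usr/share/keyrings/debian-role-keys.gpg from the debian-keyring package,
    as suggested earlier in the thread, instead of the default keyring."""
    cmd = ["gpg", "--status-fd", "1"]
    if keyring:
        cmd += ["--no-default-keyring", "--keyring", keyring]
    cmd += ["--verify", sig_path, data_path]
    proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
    return check_gpg_status(proc.stdout)


# Constructed status samples modelled on the runs shown in the thread. The
# user-id <cd-key-uid@example.invalid> is a placeholder, not the real one.
_FPR = "DF9B9C49EAA9298432589D76DA87E80D6294BE9B"
_UID = "Debian CD signing key <cd-key-uid@example.invalid>"
STATUS_GOOD = (
    "[GNUPG:] NEWSIG\n"
    f"[GNUPG:] GOODSIG DA87E80D6294BE9B {_UID}\n"
    f"[GNUPG:] VALIDSIG {_FPR} 2019-02-17 1550416230 0 4 0 1 10 00 {_FPR}\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"
)
STATUS_BAD = f"[GNUPG:] NEWSIG\n[GNUPG:] BADSIG DA87E80D6294BE9B {_UID}\n"
STATUS_NO_PUBKEY = (  # the "Can't check signature: No public key" case
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] ERRSIG DA87E80D6294BE9B 1 10 00 1550416230 9 DA87E80D6294BE9B\n"
    "[GNUPG:] NO_PUBKEY DA87E80D6294BE9B\n"
)
_OTHER = "0123456789ABCDEF0123456789ABCDEF01234567"  # constructed, unpinned key
STATUS_UNPINNED = (
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Someone Else <other@example.invalid>\n"
    f"[GNUPG:] VALIDSIG {_OTHER} 2019-02-17 1550416230 0 4 0 1 10 00 {_OTHER}\n"
)
```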



Re: Verifying authenticity of Debian CDs

2019-04-29 Thread Steve McIntyre
[ I often skim the debian-user list, but when I'm away on vacation or
  at a conference I'll miss things unless I'm directly CC:ed ]

Thomas wrote:
>Hi,
>
>Chris XX wrote:
>> I was trying to Verify the authenticity of Debian CDs on your website, but I
>> don't see instructions that will guide me through the process
>> (step-by-step).
>
>(We are the users. But some Debian Developers are watching, too.)
>
>Obviously there is a gap between checksum file verification and .iso image
>verification.
>
>Let's first look at the files offered for download:
>  https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/
>has among others

...

>  ...
>  Found:
>0b0a75b8a0c8dc05a4b43273e44d7b5e3b0ecec6d9b4e1c88a95d9c886cba5ae0dbeb4b7a5a3016106096a9071572b9a3d8b54dd91a50abce15f713fa22ff229
>  Expected: 
>cc4a6bd50925c1c4af98049060e304494bc9da61eb5eb272c556d67608de14d4e6a4b8bc1c9412a0f810083912e228569f3771a7174538f3e26f45a05245
>  MISMATCH: 'debian-9.8.0-amd64-netinst.iso' checksum differs from 
> 'debian-9.8.0-amd64-netinst.iso' in 'SHA512SUMS'
>
>So you know that the checksumers really detect nearly all damages of
>debian-9.8.0-amd64-netinst.iso.
>
>--
>
>@ Steve McIntyre (maintainer of debian-cd):
>
>Do you agree with the instructions above ?

Yes, that's a very clear description. Thanks!

>Is there a consolidated wiki page with such instructions which i failed
>to find ? If not: shall we make such a page ?

I'm working with the web team to update our web pages for image
download, and part of that will include a much clearer set of
verification instructions. If you're happy for me to borrow your text
above, I think it's a good start!

-- 
Steve McIntyre, Cambridge, UK.st...@einval.com
  Armed with "Valor": "Centurion" represents quality of Discipline,
  Honor, Integrity and Loyalty. Now you don't have to be a Caesar to
  concord the digital world while feeling safe and proud.



Re: Verifying authenticity of Debian CDs

2019-04-11 Thread john doe
On 4/11/2019 6:35 PM, Default User wrote:
> On Fri, Apr 5, 2019, 18:06 Thomas Schmitt  wrote:
>
>> Hi,
>>
>> Chris XX wrote:
>>> I was trying to Verify the authenticity of Debian CDs on your website,
>> but I
>>> don't see instructions that will guide me through the process
>>> (step-by-step).
>>
>> (We are the users. But some Debian Developers are watching, too.)
>>
>> Obviously there is a gap between checksum file verification and .iso image
>> verification.
>>
>> Let's first look at the files offered for download:
>>   https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/
>> has among others
>>
>>   SHA512SUMS.sign
>>   SHA512SUMS
>>   debian-9.8.0-amd64-netinst.iso
>>
>>> https://www.debian.org/CD/verify
>>
>> This publishes the key "fingerprints" by which you can recognize authentic
>> pairs of SHA512SUMS.sign and SHA512SUMS.
>>
>> It points to
>>   https://keyring.debian.org/
>> where you probably shall learn how to obtain the keys in question,
>> namely by the shell commands
>>
>>   gpg --keyserver keyring.debian.org --recv-keys 64E6EA7D
>>   gpg --keyserver keyring.debian.org --recv-keys 6294BE9B
>>   gpg --keyserver keyring.debian.org --recv-keys 09EA8AC3
>>
>> Experienced users of gpg would know that one can check authenticity by
>>
>>   gpg --verify SHA512SUMS.sign SHA512SUMS
>>
>> which should say something like
>>
>>   gpg: Signature made Sun 17 Feb 2019 04:10:30 PM CET using RSA key ID
>> 6294BE9B
>>   gpg: Good signature from "Debian CD signing key <
>> debian...@lists.debian.org>"
>>   gpg: WARNING: This key is not certified with a trusted signature!
>>   gpg:  There is no indication that the signature belongs to the
>> owner.
>>   Primary key fingerprint: DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294
>> BE9B
>>
>> The reported fingerprint must be one of the published fingerprints,
>> or else something is fishy.
>> Here it is the Debian one of 2011-01-05. I.e. all is well so far.
>>
>> If you change some character in SHA512SUMS and run above command again
>> then you will see
>>
>>   gpg: Signature made Sun 17 Feb 2019 04:10:30 PM CET using RSA key ID
>> 6294BE9B
>>   gpg: BAD signature from "Debian CD signing key <
>> debian...@lists.debian.org>"
>>
>>
>> So you can trust the content of SHA512SUMS, if gpg --verify says it is
>> good and if the key fingerprint matches one of the Debian fingerprints.
>>
>> Now you have to follow the tiny link "faq" at the bottom to
>>   https://www.debian.org/CD/faq/
>> where you hop to
>>   https://www.debian.org/CD/faq/#verify
>>
>> Between the lines you read that there is a text line in SHA512SUMS which
>> shows the name of the .iso file which you actually want to verify:
>>
>>
>> cc4a6bd50925c1c4af98049060e304494bc9da61eb5eb272c556d67608de14d4e6a4b8bc1c9412a0f810083912e228569f3771a7174538f3e26f45a05245
>> debian-9.8.0-amd64-netinst.iso
>>
>> More explicit is the hint to use program "sha512sum". A run of
>>
>>   sha512sum debian-9.8.0-amd64-netinst.iso
>>
>> puts out
>>
>>
>> cc4a6bd50925c1c4af98049060e304494bc9da61eb5eb272c556d67608de14d4e6a4b8bc1c9412a0f810083912e228569f3771a7174538f3e26f45a05245
>> debian-9.8.0-amd64-netinst.iso
>>
>> which you should compare with the line in SHA512SUMS.
>>
>> Alternatively you could run
>>
>>   sha512sum --check SHA512SUMS 2>/dev/null
>>
The STDERR redirection to the null device could be avoided by using
'--ignore-missing'.

$ sha512sum -c --ignore-missing 

The '--strict' option could also be used.


"The following five options are useful only when verifying checksums:
...
  --ignore-missing  don't fail or report status for missing files
...
  --strict exit non-zero for improperly formatted checksum lines
..."

--
John Doe



Re: Verifying authenticity of Debian CDs

2019-04-11 Thread Default User
On Fri, Apr 5, 2019, 18:06 Thomas Schmitt  wrote:

> Hi,
>
> Chris XX wrote:
> > I was trying to Verify the authenticity of Debian CDs on your website,
> but I
> > don't see instructions that will guide me through the process
> > (step-by-step).
>
> (We are the users. But some Debian Developers are watching, too.)
>
> Obviously there is a gap between checksum file verification and .iso image
> verification.
>
> Let's first look at the files offered for download:
>   https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/
> has among others
>
>   SHA512SUMS.sign
>   SHA512SUMS
>   debian-9.8.0-amd64-netinst.iso
>
> > https://www.debian.org/CD/verify
>
> This publishes the key "fingerprints" by which you can recognize authentic
> pairs of SHA512SUMS.sign and SHA512SUMS.
>
> It points to
>   https://keyring.debian.org/
> where you probably shall learn how to obtain the keys in question,
> namely by the shell commands
>
>   gpg --keyserver keyring.debian.org --recv-keys 64E6EA7D
>   gpg --keyserver keyring.debian.org --recv-keys 6294BE9B
>   gpg --keyserver keyring.debian.org --recv-keys 09EA8AC3
>
> Experienced users of gpg would know that one can check authenticity by
>
>   gpg --verify SHA512SUMS.sign SHA512SUMS
>
> which should say something like
>
>   gpg: Signature made Sun 17 Feb 2019 04:10:30 PM CET using RSA key ID
> 6294BE9B
>   gpg: Good signature from "Debian CD signing key <
> debian...@lists.debian.org>"
>   gpg: WARNING: This key is not certified with a trusted signature!
>   gpg:  There is no indication that the signature belongs to the
> owner.
>   Primary key fingerprint: DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294
> BE9B
>
> The reported fingerprint must be one of the published fingerprints,
> or else something is fishy.
> Here it is the Debian one of 2011-01-05. I.e. all is well so far.
>
> If you change some character in SHA512SUMS and run above command again
> then you will see
>
>   gpg: Signature made Sun 17 Feb 2019 04:10:30 PM CET using RSA key ID
> 6294BE9B
>   gpg: BAD signature from "Debian CD signing key <
> debian...@lists.debian.org>"
>
>
> So you can trust the content of SHA512SUMS, if gpg --verify says it is
> good and if the key fingerprint matches one of the Debian fingerprints.
>
> Now you have to follow the tiny link "faq" at the bottom to
>   https://www.debian.org/CD/faq/
> where you hop to
>   https://www.debian.org/CD/faq/#verify
>
> Between the lines you read that there is a text line in SHA512SUMS which
> shows the name of the .iso file which you actually want to verify:
>
>
> cc4a6bd50925c1c4af98049060e304494bc9da61eb5eb272c556d67608de14d4e6a4b8bc1c9412a0f810083912e228569f3771a7174538f3e26f45a05245
> debian-9.8.0-amd64-netinst.iso
>
> More explicit is the hint to use program "sha512sum". A run of
>
>   sha512sum debian-9.8.0-amd64-netinst.iso
>
> puts out
>
>
> cc4a6bd50925c1c4af98049060e304494bc9da61eb5eb272c556d67608de14d4e6a4b8bc1c9412a0f810083912e228569f3771a7174538f3e26f45a05245
> debian-9.8.0-amd64-netinst.iso
>
> which you should compare with the line in SHA512SUMS.
>
> Alternatively you could run
>
>   sha512sum --check SHA512SUMS 2>/dev/null
>
> to get
>
>   debian-9.8.0-amd64-netinst.iso: OK
>   debian-9.8.0-amd64-xfce-CD-1.iso: FAILED open or read
>   debian-mac-9.8.0-amd64-netinst.iso: FAILED open or read
>
> Or you could download
>
>   https://people.debian.org/~danchev/debian-iso/check_debian_iso
>
> and run
>
>   chmod u+x ./check_debian_iso
>   ./check_debian_iso SHA512SUMS debian-9.8.0-amd64-netinst.iso
>
> to get
>
>   Piping 149504 blocks of 'debian-9.8.0-amd64-netinst.iso' through
> 'sha512sum'
>   to verify checksum list item 'debian-9.8.0-amd64-netinst.iso'.
>   149504+0 records in
>   149504+0 records out
>   306184192 bytes (306 MB) copied, 0.882765 s, 347 MB/s
>   Ok: 'debian-9.8.0-amd64-netinst.iso' matches
> 'debian-9.8.0-amd64-netinst.iso' in 'SHA512SUMS'
>
>
> Now let's see what happens if a single byte is altered in the .iso
>
>   dd if=/dev/zero bs=1 count=1 conv=notrunc seek=511
> of=debian-9.8.0-amd64-netinst.iso
>
> Now the proposed verifier runs yield:
>
>
> 0b0a75b8a0c8dc05a4b43273e44d7b5e3b0ecec6d9b4e1c88a95d9c886cba5ae0dbeb4b7a5a3016106096a9071572b9a3d8b54dd91a50abce15f713fa22ff229
> debian-9.8.0-amd64-netinst.iso
>
> which does obviously not match the line in SHA512SUMS, or
>
>   debian-9.8.0-amd64-netinst.iso: FAILED
>   ...
>
> or
>
>   ...
>   Found:
>  
> 0b0a75b8a0c8dc05a4b43273e44d7b5e3b0ecec6d9b4e1c88a95d9c886cba5ae0dbeb4b7a5a3016106096a9071572b9a3d8b54dd91a50abce15f713fa22ff229
>   Expected:
> cc4a6bd50925c1c4af98049060e304494bc9da61eb5eb272c556d67608de14d4e6a4b8bc1c9412a0f810083912e228569f3771a7174538f3e26f45a05245
>   MISMATCH: 'debian-9.8.0-amd64-netinst.iso' checksum differs from
> 'debian-9.8.0-amd64-netinst.iso' in 'SHA512SUMS'
>
> So you know that the checksumers really detect nearly all damages of
> debian-9.8.0-amd64-netinst.iso.
>
> ---

Re: Verifying authenticity of Debian CDs

2019-04-06 Thread john doe
On 4/5/2019 10:26 PM, Chris XX wrote:
> I was trying to Verify the authenticity of Debian CDs on your website, but

What flavor of Debian do you want to install?
What OS ("linux","Windows,""Mac") are you using to download "Debian"?

> I don't see instructions that will guide me through the process
> (step-by-step).
>

Answers to the above questions are required to be able to answer this
question.

This process is actually twofold:
- Ensuring that the downloaded file is properly downloaded
- Verifying that the downloaded file has not been tampered with

To do that for a Debian file three files are needed:
- SHA512SUMS.sign
- SHA512SUMS
- Iso file

--
John Doe



Re: Verifying authenticity of Debian CDs

2019-04-05 Thread Thomas Schmitt
Hi,

Chris XX wrote:
> I was trying to Verify the authenticity of Debian CDs on your website, but I
> don't see instructions that will guide me through the process
> (step-by-step).

(We are the users. But some Debian Developers are watching, too.)

Obviously there is a gap between checksum file verification and .iso image
verification.

Let's first look at the files offered for download:
  https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/
has among others

  SHA512SUMS.sign
  SHA512SUMS
  debian-9.8.0-amd64-netinst.iso

> https://www.debian.org/CD/verify

This publishes the key "fingerprints" by which you can recognize authentic
pairs of SHA512SUMS.sign and SHA512SUMS.

It points to
  https://keyring.debian.org/
where you probably shall learn how to obtain the keys in question,
namely by the shell commands

  gpg --keyserver keyring.debian.org --recv-keys 64E6EA7D
  gpg --keyserver keyring.debian.org --recv-keys 6294BE9B
  gpg --keyserver keyring.debian.org --recv-keys 09EA8AC3

Experienced users of gpg would know that one can check authenticity by

  gpg --verify SHA512SUMS.sign SHA512SUMS

which should say something like

  gpg: Signature made Sun 17 Feb 2019 04:10:30 PM CET using RSA key ID 6294BE9B
  gpg: Good signature from "Debian CD signing key "
  gpg: WARNING: This key is not certified with a trusted signature!
  gpg:  There is no indication that the signature belongs to the owner.
  Primary key fingerprint: DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B

The reported fingerprint must be one of the published fingerprints,
or else something is fishy.
Here it is the Debian one of 2011-01-05. I.e. all is well so far.

If you change some character in SHA512SUMS and run above command again
then you will see

  gpg: Signature made Sun 17 Feb 2019 04:10:30 PM CET using RSA key ID 6294BE9B
  gpg: BAD signature from "Debian CD signing key "


So you can trust the content of SHA512SUMS, if gpg --verify says it is
good and if the key fingerprint matches one of the Debian fingerprints.

Now you have to follow the tiny link "faq" at the bottom to
  https://www.debian.org/CD/faq/
where you hop to
  https://www.debian.org/CD/faq/#verify

Between the lines you read that there is a text line in SHA512SUMS which
shows the name of the .iso file which you actually want to verify:

  cc4a6bd50925c1c4af98049060e304494bc9da61eb5eb272c556d67608de14d4e6a4b8bc1c9412a0f810083912e228569f3771a7174538f3e26f45a05245  debian-9.8.0-amd64-netinst.iso

More explicit is the hint to use program "sha512sum". A run of

  sha512sum debian-9.8.0-amd64-netinst.iso

puts out

  cc4a6bd50925c1c4af98049060e304494bc9da61eb5eb272c556d67608de14d4e6a4b8bc1c9412a0f810083912e228569f3771a7174538f3e26f45a05245  debian-9.8.0-amd64-netinst.iso

which you should compare with the line in SHA512SUMS.

Alternatively you could run

  sha512sum --check SHA512SUMS 2>/dev/null

to get

  debian-9.8.0-amd64-netinst.iso: OK
  debian-9.8.0-amd64-xfce-CD-1.iso: FAILED open or read
  debian-mac-9.8.0-amd64-netinst.iso: FAILED open or read

Or you could download

  https://people.debian.org/~danchev/debian-iso/check_debian_iso

and run

  chmod u+x ./check_debian_iso
  ./check_debian_iso SHA512SUMS debian-9.8.0-amd64-netinst.iso

to get

  Piping 149504 blocks of 'debian-9.8.0-amd64-netinst.iso' through 'sha512sum'
  to verify checksum list item 'debian-9.8.0-amd64-netinst.iso'.
  149504+0 records in
  149504+0 records out
  306184192 bytes (306 MB) copied, 0.882765 s, 347 MB/s
  Ok: 'debian-9.8.0-amd64-netinst.iso' matches 'debian-9.8.0-amd64-netinst.iso' in 'SHA512SUMS'


Now let's see what happens if a single byte is altered in the .iso

  dd if=/dev/zero bs=1 count=1 conv=notrunc seek=511 of=debian-9.8.0-amd64-netinst.iso

Now the proposed verifier runs yield:

  0b0a75b8a0c8dc05a4b43273e44d7b5e3b0ecec6d9b4e1c88a95d9c886cba5ae0dbeb4b7a5a3016106096a9071572b9a3d8b54dd91a50abce15f713fa22ff229  debian-9.8.0-amd64-netinst.iso

which does obviously not match the line in SHA512SUMS, or

  debian-9.8.0-amd64-netinst.iso: FAILED
  ...

or

  ...
  Found:    0b0a75b8a0c8dc05a4b43273e44d7b5e3b0ecec6d9b4e1c88a95d9c886cba5ae0dbeb4b7a5a3016106096a9071572b9a3d8b54dd91a50abce15f713fa22ff229
  Expected: cc4a6bd50925c1c4af98049060e304494bc9da61eb5eb272c556d67608de14d4e6a4b8bc1c9412a0f810083912e228569f3771a7174538f3e26f45a05245
  MISMATCH: 'debian-9.8.0-amd64-netinst.iso' checksum differs from 'debian-9.8.0-amd64-netinst.iso' in 'SHA512SUMS'

So you know that the checksumers really detect nearly all damages of
debian-9.8.0-amd64-netinst.iso.

--

@ Steve McIntyre (maintainer of debian-cd):

Do you agree with the instructions above ?

Is there a consolidated wiki page with such instructions which i failed
to find ? If not: shall we make such a page ?


Have a nice day :)

Thomas
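As an added example (not from the thread, and not the check_debian_iso script Thomas links to), a Python equivalent of the sha512sum --check / --ignore-missing / --strict step: it parses SHA512SUMS lines, streams each listed file through SHA-512, reports OK, FAILED or MISSING per entry, and demo() repeats the experiment above of zeroing the byte at offset 511 of the image. The image and the checksum list inside demo() are constructed stand-ins, not Debian's files.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash 1 MiB at a time so multi-GB images never sit in RAM
HEX = set("0123456789abcdef")


def parse_sums(text):
    """Parse SHA512SUMS content into {filename: hex_digest}.

    Lines look like '<128 hex>  <name>' (text mode) or '<128 hex> *<name>'
    (binary mode). Malformed lines raise, which is the --strict behaviour
    discussed in the thread; silently skipping them would let a truncated or
    edited list pass.
    """
    sums = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        digest, sep, rest = line.partition(" ")
        digest = digest.lower()
        if not sep or len(digest) != 128 or not set(digest) <= HEX:
            raise ValueError(f"line {lineno}: improperly formatted checksum line")
        name = rest[1:] if rest[:1] in (" ", "*") else rest  # drop mode marker
        sums[name] = digest
    return sums


def sha512_of(path):
    """Hex SHA-512 of a file, streamed in chunks."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def verify_sums(sums_text, directory):
    """Return {name: 'OK' | 'FAILED' | 'MISSING'} for every entry in the list.

    MISSING corresponds to sha512sum's 'FAILED open or read' lines that
    --ignore-missing suppresses: entries for images you did not download.
    """
    directory = Path(directory)
    results = {}
    for name, expected in parse_sums(sums_text).items():
        target = directory / name
        if not target.is_file():
            results[name] = "MISSING"
        elif hmac.compare_digest(sha512_of(target), expected):
            results[name] = "OK"
        else:
            results[name] = "FAILED"
    return results


def demo():
    """Constructed end-to-end run: a 4 KiB stand-in for the .iso, a checksum
    list naming it plus one image that was never downloaded, a clean check,
    then the thread's experiment of zeroing the byte at offset 511."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        image = d / "debian-9.8.0-amd64-netinst.iso"
        image.write_bytes(bytes(range(256)) * 16)
        listed = f"{sha512_of(image)}  {image.name}\n"
        absent = "0" * 128 + "  debian-9.8.0-amd64-xfce-CD-1.iso\n"  # constructed digest
        before = verify_sums(listed + absent, d)
        with open(image, "r+b") as f:
            f.seek(511)
            f.write(b"\x00")  # same single-byte change as the dd command above
        after = verify_sums(listed + absent, d)
    return before, after
```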



Re: Verifying authenticity of Debian CDs

2019-04-05 Thread Lee
On 4/5/19, Chris XX <1swansb...@gmail.com> wrote:
> I was trying to Verify the authenticity of Debian CDs on your website, but
> I don't see instructions that will guide me through the process
> (step-by-step).
>
> Can you help and/or fix?
> Thanks, Chris
>
> P.S.  this was the site I got stuck on:
> https://www.debian.org/CD/verify
>
> There is a lot of information, but no clear guidance. For example, do I
> install Debian first then look somewhere for the *"fingerprints"*
>
> I don't understand the use of this tool: *"you should use the tools
> sha256sum or sha512sum to work with these."*

I'm the wrong person to explain verifying signatures, so I'll skip all
that & go with

- download the iso file
- download the SHA256SUM file
- compute the checksum of the downloaded file & compare to what's in
the SHA256SUM file.  If they match you've verified the download.

So let's pretend you started from
  https://cdimage.debian.org/debian-cd/current/i386/iso-cd/

and downloaded
  debian-9.8.0-i386-netinst.iso
You also need to download the SHA256SUMS file

If you're on Windows, compute the checksum by doing
  certutil -hashfile debian-9.8.0-i386-netinst.iso SHA256
and compare that to
  8156cc4ce7a06facf69d4f7161f89431a794cdaba8e2b4eb91b2c43a302e4614
(the checksum listed in the SHA256SUMS file)

If you're already on Debian you've got the sha256sum program, so do
  sha256sum debian-9.8.0-i386-netinst.iso
and compare the output to the checksum in SHA256SUMS file

Regards,
Lee



Verifying authenticity of Debian CDs

2019-04-05 Thread Chris XX
I was trying to Verify the authenticity of Debian CDs on your website, but
I don't see instructions that will guide me through the process
(step-by-step).

Can you help and/or fix?
Thanks, Chris

P.S.  this was the site I got stuck on:
https://www.debian.org/CD/verify

There is a lot of information, but no clear guidance. For example, do I
install Debian first then look somewhere for the *"fingerprints"*

I don't understand the use of this tool: *"you should use the tools
sha256sum or sha512sum to work with these."*