Package: www.debian.org
Severity: normal
Having just talked a user through the gpg verification steps for the CDs,
I've got a few suggestions for the web page with the instructions on how
to verify the CD contents:
1/ long key IDs:
it would be good to include the long key id rather than the short key id. The
long key id is present in the fingerprint but not in a form that can be
copy/pasted into gpg --recv-keys for those not already on Debian systems. The
necessary gpg options are
--keyid-format long --with-fingerprint
2/ sort the keys:
Putting the keys that are most needed at the top would be great. Something
like:
# current stable release CD key, current testing CD key, historical CD key
for keyid in DA87E80D6294BE9B 42468F4009EA8AC3 988021A964E6EA7D; do
gpg --list-keys --keyring /usr/share/keyrings/debian-role-keys.gpg \
--keyid-format long --with-fingerprint $keyid
done
Even better would be explanatory text in between each key describing *how*
it was used so that users know which one they are supposed to be importing
from the keyservers if they have to do that. The current text gives the
impression of "here are some random keys that we might once have used";
while the text is accurate, it doesn't really instill confidence or help
the user with concrete next steps.
3/ concerete examples
Everyone knows how 'fun' the gpg CLI is to work with. A couple of concrete
examples of how to verify the download using the debian-keyring and the key
servers would be good. Something like:
1. Download the ISO image as well as the files SHA256SUM and SHA256SUM.sign
files that are in the same directory.
2. On a Debian system, you can use your existing trust in the Debian Archive
signing keys (in apt) to obtain the keys.
# apt install debian-keyring
$ sha256sum -c SHA256SUMS
$ gpg --keyring /usr/share/keyrings/debian-role-keys.gpg --verify
SHA256SUMS.sign
On non-Debian systems, you can first import the relevant key from the
keyservers.
$ gpg --recv-keys DA87E80D6294BE9B
$ sha256sum -c SHA256SUMS
$ gpg --verify SHA256SUMS.sign
In both cases, gpg should show that this was a "Good signature" but gpg
will also warn you that your keys do not have an explicit trust path
to this signing key; this warning is normal and can be ignored since
you have established a trust path to the key outside gpg that gpg doesn't
know about (your trust is either via the debian-keyring package or thanks
to manually checking the fingerprint of the key that is used against this
web page).
(Maybe these are already on the wiki somewhere... fragmenting the
documentation across www.d.o and wiki.d.o doesn't help and there'salso
no link to this informaiton; the use of the debian-keyring package might
also be a problem since it doesn't tend to receive stable updates -- maybe
it should?)
4/ where are the sums?
Users consistently fail to find the SHA256SUM and SHA256SUM.sign files. The
verify page could be more explicit about where to find the files.ยน (I've
tried to be more explicit in the text above, not sure if that's enough.)
cheers
Stuart
[1] the download pages have long vexed the www team and I have no great
ideas how to actually make this better and further discussion lives in
separate bugs. What we've seen is that if users actually use the download
pages on www.debian.org then there are no links to the *SUM files anywhere and
users must copy+paste URLs and then edit them. I'm loathe to suggest more
links be added to the download pages though.
