Package: www.debian.org
Severity: normal

Having just talked a user through the gpg verification steps for the CDs, I've got a few suggestions for the web page with the instructions on how to verify the CD contents:

1/ long key IDs:

It would be good to include the long key id rather than the short key id. The long key id is present in the fingerprint but not in a form that can be copy/pasted into gpg --recv-keys for those not already on Debian systems. The necessary gpg options are --keyid-format long --with-fingerprint

2/ sort the keys:

Putting the keys that are most needed at the top would be great. Something like:

  # current stable release CD key, current testing CD key, historical CD key
  for keyid in DA87E80D6294BE9B 42468F4009EA8AC3 988021A964E6EA7D; do
    gpg --list-keys --keyring /usr/share/keyrings/debian-role-keys.gpg \
      --keyid-format long --with-fingerprint $keyid
  done

Even better would be explanatory text in between each key describing *how* it was used so that users know which one they are supposed to be importing from the keyservers if they have to do that. The current text gives the impression of "here are some random keys that we might once have used"; while the text is accurate, it doesn't really instill confidence or help the user with concrete next steps.

3/ concrete examples

Everyone knows how 'fun' the gpg CLI is to work with. A couple of concrete examples of how to verify the download using the debian-keyring and the key servers would be good. Something like:

  1. Download the ISO image as well as the SHA256SUMS and SHA256SUMS.sign files that are in the same directory.

  2. On a Debian system, you can use your existing trust in the Debian Archive signing keys (in apt) to obtain the keys.

       # apt install debian-keyring
       $ sha256sum -c SHA256SUMS
       $ gpg --keyring /usr/share/keyrings/debian-role-keys.gpg --verify SHA256SUMS.sign

     On non-Debian systems, you can first import the relevant key from the keyservers.

       $ gpg --recv-keys DA87E80D6294BE9B
       $ sha256sum -c SHA256SUMS
       $ gpg --verify SHA256SUMS.sign

     In both cases, gpg should show that this was a "Good signature" but gpg will also warn you that your keys do not have an explicit trust path to this signing key; this warning is normal and can be ignored since you have established a trust path to the key outside gpg that gpg doesn't know about (your trust is either via the debian-keyring package or thanks to manually checking the fingerprint of the key that is used against this web page).

(Maybe these are already on the wiki somewhere... fragmenting the documentation across www.d.o and wiki.d.o doesn't help and there's also no link to this information; the use of the debian-keyring package might also be a problem since it doesn't tend to receive stable updates -- maybe it should?)

4/ where are the sums?

Users consistently fail to find the SHA256SUMS and SHA256SUMS.sign files. The verify page could be more explicit about where to find the files. [1] (I've tried to be more explicit in the text above, not sure if that's enough.)

cheers
Stuart

[1] the download pages have long vexed the www team and I have no great ideas how to actually make this better and further discussion lives in separate bugs. What we've seen is that if users actually use the download pages on www.debian.org then there are no links to the *SUM files anywhere and users must copy+paste URLs and then edit them. I'm loathe to suggest more links be added to the download pages though.
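The verification procedure from item 3 above, carried a bit further as an added example (this script is not from the bug report and is not Debian's own tooling). It adds the two checks a practitioner would want on top of the commands in the report: it reads gpg's machine-readable --status-fd output and requires that the VALIDSIG fingerprint equals the fingerprint taken from the web page, so that a "Good signature" from some other key in your keyring is rejected rather than waved through, and it feeds only the SHA256SUMS line for the image you downloaded into sha256sum -c, because a plain "sha256sum -c SHA256SUMS" also tries to open every other image listed there and exits non-zero with "No such file or directory" noise even when your download is fine. The trust warning the report mentions shows up as a TRUST_UNDEFINED status line and is deliberately not treated as a failure. The GPG_KEYRING variable is this example's own; the fingerprint, status lines and image contents used to exercise it are constructed.

```shell
#!/bin/sh
# Added example, not part of the bug report or of Debian's own tooling.
# Verifies a downloaded Debian image against SHA256SUMS + SHA256SUMS.sign.
# Assumes coreutils sha256sum and gpg are installed. GPG_KEYRING is this
# example's own optional variable (e.g. /usr/share/keyrings/debian-role-keys.gpg).

# Read "gpg --status-fd 1" lines on stdin. Succeed only if the signature is
# GOODSIG and the VALIDSIG fingerprint (signing key or its primary key)
# equals the 40-hex-digit fingerprint in $1, as copied from the web page.
# TRUST_UNDEFINED (the "not certified with a trusted signature" warning)
# is expected here and is not a failure: trust comes from outside gpg.
check_gpg_status() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    good=0
    match=0
    while read -r prefix keyword rest; do
        [ "$prefix" = "[GNUPG:]" ] || continue
        case "$keyword" in
            GOODSIG) good=1 ;;
            VALIDSIG)
                # VALIDSIG <fpr> <date> <ts> <exp> <ver> <rsvd> <pk> <hash> <class> [<primary-fpr>]
                set -- $rest
                eval "primary=\${$#}"
                for fpr in "$1" "$primary"; do
                    fpr=$(printf '%s' "$fpr" | tr 'a-f' 'A-F')
                    [ "$fpr" = "$expected" ] && match=1
                done
                ;;
            BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY) return 1 ;;
        esac
    done
    [ "$good" -eq 1 ] && [ "$match" -eq 1 ]
}

# Check the image against the one SHA256SUMS line naming it, so the other
# images listed there (which were not downloaded) don't show up as errors.
verify_iso_sum() {
    sums=$1
    iso=$2
    name=$(basename "$iso")
    line=$(awk -v f="$name" '$2 == f || $2 == "*" f { print; found = 1 } END { exit !found }' "$sums") || {
        echo "no entry for $name in $sums" >&2
        return 1
    }
    (cd "$(dirname "$iso")" && printf '%s\n' "$line" | sha256sum -c - >/dev/null)
}

# Whole workflow: signature over SHA256SUMS first, then the image itself.
# $1 = expected signing-key fingerprint, $2 = path to SHA256SUMS
# (SHA256SUMS.sign is expected next to it), $3 = path to the image.
verify_debian_iso() {
    fpr=$1
    sums=$2
    iso=$3
    if [ -n "${GPG_KEYRING:-}" ]; then
        set -- --keyring "$GPG_KEYRING"
    else
        set --
    fi
    # gpg's human-readable messages stay on stderr for the user; the
    # status lines on fd 1 are what we actually make the decision on.
    gpg "$@" --status-fd 1 --verify "$sums.sign" "$sums" | check_gpg_status "$fpr" || {
        echo "signature on $sums FAILED or was made by an unexpected key" >&2
        return 1
    }
    verify_iso_sum "$sums" "$iso" || {
        echo "checksum of $iso FAILED" >&2
        return 1
    }
    echo "OK: $iso matches $sums, signed by key $fpr"
}

# Stand-alone use: sh verify.sh <fingerprint> <path/to/SHA256SUMS> <path/to/image.iso>
if [ "$#" -eq 3 ]; then
    verify_debian_iso "$1" "$2" "$3"
fi
```

On a Debian system, run it with GPG_KEYRING=/usr/share/keyrings/debian-role-keys.gpg to use the apt-installed debian-keyring package; elsewhere, import the key with gpg --recv-keys first as the report describes. Either way the fingerprint argument is what ties the check to the key published on the web page.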