Hello Debian support,
I'm quite new to open source, so learning lots, especially verifying os
downloads. I can use the SHAs and SHAs.sign in various distros, but I hit a
wall in Debian. I've read a lot on various Debian web pages like 'Verifying
authenticity of Debian CDs', and scoured the 120 page Debian Jessie manual.
https://www.debian.org/CD/verify
I understand I have to use the SHAs to check the iso image. and the .sign to
check the checksums.
I've imported one gpg key from
gpg --keyserver keyring.debian.org --recv-keys 0x673A03E4C1DB921F
But I've never found any terminal commands to use the checksums, or the signing
key.
I've only managed to check the checksums in the Debian 9.9 iso, by doing it my
Tails usb, by clicking on the properties of the iso, and then click on the
'Digests' feature. The SHA256SUMS and SHA512SUMS, are the same as the
downloaded checksums.
Unless my sonar for commands is malfunctioning, I cannot find any! If my sonar
is defunct, please tell me!
In comparison, this is how Ubuntu and Mint describe checking isos. Two
different presentations, but a novice like me can have piece of mind, that the
downloads are correct. I will not be complacent, by assuming that they are
perfect. A few times they have not been.
Two years ago Ubuntu was very confusing, but now it's educational too. Follow
the arrows to the right
https://tutorials.ubuntu.com/tutorial/tutorial-how-to-verify-ubuntu#1
Mint explains everything on one page
https://linuxmint.com/verify.php
Question 1
Please could Debian create some extra documentation on using commands to verify
Debian's isos' with SHAs and signatures?
Question 2
Is that a big ask for all the distros that Debian has available?
Being a Tails addict, I want to start using Debian.
Thank you in advance for any advice you have. I look forward to your replies.
Stefan
Sent from [ProtonMail](https://protonmail.com), Swiss-based encrypted email.