Hi Laurențiu On Mon, Apr 20, 2020 at 06:38:48PM +0200, Laurențiu Păncescu wrote: >Hello, > >I'm trying to put a preseed file on the same USB stick as the installation, >using hd-media/boot.img.gz is easier than remastering the iso. It works, but >there seems not to be any signed checksum file for these images and they are >served only over http: > >http://http.us.debian.org/debian/dists/buster/main/installer-amd64/current/images/ > >How can I check if these images are authentic? I guess I could mount a signed >CD iso like netinst, copy vmlinuz and initrd from there and create my own USB >stick with syslinux - is there a better way?
There are checksums for these in the archive (dists/buster/main/installer-amd64/current/images/SHA256SUMS etc.) and those files are themselves checksummed in the top-level buster Release file, and that's signed by Release.gpg (or via InRelease if you prefer that route). Yes, it's not very obvious... -- Steve McIntyre, Cambridge, UK. st...@einval.com "I used to be the first kid on the block wanting a cranial implant, now I want to be the first with a cranial firewall. " -- Charlie Stross
