Bug#975331: release-notes: Installation guide: No instructions for verifying image integrity after download

Holger Wansing Fri, 20 Nov 2020 16:35:04 -0800

Control: retitle -1 Installation guide: No instructions for verifying image 
integrity after download
Control: tags -1 + patch



xloem <0xl...@gmail.com> wrote:
> Package: release-notes
> Severity: important
> X-Debbugs-Cc: 0xl...@gmail.com
> 
> Dear Maintainer,
> 
> I'm pursuing installing Debian using the netboot concatenatable SD card images
> in debian/dists/bullseye/main/installer-arm64/current/images/ , and I found it
> seems very hard to verify their signatures.
> 
> I checked on irc in #debian and was referred to the documentation, but we
> discovered that instructions for this are missing from
> https://www.debian.org/releases/stable/arm64/ch04s02.en.html .
> 
> I was referred to the internals of a source package to find tools to 
> accomplish
> this very basic task.
> 
> It is important to provide a reasonable way to verify the integrity of
> installation media.

I have prepared a patch, to add a small chapter on this topic to the guide
(and correct a misleading phrase in chapter 4.2).

Patch attached.


Holger


-- 
Holger Wansing <hwans...@mailbox.org>
PGP-Fingerprint: 496A C6E8 1442 4B34 8508  3529 59F1 87CA 156E B076

>From 324f1597f64ad1badc2c468f964ec06ec7e38740 Mon Sep 17 00:00:00 2001
From: Holger Wansing <hwans...@mailbox.org>
Date: Fri, 20 Nov 2020 21:24:23 +0100
Subject: [PATCH] Add chapter about verifying integrity of installation files

---
 build/templates/docstruct.ent            |  1 +
 en/install-methods/downloading-files.xml |  4 +-
 en/install-methods/install-methods.xml   |  1 +
 en/install-methods/verifying-files.xml   | 70 ++++++++++++++++++++++++
 4 files changed, 74 insertions(+), 2 deletions(-)
 create mode 100644 en/install-methods/verifying-files.xml

diff --git a/build/templates/docstruct.ent b/build/templates/docstruct.ent
index 112c7881b..dd3e8d273 100644
--- a/build/templates/docstruct.ent
+++ b/build/templates/docstruct.ent
@@ -71,6 +71,7 @@
    <!ENTITY tftp-bootp.xml        SYSTEM "##SRCPATH##/install-methods/tftp/bootp.xml">
    <!ENTITY tftp-dhcp.xml         SYSTEM "##SRCPATH##/install-methods//tftp/dhcp.xml">
   <!ENTITY automatic-install.xml    SYSTEM "##SRCPATH##/install-methods/automatic-install.xml">
+  <!ENTITY verifying-files.xml    SYSTEM "##SRCPATH##/install-methods/verifying-files.xml">
 
 
  <!ENTITY boot-installer.xml      SYSTEM "##SRCPATH##/boot-installer/boot-installer.xml">
diff --git a/en/install-methods/downloading-files.xml b/en/install-methods/downloading-files.xml
index ad67f8f16..5ecd45eca 100644
--- a/en/install-methods/downloading-files.xml
+++ b/en/install-methods/downloading-files.xml
@@ -12,10 +12,10 @@ To find the nearest (and thus probably the fastest) mirror, see the
 </para>
 
   <sect2 id="where-files">
-  <title>Where to Find Installation Images</title>
+  <title>Where to Find Installation Files</title>
 
 <para>
-The installation images are located on each &debian; mirror in the directory
+Various installation files can be found on each &debian; mirror in the directory
 <ulink url="&url-debian-installer;images">debian/dists/&releasename;/main/installer-&architecture;/current/images/</ulink>
 &mdash; the <ulink url="&url-debian-installer;images/MANIFEST">MANIFEST</ulink>
 lists each image and its purpose.
diff --git a/en/install-methods/install-methods.xml b/en/install-methods/install-methods.xml
index 5b4710eac..e387fcb3e 100644
--- a/en/install-methods/install-methods.xml
+++ b/en/install-methods/install-methods.xml
@@ -10,5 +10,6 @@
 &boot-drive-files.xml;
 &install-tftp.xml;
 &automatic-install.xml;
+&verifying-files.xml;
 
 </chapter>
diff --git a/en/install-methods/verifying-files.xml b/en/install-methods/verifying-files.xml
new file mode 100644
index 000000000..29ff01e4d
--- /dev/null
+++ b/en/install-methods/verifying-files.xml
@@ -0,0 +1,70 @@
+<!-- retain these comments for translator revision tracking -->
+<!-- $Id$ -->
+
+ <sect1 id="verifying-files">
+ <title>Verifying the integrity of installation files</title>
+
+<para>
+
+You can verify the integrity of downloaded files against checksums
+provided in <filename>SHA256SUMS</filename> or <filename>SHA512SUMS</filename>
+files on Debian mirrors. 
+Look at the following locations, to find those checksum files:
+
+</para>
+
+<itemizedlist>
+<listitem><para>
+
+<ulink url="https://cdimage.debian.org/debian-cd/current/&architecture;/iso-cd/";>checksum
+files for CD images</ulink>,
+
+</para></listitem>
+<listitem><para>
+
+<ulink url="https://cdimage.debian.org/debian-cd/current/&architecture;/iso-dvd/";>checksum
+files for DVD images</ulink>,
+
+</para></listitem>
+<listitem><para>
+
+<ulink url="https://cdimage.debian.org/debian-cd/current/&architecture;/iso-bd/";>checksum
+files for BD images</ulink>,
+
+</para></listitem>
+<listitem><para>
+
+<ulink url="http://http.us.debian.org/debian/dists/&releasename;/main/installer-&architecture;/current/images/";>checksum
+files for other installation files</ulink>.
+
+</para></listitem>
+</itemizedlist>
+
+<para>
+
+To compute the checksum of a downloaded installation file, use
+
+<informalexample><screen>
+sha256sum filename.iso
+</screen></informalexample>
+
+respective
+
+<informalexample><screen>
+sha512sum filename.iso
+</screen></informalexample>
+
+and then compare the shown checksum against the corresponding one in the
+<filename>SHA256SUMS</filename> or <filename>SHA512SUMS</filename> file.
+
+</para><para>
+
+The <ulink url="&url-debian-cd-faq;">Debian CD FAQ</ulink> has
+<ulink url="https://www.debian.org/CD/faq/index.en.html#verify";>more useful information</ulink>
+on this topic (such as the script <filename>check_debian_iso</filename>, to semi-automate
+above procedure).
+
+
+</para>
+
+ </sect1>
-- 
2.20.1

Bug#975331: release-notes: Installation guide: No instructions for verifying image integrity after download

Reply via email to