Cannot verify integrity of Woody

Sun, 16 Dec 2001 20:15:32 -0600 

I'm a Debian newbie preparing to make the jump from Red Hat and am
running into the following immediate obstacles.  I've downloaded some
files from http://ftp.us.debian.org/debian/dists/testing/.

    # gpg --verify Release.gpg
    gpg: no signed data
    gpg: can't hash datafile: file open error
    
Okay, let's rename Release.gpg:

    # mv Release.gpg Release.sig
    # gpg --verify Release.sig 
    gpg: Signature made Sun 16 Dec 2001 01:41:06 PM PST using DSA key ID
    B8AE9B77
    gpg: Can't check signature: public key not found
    
No key?  Let's try keyring.debian.org:

    # gpg --keyserver keyring.debian.org --verify Release.sig 
    gpg: Signature made Sun 16 Dec 2001 01:41:06 PM PST using DSA key ID
    B8AE9B77
    gpg: requesting key B8AE9B77 from keyring.debian.org ...
    gpg: no valid OpenPGP data found.
    gpg: Total number processed: 0
    gpg: Can't check signature: public key not found
    
How do I verify the validity of the signature without a key?  I can't
find a key anywhere on the Debian website.  A readme file next to the
Release.gpg file which explains where the key is (or isn't) would be
very helpful.

Moving on, let's presume for the moment that 
http://ftp.us.debian.org/debian/dists/testing/Release is genuine.  I see
it contains both MD5Sum and SHA1 hashes.  This is good, because MD5 has
been broken.  But how do I verify an SHA1 hash?  I don't know what I'm
expected to use.  A search on Freshmeat turns up shasum.  Okay, I
install shasum.

    # shasum -c Release
    
Here's an excerpt from its output:

   17658 main/disks-i386/current/md5sum.txt: No such file or directory

But the file is there:

    # ls main/disks-i386/current/md5sum.txt
    main/disks-i386/current/md5sum.txt
    
Alright, let's do it manually:

    # shasum main/disks-i386/current/md5sum.txt 
    3e3b7c8e849126da7095a93249946e6153ead8ec 
    main/disks-i386/current/md5sum.txt
    # grep main/disks-i386/current/md5sum.txt Release
     a7310d89b38926b676db36462e78d1d5            17658
    main/disks-i386/current/md5sum.txt
     926a4a4bda00d568f5e4df73b0bead421eeaceed    17658
    main/disks-i386/current/md5sum.txt
    
Oops!  They don't match!  Let's try md5sum just to make sure there's
nothing obviously wrong going on here:

    # md5sum main/disks-i386/current/md5sum.txt 
    a7310d89b38926b676db36462e78d1d5  main/disks-i386/current/md5sum.txt
    
That does match (but MD5 cannot be trusted).

So you see, I haven't gotten very far installing Woody.  :-(

What should I do?

Neologism

Reply via email to