Hi,

Chris XX wrote:
> I was trying to verify the authenticity of Debian CDs on your website, but I
> don't see instructions that will guide me through the process
> (step-by-step).
(We are the users. But some Debian Developers are watching, too.)

Obviously there is a gap between checksum file verification and .iso
image verification.

Let's first look at the files offered for download:

  https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/

has among others

  SHA512SUMS.sign
  SHA512SUMS
  debian-9.8.0-amd64-netinst.iso

> https://www.debian.org/CD/verify

This publishes the key "fingerprints" by which you can recognize
authentic pairs of SHA512SUMS.sign and SHA512SUMS.
It points to

  https://keyring.debian.org/

where you probably shall learn how to obtain the keys in question,
namely by the shell commands

  gpg --keyserver keyring.debian.org --recv-keys 64E6EA7D
  gpg --keyserver keyring.debian.org --recv-keys 6294BE9B
  gpg --keyserver keyring.debian.org --recv-keys 09EA8AC3

Experienced users of gpg would know that one can check authenticity by

  gpg --verify SHA512SUMS.sign SHA512SUMS

which should say something like

  gpg: Signature made Sun 17 Feb 2019 04:10:30 PM CET using RSA key ID 6294BE9B
  gpg: Good signature from "Debian CD signing key <debian...@lists.debian.org>"
  gpg: WARNING: This key is not certified with a trusted signature!
  gpg:          There is no indication that the signature belongs to the owner.
  Primary key fingerprint: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B

The reported fingerprint must be one of the published fingerprints,
or else something is fishy. Here it is the Debian one of 2011-01-05.
I.e. all is well so far.

If you change some character in SHA512SUMS and run the above command
again, then you will see

  gpg: Signature made Sun 17 Feb 2019 04:10:30 PM CET using RSA key ID 6294BE9B
  gpg: BAD signature from "Debian CD signing key <debian...@lists.debian.org>"

So you can trust the content of SHA512SUMS, if gpg --verify says it is
good and if the key fingerprint matches one of the Debian fingerprints.
Now you have to follow the tiny link "faq" at the bottom to

  https://www.debian.org/CD/faq/

where you hop to

  https://www.debian.org/CD/faq/#verify

Between the lines you read that there is a text line in SHA512SUMS which
shows the name of the .iso file which you actually want to verify:

  cc4a6bd50925c1c4af98049060e304494bc9da61eb5eb272c556d67608de14d4e6a4b8bc1c9412a0f810083912e228569f3771ffffa7174538f3e26f45a05245  debian-9.8.0-amd64-netinst.iso

More explicit is the hint to use the program "sha512sum". A run of

  sha512sum debian-9.8.0-amd64-netinst.iso

puts out

  cc4a6bd50925c1c4af98049060e304494bc9da61eb5eb272c556d67608de14d4e6a4b8bc1c9412a0f810083912e228569f3771ffffa7174538f3e26f45a05245  debian-9.8.0-amd64-netinst.iso

which you should compare with the line in SHA512SUMS.

Alternatively you could run

  sha512sum --check SHA512SUMS 2>/dev/null

to get

  debian-9.8.0-amd64-netinst.iso: OK
  debian-9.8.0-amd64-xfce-CD-1.iso: FAILED open or read
  debian-mac-9.8.0-amd64-netinst.iso: FAILED open or read

Or you could download

  https://people.debian.org/~danchev/debian-iso/check_debian_iso

and run

  chmod u+x ./check_debian_iso
  ./check_debian_iso SHA512SUMS debian-9.8.0-amd64-netinst.iso

to get

  Piping 149504 blocks of 'debian-9.8.0-amd64-netinst.iso' through 'sha512sum' to verify checksum list item 'debian-9.8.0-amd64-netinst.iso'.
  149504+0 records in
  149504+0 records out
  306184192 bytes (306 MB) copied, 0.882765 s, 347 MB/s
  Ok: 'debian-9.8.0-amd64-netinst.iso' matches 'debian-9.8.0-amd64-netinst.iso' in 'SHA512SUMS'

Now let's see what happens if a single byte is altered in the .iso:

  dd if=/dev/zero bs=1 count=1 conv=notrunc seek=511 of=debian-9.8.0-amd64-netinst.iso

Now the proposed verifier runs yield:

  0b0a75b8a0c8dc05a4b43273e44d7b5e3b0ecec6d9b4e1c88a95d9c886cba5ae0dbeb4b7a5a3016106096a9071572b9a3d8b54dd91a50abce15f713fa22ff229  debian-9.8.0-amd64-netinst.iso

which does obviously not match the line in SHA512SUMS, or

  debian-9.8.0-amd64-netinst.iso: FAILED
  ...

or

  ...
  Found:    0b0a75b8a0c8dc05a4b43273e44d7b5e3b0ecec6d9b4e1c88a95d9c886cba5ae0dbeb4b7a5a3016106096a9071572b9a3d8b54dd91a50abce15f713fa22ff229
  Expected: cc4a6bd50925c1c4af98049060e304494bc9da61eb5eb272c556d67608de14d4e6a4b8bc1c9412a0f810083912e228569f3771ffffa7174538f3e26f45a05245
  MISMATCH: 'debian-9.8.0-amd64-netinst.iso' checksum differs from 'debian-9.8.0-amd64-netinst.iso' in 'SHA512SUMS'

So you know that the checksumers really detect nearly all damages of
debian-9.8.0-amd64-netinst.iso.

--------------------------------------------------------------------------

@ Steve McIntyre (maintainer of debian-cd):

Do you agree with the instructions above ?
Is there a consolidated wiki page with such instructions which I failed to find ?
If not: shall we make such a page ?

Have a nice day :)

Thomas
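Added example (not code from the post, nor Debian's check_debian_iso): a Python script that chains the two halves of the procedure described above. It only trusts SHA512SUMS when gpg reports a good signature AND the primary key fingerprint, read from gpg's machine-readable --status-fd output instead of the human-readable text, is one of the published ones; then it streams the one downloaded .iso through SHA-512 and compares it with its line. The TRUSTED_FINGERPRINTS set holds just the 2011-01-05 fingerprint quoted above; the assumption is that the reader adds the other fingerprints from the verify page.

```python
import hashlib
import subprocess
import sys
# 2011-01-05 Debian CD signing key fingerprint quoted above; the other
# published ones (https://www.debian.org/CD/verify) are assumed added here.
TRUSTED_FINGERPRINTS = {"DF9B9C49EAA9298432589D76DA87E80D6294BE9B"}

def signature_is_trusted(status_lines, trusted=TRUSTED_FINGERPRINTS):
    """Parse 'gpg --status-fd 1 --verify' output. 'Good signature' alone
    is not enough: the primary key fingerprint must be a published one."""
    good, fpr = False, None
    for line in status_lines:
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] == "GOODSIG":
            good = True
        elif fields[1] == "VALIDSIG":
            fpr = fields[-1].upper()  # last field: primary key fingerprint
    return good and fpr in trusted

def expected_digest(sums_text, filename):
    """Hex digest listed for `filename` in SHA512SUMS, or None."""
    for line in sums_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].lstrip("*") == filename:
            return parts[0].lower()
    return None

def sha512_of_file(path, chunk=1 << 20):
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)  # streamed: a 306 MB .iso never sits in memory
    return h.hexdigest()

def iso_matches(sums_text, iso_path):
    want = expected_digest(sums_text, iso_path.rsplit("/", 1)[-1])
    return want is not None and want == sha512_of_file(iso_path)

if __name__ == "__main__":  # usage: verify.py SHA512SUMS debian-....iso
    sums_path, iso_path = sys.argv[1], sys.argv[2]
    gpg = subprocess.run(["gpg", "--status-fd", "1", "--verify",
                          sums_path + ".sign", sums_path],
                         capture_output=True, text=True)
    if not signature_is_trusted(gpg.stdout.splitlines()):
        sys.exit("SHA512SUMS: bad signature or not a published Debian key")
    ok = iso_matches(open(sums_path).read(), iso_path)
    print(iso_path + (": OK" if ok else ": MISMATCH"))
    sys.exit(0 if ok else 1)
```

Like the dd experiment above, flipping one byte of the .iso makes iso_matches() return False; a key that gpg accepts but whose fingerprint is not in the set is likewise rejected rather than reported as "Good signature".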