Hi Thomas,

Here's some feedback while looking at things from 10,000 feet. There are several problems with processes and documentation.

On Wed, Nov 16, 2022 at 3:14 AM Thomas Schmitt <scdbac...@gmx.net> wrote:
>
> Thomas George wrote:
> > I am going to erase every thing I have done and start over.
>
> There's no need for starting over. The SHA512SUM file is meanwhile
> authenticated by your run of:
>
> > > gpg2 --verify SHA512SUMS.sign SHA512SUMS
> > > [...]
> > > gpg: Good signature from "Debian CD signing key
> > > <debian...@lists.debian.org>" [unknown]
> > > [...]
> > > ...gpg: WARNING: This key is not certified with a trusted signature!
> > > ......There is no indication that the signature belongs to the owner
> > > ...Primary key fingerprint: DF9B9C49EAA9298432589D76DA87E80D6294BE9B
>
> The warning is normal with the Debian keys and can be ignored.

This is a security usability problem. How is a non-expert to know that this warning can be ignored, while others must be tended to? (The answer is, the non-expert does not know. The system needs to be fixed to accommodate the user. The user should not have to accommodate the system).

> Important is the key fingerprint, which is published on
> https://www.debian.org/CD/verify

From the page:

To ensure that the checksums files themselves are correct, use GnuPG to verify them against the accompanying signature files (e.g. SHA512SUMS.sign).

The page does not provide a prescriptive recipe on how to do what it says to do. The documentation should include a prescriptive recipe. A prescriptive recipe lays out the exact steps a user should perform, similar to what you're doing in this email.

> Key fingerprint = DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B
>
> I would leave it to copy+paste and the computer to compare the strings.
> Remove the blanks from the published number:
>
>   echo "DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B" | sed -e 's/ //g'

Something needs to be fixed here. The user should be able to use that string as presented. I don't know where the problem lies (GnuPG maybe?), but whatever verifies the signature should consume that representation since it is a common representation.

> which will respond by
>
>   DF9B9C49EAA9298432589D76DA87E80D6294BE9B
>
> Copy+paste the result and the string reported by gpg --verify to a
> comparison command:
>
>   test DF9B9C49EAA9298432589D76DA87E80D6294BE9B = DF9B9C49EAA9298432589D76DA87E80D6294BE9B && echo MATCH
>
> which responds by
>
>   MATCH
>
> ----------------------------------------------------------------------
>
> So now you only have to verify the SHA512 checksum of the ISO by
>
>   sha512sum -c SHA512SUMS
>
> and watching out for the response
>
>   debian-11.5.0-amd64-netinst.iso: OK

One last thought... https://www.debian.org/CD/verify should probably be moved to the wiki. The page would already be updated if the world could edit it. (I can say that as a fact since I would have already modified it). As a static web page, it is bit-rotting because only the Debian webmaster can edit it.

Jeff
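
Added example, not part of the thread or of Debian's documentation: the steps quoted above as one script, which accepts the fingerprint with its blanks as published and reads the signer's fingerprint from gpg's machine-readable `--status-fd` output instead of copy+paste. The function names and the sample status lines are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the thread or from Debian's documentation.

# Fingerprint exactly as published on https://www.debian.org/CD/verify.
PUBLISHED_FPR="DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B"

# Constructed sample of gpg status output (dates and algorithm ids made up).
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG DA87E80D6294BE9B Debian CD signing key
[GNUPG:] VALIDSIG DF9B9C49EAA9298432589D76DA87E80D6294BE9B 2022-09-10 1662811200 0 4 0 1 10 00 DF9B9C49EAA9298432589D76DA87E80D6294BE9B'

# Drop whitespace and upper-case, so the spaced form can be used as published.
normalize_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr 'a-f' 'A-F'
}

# stdin: gpg status lines. Prints the primary key fingerprint from VALIDSIG
# (field 12; falls back to the signing key fingerprint in field 3).
primary_fpr_from_status() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print (NF >= 12 ? $12 : $3); exit }'
}

# Succeeds only if the status text reports a valid signature by the expected key.
status_matches() {   # $1 = status text, $2 = expected fingerprint (any spacing)
    got=$(printf '%s\n' "$1" | primary_fpr_from_status)
    [ -n "$got" ] && [ "$got" = "$(normalize_fpr "$2")" ]
}

# Full check: signature on the checksum file, signer fingerprint, then the ISO.
verify_sums() {      # $1 = SHA512SUMS.sign, $2 = SHA512SUMS
    status=$(gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null) || return 1
    status_matches "$status" "$PUBLISHED_FPR" || return 1
    # --ignore-missing: SHA512SUMS lists images that were not downloaded.
    sha512sum --ignore-missing -c "$2"
}

# Run as: sh verify.sh SHA512SUMS.sign SHA512SUMS
if [ "$#" -eq 2 ]; then
    verify_sums "$1" "$2" && echo "VERIFIED"
fi
```

Run it from the directory that holds the ISO, since `sha512sum -c` resolves the file names listed in SHA512SUMS relative to the current directory.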