Hi,
On 02/09/24 at 22:32, Thomas Schmitt wrote:
Hi,
Franco Martelli wrote:
What you wrote in that section is so searched/wanted by newcomers that
it's a pity that it's published as a section in "XorrisoDdTarget".
Actually it is not the first time that i felt the urge to describe the
SHA and PGP verification:
https://wiki.debian.org/JigdoOnLive#Verify_the_Debian_Live_download
consider moving that to a new wiki page with a title that
sounds like: "Verify authenticity of a Debian downloaded ISO image".
I'm not against that idea.
You could even get a wiki account
https://wiki.debian.org/DebianWiki/EditorQuickStart#Account
and do it on your own.
I already have an account on the Debian wiki, but I never created a new
page, so for me it is a new thing to do, probably I'd have to
experiment a lot.
But i think there are some issues to address:
- How to generally advertise this page ?
- How to name it ?
- How to address all the stuff which is in
https://www.debian.org/CD/faq/#verify
and to which i pointed only briefly ?
I think it is not good to send readers around in the web.
Much better i'd like it all in one text (wearing my noob hat).
Max has already answered properly in the previous post and I agree with him.
So wouldn't it be better to start a petition at debian-cd mailing list
for an augmented https://www.debian.org/CD/faq/#verify ?
To my mind comes:
- Mention "USB keys" already in the section title.
- Replace "Detailed information ... authenticity verification page."
by the last part of my new section: "PGP verification ...".
(The current authenticity verification page is unsuitable for noobs.)
I'd prefer a wiki page, so users can easily change/update it and
fill it with useful information.
- Add an example like
$ grep -F debian-12.7.0-amd64-netinst.iso SHA512SUMS | sha512sum -c -
debian-12.7.0-amd64-netinst.iso: OK
$
to "Checksums of the downloaded ... "sha256sum"."
(We don't want to show deprecated "fgrep" to noobs. Of course i
continue to use it at home.)
The command line I use is:
~$ sha512sum --ignore-missing -c SHA512SUMS
no need to use "grep", since the "sha512sum" command looks in the
current working directory for the files listed in SHA512SUMS and
calculates the checksum automatically.
- Add a new section about /md5sum.txt of the ISO.
"How to find the altered files in case of no match"
Derived from my text
"If the verification attempt yields a non-matching checksum ...
- Augment
" $ dd if=<device> count=<sector count> bs=<sector size> | sha512sum
* The computed checksum is to be compared ... SHA256SUMS, etc)."
By an example how to compare the computed checksum with the one in
the SHA512SUMS file.
I currently can only propose
$ grep -F $(dd if=/dev/sdc count=323072 bs=2048 2>/dev/null | \
sha512sum | awk '{print $1}') SHA512SUMS \
|| echo "NO MATCH !"
which would yield
e0bd9ba03084a6fd42413b425a2d20e3731678a31fe5fb2cc84f79332129afca2ad4ec897b4224d6a833afaf28a5d938b0fe5d680983182944162c6825b135ce
debian-12.7.0-amd64-netinst.iso
or
NO MATCH !
But the command and the positive answer are quite ugly.
(I could get "OK. MATCH." by "if ... then ... else ... fi" which would
be a nice script but an extra ugly command line.)
Ideas for a more elegant way would be appreciated.
Is it really necessary to verify the data written on the device?
Wouldn't it be better to focus on verifying the correctness and authenticity
of a downloaded ISO? Wouldn't that be enough? In which circumstances is
it necessary?
Thanks
--
Franco Martelli
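
The device-versus-SHA512SUMS comparison discussed above, wrapped in a shell function with a plain "OK" / "NO MATCH" answer. This is an added example, not code from either participant or from Debian; the function name verify_written_image is hypothetical, and it assumes the sector count and sector size of the ISO are already known.

```shell
#!/bin/sh
# Added example: compare the first COUNT sectors of a device (or file)
# with the entries of a checksum list such as SHA512SUMS.
# verify_written_image is a hypothetical helper name, not a Debian tool.
#
# usage: verify_written_image <device> <sector count> <sector size> <sums file>
#   e.g. verify_written_image /dev/sdc 323072 2048 SHA512SUMS
# returns 0 and prints "<name>: OK" on a match,
#         1 and prints "NO MATCH" if no entry has the computed checksum,
#         2 if the device or the checksum list cannot be read.
verify_written_image() {
    dev=$1 count=$2 bs=$3 sums=$4

    # Without this check a failing dd would feed empty input to sha512sum,
    # which still prints a well-formed (but meaningless) checksum.
    if [ ! -r "$dev" ] || [ ! -r "$sums" ]; then
        echo "cannot read $dev or $sums" >&2
        return 2
    fi

    # Hash only the area the ISO occupies; the device is normally larger.
    computed=$(dd if="$dev" count="$count" bs="$bs" 2>/dev/null |
               sha512sum | awk '{print $1}')

    # Exact match on the checksum column, forced to a string comparison.
    # Prints the file name of the first matching entry (a leading '*',
    # used by sha512sum for binary mode, is dropped).
    # Assumption: file names in the list contain no whitespace.
    name=$(awk -v h="$computed" \
        '($1 "") == (h "") { sub(/^\*/, "", $2); print $2; exit }' "$sums")

    if [ -n "$name" ]; then
        echo "$name: OK"
        return 0
    fi
    echo "NO MATCH"
    return 1
}
```

A match only shows that the device content equals a file listed in SHA512SUMS; the authenticity of SHA512SUMS itself still depends on the PGP verification discussed in the thread.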