
Re: Verifying authenticity of Debian CDs




On 4/5/19, Chris XX <1swansboro@xxxxxxxxx> wrote:
> I was trying to Verify the authenticity of Debian CDs on your website, but
> I don't see instructions that will guide me through the process
> (step-by-step).
>
> Can you help and/or fix?
> Thanks, Chris
>
> P.S.  this was the site I got stuck on:
> https://www.debian.org/CD/verify
>
> There is a lot of information, but no clear guidance. For example, do I
> install Debian first then look somewhere for the *"fingerprints"*
>
> I don't understand the use of this tool: *"you should use the tools
> sha256sum or sha512sum to work with these."*

I'm the wrong person to explain verifying signatures, so I'll skip all
that & go with

- download the iso file
- download the SHA256SUM file
- compute the checksum of the downloaded file & compare to what's in
the SHA256SUM file.  If they match you've verified the download.

So let's pretend you started from
  https://cdimage.debian.org/debian-cd/current/i386/iso-cd/

and downloaded
  debian-9.8.0-i386-netinst.iso
You also need to download the SHA256SUMS file

If you're on Windows, compute the checksum by doing
  certutil -hashfile debian-9.8.0-i386-netinst.iso SHA256
and compare that to
  8156cc4ce7a06facf69d4f7161f89431a794cdaba8e2b4eb91b2c43a302e4614
(the checksum listed in the SHA256SUMS file)

If you're already on Debian you've got the sha256sum program, so do
  sha256sum debian-9.8.0-i386-netinst.iso
and compare the output to the checksum in SHA256SUMS file

Regards,
Lee
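
An added example, not part of the original message: the download-and-compare steps above as a shell function that looks up the file's line in SHA256SUMS instead of comparing the hashes by eye. Like those steps, it only checks the checksum and does not verify the signature on SHA256SUMS. The names verify_download and demo are hypothetical, the demo data is constructed, and filenames are assumed to contain no spaces.

```shell
#!/bin/sh
# verify_download FILE SUMSFILE  (hypothetical helper, not a Debian tool)
# Returns 0 = checksum matches, 1 = mismatch,
#         2 = FILE or SUMSFILE unreadable, or FILE not listed in SUMSFILE.
verify_download() {
    file=$1
    sums=$2
    [ -r "$file" ] && [ -r "$sums" ] || return 2
    name=$(basename "$file")
    # Each line is "<hex digest>  <filename>"; a "*" before the name marks
    # binary mode. Match the filename field exactly, not as a substring,
    # so "x.iso" never picks up the line for "x.iso.old".
    expected=$(awk -v n="$name" \
        '{ f = $2; sub(/^\*/, "", f) } f == n { print tolower($1); exit }' \
        "$sums")
    [ -n "$expected" ] || return 2
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# Constructed demo: a small stand-in file is used instead of a real ISO.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'constructed sample data\n' > "$dir/sample.iso"
    (cd "$dir" && sha256sum sample.iso > SHA256SUMS)

    ok=0;      verify_download "$dir/sample.iso" "$dir/SHA256SUMS" || ok=$?
    # Simulate a corrupted or altered download.
    printf 'tampered\n' >> "$dir/sample.iso"
    bad=0;     verify_download "$dir/sample.iso" "$dir/SHA256SUMS" || bad=$?
    # A file that has no line in SHA256SUMS.
    missing=0; verify_download "$dir/SHA256SUMS" "$dir/SHA256SUMS" || missing=$?

    rm -rf "$dir"
    echo "$ok $bad $missing"
}

demo   # prints "0 1 2"
```

With a real download the call would be: verify_download debian-9.8.0-i386-netinst.iso SHA256SUMS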