Re: Verifying authenticity of Debian CDs

On 4/5/19, Chris XX <1swansboro@xxxxxxxxx> wrote:
> I was trying to Verify the authenticity of Debian CDs on your website, but
> I don't see instructions that will guide me through the process
> (step-by-step).
> Can you help and/or fix?
> Thanks, Chris
> P.S.  this was the site I got stuck on:
> https://www.debian.org/CD/verify
> There is a lot of information, but no clear guidance. For example, do I
> install Debian first then look somewhere for the *"fingerprints"*?
> I don't understand the use of this tool: *"you should use the tools
> sha256sum or sha512sum to work with these."*

I'm the wrong person to explain verifying signatures, so I'll skip all
that & go with

- download the iso file
- download the SHA256SUM file
- compute the checksum of the downloaded file & compare to what's in
the SHA256SUM file.  If they match you've verified the download.

So let's pretend you started from

and downloaded
You also need to download the SHA256SUMS file

If you're on Windows, compute the checksum by doing
  certutil -hashfile debian-9.8.0-i386-netinst.iso SHA256
and compare that to
(the checksum listed in the SHA256SUMS file)

If you're already on Debian you've got the sha256sum program, so do
  sha256sum debian-9.8.0-i386-netinst.iso
and compare the output to the checksum in the SHA256SUMS file.
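
The compare step from the reply above can be scripted rather than done by eye. This is an added example, not part of the original message: the function names `expected_sum` and `verify_iso` are hypothetical, and it assumes the `sha256sum` program and file names without spaces. It covers only the checksum comparison and does not check the signature on the SHA256SUMS file, which the reply skips.

```shell
#!/bin/sh
# Added example: compare an ISO's SHA-256 with its entry in a SHA256SUMS file.
# verify_iso ISO SUMS returns 0 on match, 1 on mismatch,
# 2 if a file is unreadable or SUMS has no entry for that ISO name.

expected_sum() {
    # Lines in SHA256SUMS look like "<64 hex digits>  <file name>".
    # sha256sum writes "*" before the name in binary mode; accept both forms.
    awk -v name="$1" '
        { f = $2; sub(/^\*/, "", f) }
        f == name { print tolower($1); exit }
    ' "$2"
}

verify_iso() {
    iso=$1
    sums=$2
    [ -r "$iso" ] && [ -r "$sums" ] || {
        echo "cannot read $iso or $sums" >&2
        return 2
    }
    # Look the file up by base name so the ISO may live in another directory.
    want=$(expected_sum "$(basename "$iso")" "$sums")
    [ -n "$want" ] || {
        echo "no entry for $(basename "$iso") in $sums" >&2
        return 2
    }
    got=$(sha256sum "$iso" | awk '{ print $1 }')
    if [ "$got" = "$want" ]; then
        echo "OK: $iso matches the checksum in $sums"
        return 0
    fi
    echo "MISMATCH: $iso" >&2
    echo "  expected $want" >&2
    echo "  computed $got" >&2
    return 1
}

# Usage, with the file name from the message above:
#   verify_iso debian-9.8.0-i386-netinst.iso SHA256SUMS
```

A return value of 2 means the check could not be made at all (wrong SHA256SUMS file or wrong file name), which is a different situation from a corrupted or altered download.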