
Re: Verifying authenticity of Debian CDs




On 4/11/2019 6:35 PM, Default User wrote:
> On Fri, Apr 5, 2019, 18:06 Thomas Schmitt <scdbackup@xxxxxxx> wrote:
>
>> Hi,
>>
>> Chris XX wrote:
>>> I was trying to verify the authenticity of Debian CDs on your website,
>>> but I don't see instructions that will guide me through the process
>>> (step-by-step).
>>
>> (We are the users. But some Debian Developers are watching, too.)
>>
>> Obviously there is a gap between checksum file verification and .iso image
>> verification.
>>
>> Let's first look at the files offered for download:
>>   https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/
>> has among others
>>
>>   SHA512SUMS.sign
>>   SHA512SUMS
>>   debian-9.8.0-amd64-netinst.iso
>>
>>> https://www.debian.org/CD/verify
>>
>> This publishes the key "fingerprints" by which you can recognize authentic
>> pairs of SHA512SUMS.sign and SHA512SUMS.
>>
>> It points to
>>   https://keyring.debian.org/
>> where you probably shall learn how to obtain the keys in question,
>> namely by the shell commands
>>
>>   gpg --keyserver keyring.debian.org --recv-keys 64E6EA7D
>>   gpg --keyserver keyring.debian.org --recv-keys 6294BE9B
>>   gpg --keyserver keyring.debian.org --recv-keys 09EA8AC3
>>
>> Experienced users of gpg would know that one can check authenticity by
>>
>>   gpg --verify SHA512SUMS.sign SHA512SUMS
>>
>> which should say something like
>>
>>   gpg: Signature made Sun 17 Feb 2019 04:10:30 PM CET using RSA key ID 6294BE9B
>>   gpg: Good signature from "Debian CD signing key <debian-cd@xxxxxxxxxxxxxxxx>"
>>   gpg: WARNING: This key is not certified with a trusted signature!
>>   gpg:          There is no indication that the signature belongs to the owner.
>>   Primary key fingerprint: DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B
>>
>> The reported fingerprint must be one of the published fingerprints,
>> or else something is fishy.
>> Here it is the Debian one of 2011-01-05. I.e. all is well so far.
>>
>> If you change some character in SHA512SUMS and run above command again
>> then you will see
>>
>>   gpg: Signature made Sun 17 Feb 2019 04:10:30 PM CET using RSA key ID 6294BE9B
>>   gpg: BAD signature from "Debian CD signing key <debian-cd@xxxxxxxxxxxxxxxx>"
>>
>>
>> So you can trust the content of SHA512SUMS, if gpg --verify says it is
>> good and if the key fingerprint matches one of the Debian fingerprints.
>>
>> Now you have to follow the tiny link "faq" at the bottom to
>>   https://www.debian.org/CD/faq/
>> where you hop to
>>   https://www.debian.org/CD/faq/#verify
>>
>> Between the lines you read that there is a text line in SHA512SUMS which
>> shows the name of the .iso file which you actually want to verify:
>>
>>   cc4a6bd50925c1c4af98049060e304494bc9da61eb5eb272c556d67608de14d4e6a4b8bc1c9412a0f810083912e228569f3771ffffa7174538f3e26f45a05245  debian-9.8.0-amd64-netinst.iso
>>
>> More explicit is the hint to use program "sha512sum". A run of
>>
>>   sha512sum debian-9.8.0-amd64-netinst.iso
>>
>> puts out
>>
>>   cc4a6bd50925c1c4af98049060e304494bc9da61eb5eb272c556d67608de14d4e6a4b8bc1c9412a0f810083912e228569f3771ffffa7174538f3e26f45a05245  debian-9.8.0-amd64-netinst.iso
>>
>> which you should compare with the line in SHA512SUMS.
>>
>> Alternatively you could run
>>
>>   sha512sum --check SHA512SUMS 2>/dev/null
>>
The STDERR redirection to the null device could be avoided by using
'--ignore-missing'.

$ sha512sum -c --ignore-missing <CHECKSUM-FILE>

The '--strict' option could also be used.


"The following five options are useful only when verifying checksums:
...
      --ignore-missing  don't fail or report status for missing files
...
      --strict         exit non-zero for improperly formatted checksum lines
..."

--
John Doe
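The two-step procedure discussed in this thread (first confirm that the signature on SHA512SUMS is good and was made by a key whose fingerprint is on the published list, then check the downloaded image against SHA512SUMS with the sha512sum options mentioned above), written out as shell functions. This is an added example, not code from the thread, from Debian or from the people quoted. Assumptions: the gpg status lines and the fixture files are constructed test data (the fixture "image" is a small text file standing in for the .iso); the allow list contains only the Debian CD signing key fingerprint quoted in the thread, and the real list comes from https://www.debian.org/CD/verify; sha512sum is GNU coreutils recent enough to have --ignore-missing. The gpg parsing works on the machine-readable output of `gpg --status-fd 1 --verify`, which is the form to use in a script instead of matching the human-readable "Good signature" text.

```shell
#!/bin/bash
# Added example (not code from the thread): the verification steps described
# above as shell functions. Test data below is constructed; the one
# fingerprint in the allow list is the Debian CD signing key quoted above.
set -u

# Fingerprints copied from https://www.debian.org/CD/verify (only the one
# quoted in the thread is listed here; add the others from that page).
TRUSTED_FPRS="DF9B9C49EAA9298432589D76DA87E80D6294BE9B"

# "gpg --verify" exiting 0 only proves that *some* key in your keyring made
# the signature, so the fingerprint must be compared against the published
# list explicitly. Accepts the spaced form gpg prints; returns 0 if trusted.
fpr_is_trusted() {
    local fpr t
    fpr=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    for t in $TRUSTED_FPRS; do
        [ "$fpr" = "$t" ] && return 0
    done
    return 1
}

# Parse gpg's machine-readable status lines, i.e. the output of
#   gpg --status-fd 1 --verify SHA512SUMS.sign SHA512SUMS
# VALIDSIG's last field is the primary key fingerprint. BADSIG/ERRSIG, or a
# signature by an expired or revoked key, must not be accepted.
# Prints the fingerprint; returns 0 only for a clean VALIDSIG.
fpr_from_status() {
    awk '/^\[GNUPG:\] VALIDSIG / { print $NF; ok = 1 }
         /^\[GNUPG:\] (BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG) / { bad = 1 }
         END { if (ok && !bad) exit 0; exit 1 }'
}

# Constructed sample status output for a good and for a bad signature.
# TRUST_UNDEFINED is the status-line form of the "This key is not certified"
# warning: expected unless you certified the key yourself, and exactly why
# the fingerprint comparison above is needed.
STATUS_GOOD='[GNUPG:] GOODSIG DA87E80D6294BE9B Debian CD signing key
[GNUPG:] VALIDSIG DF9B9C49EAA9298432589D76DA87E80D6294BE9B 2019-02-17 1550416230 0 4 0 1 10 01 DF9B9C49EAA9298432589D76DA87E80D6294BE9B
[GNUPG:] TRUST_UNDEFINED 0 pgp'
STATUS_BAD='[GNUPG:] BADSIG DA87E80D6294BE9B Debian CD signing key'

# Step 2: check the image against the now-trusted SHA512SUMS.
# --ignore-missing skips the images you did not download instead of
# reporting "No such file" and failing; --strict turns a malformed checksum
# line into an error instead of a warning. Exit status is sha512sum's own.
verify_sums() {   # usage: verify_sums DIR [--strict]
    local dir="$1"; shift
    (cd "$dir" && sha512sum --check --ignore-missing "$@" SHA512SUMS)
}

# Constructed fixture: a stand-in image plus a SHA512SUMS that also lists an
# image that was never downloaded (as the real file lists every image).
make_fixture() {
    local dir
    dir=$(mktemp -d)
    printf 'stand-in for the .iso\n' > "$dir/debian-example-netinst.iso"
    printf 'another image\n' > "$dir/other.iso"
    (cd "$dir" && sha512sum debian-example-netinst.iso other.iso > SHA512SUMS)
    rm "$dir/other.iso"
    printf '%s\n' "$dir"
}

# Any change to the image (or to SHA512SUMS) must turn OK into FAILED.
tamper_image() {
    printf 'x' >> "$1/debian-example-netinst.iso"
}

main() {
    local fpr d
    fpr=$(printf '%s\n' "$STATUS_GOOD" | fpr_from_status) || { echo "bad signature"; exit 1; }
    fpr_is_trusted "$fpr" || { echo "signature by unknown key $fpr"; exit 1; }
    echo "SHA512SUMS signed by trusted key $fpr"
    d=$(make_fixture)
    verify_sums "$d" --strict && echo "image OK"
    tamper_image "$d"
    verify_sums "$d" --strict || echo "image FAILED (modified after download)"
    rm -rf "$d"
}
main
```

The order matters: the fingerprint check comes before any use of SHA512SUMS, because a SHA512SUMS that merely verifies against some key is no better than an unsigned one. Without --strict, sha512sum still exits 0 when SHA512SUMS contains a garbled line as long as the lines it could parse match, so a truncated or corrupted checksum file can pass silently; with --strict it does not.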