Web lists-archives.com

Verifying Debian 9.9 with SHA and SHA.signatures

Hello Debian support,

I'm quite new to open source, so learning lots, especially verifying os downloads. I can use the SHAs and SHAs.sign in various distros, but I hit a wall in Debian. I've read a lot on various Debian web pages like 'Verifying authenticity of Debian CDs', and scoured the 120 page Debian Jessie manual.


I understand I have to use the SHAs to check the iso image. and the .sign to check the checksums.

I've imported one gpg key from

gpg --keyserver keyring.debian.org --recv-keys 0x673A03E4C1DB921F

But I've never found any terminal commands to use the checksums, or the signing key.
I've only managed to check the checksums in the Debian 9.9 iso, by doing it my Tails usb, by clicking on the properties of the iso, and then click on the 'Digests' feature. The SHA256SUMS and SHA512SUMS, are the same as the downloaded checksums.

Unless my sonar for commands is malfunctioning, I cannot find any! If my sonar is defunct, please tell me!

In comparison, this is how Ubuntu and Mint describe checking isos. Two different presentations, but a novice like me can have piece of mind, that the downloads are correct. I will not be complacent, by assuming that they are perfect. A few times they have not been.

Two years ago Ubuntu was very confusing, but now it's educational too. Follow the arrows to the right....


Mint explains everything on one page....


Question 1

Please could Debian create some extra documentation on using commands to verify Debian's isos' with SHAs and signatures?

Question 2

Is that a big ask for all the distros that Debian has available?

Being a Tails addict, I want to start using Debian.

Thank you in advance for any advice you have. I look forward to your replies.


Sent from ProtonMail, Swiss-based encrypted email.