13

I recently downloaded Debian 7.5.0 Wheezy and managed to use the Release.sig signature to verify the integrity of the Release checksum file using GPG4Win. Unfortunately, I couldn't find any advice on where to find the md5/SHA1/SHA256 checksum inside the Release file to verify that the ISO is correct/hasn't been corrupted/manipulated. Couldn't find any help regarding this specific problem on the support sites either. I am using Windows 7 if this is relevant.

Edit: The name of my ISO file is "debian-7.5.0-amd64-netinst". Other versions can be found here (ftp://cdimage.debian.org/cdimage/release/7.5.0-live/amd64/iso-hybrid/) and offer an easier way to verify the integrity because of this file: ftp://cdimage.debian.org/cdimage/release/7.5.0-live/amd64/iso-hybrid/SHA256SUMS. I need to find something like this in the Release file I verified.

peterh
  • 9,488
  • 16
  • 59
  • 88
user295031
  • 131
  • 1
  • 2
  • 5
  • Is there anybody who can help me with this? As this seems to be a very complicated way of verifying the integrity, I'm hoping for someone with more experience than I have to answer this question. – user295031 Jun 23 '14 at 14:39
  • What is the directory from which you downloaded your file? Personally, I would not worry about checking the integrity of that file. If there is something wrong with it, that will be apparent pdq. – Faheem Mitha Jun 23 '14 at 15:35
  • It is from the official site. My version is amd64: https://www.debian.org/distrib/netinst – user295031 Jun 23 '14 at 18:10
  • 2
    @FaheemMitha, if he is deploying a mission-critical system, then integrity checking is a must. I'm a bit paranoid, so it is routine for me even for non-critical systems. – psimon Jun 23 '14 at 18:22
  • Btw you can even use the installer's built in integrity checker. But only after you've verified it with MD5 before burning. – psimon Jun 23 '14 at 18:28
  • I'd like to check the integrity using the ISO file that I have already verified using the PGP signature. Just so that I know how it works. – user295031 Jun 25 '14 at 20:14

2 Answers

10

You need to verify that the hash matches the downloaded image, and then verify that the hash was signed by an official Debian key - as explained in this blog post.

  1. Download your CD image, a SHA 512 hash, and the hash signature. It doesn't matter where you get them from, because of the signature that we'll verify below. But you can get it from debian.org.
  2. Verify that the hash matches the image (neither of these commands should print anything):

    $ sha512sum debian-8.3.0-amd64-i386-netinst.iso > my_hash.txt
    $ diff -q my_hash.txt SHA512SUMS.txt
    
  3. Verify the hash is properly signed. You'll probably have to do it twice: once to get the key ID, and again after you have downloaded the public key. The command output should look a lot like this:

    $ gpg --verify SHA512SUMS.sign.txt SHA512SUMS.txt
    gpg: Signature made Mon 25 Jan 2016 05:08:46 AEDT using RSA key ID 6294BE9B
    gpg: Can't check signature: public key not found
    $ gpg --keyserver keyring.debian.org --recv 6294BE9B
    gpg: requesting key 6294BE9B from hkp server keyring.debian.org
    gpg: key 6294BE9B: public key "Debian CD signing key <[email protected]>" imported
    gpg: no ultimately trusted keys found
    gpg: Total number processed: 1
    gpg:               imported: 1  (RSA: 1)
    $ gpg --verify SHA512SUMS.sign.txt SHA512SUMS.txt
    gpg: Signature made Mon 25 Jan 2016 05:08:46 AEDT using RSA key ID 6294BE9B
    gpg: Good signature from "Debian CD signing key <[email protected]>"
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B
    
  4. Verify that the key fingerprint (the last printed line) is legitimate. Ideally, you should do this via a web of trust. However, you can check the key fingerprint against the keys listed on Debian's secure web site (HTTPS).

z0r
  • 255
  • 2
  • 8
  • 1
    Very helpful. Respectfully suggest you add a step between your current steps 1 and 2, to read something like: **"Copy the relevant line from the SHA 512 hash (if said file has more than one line) and paste same to a new text file, named SHA512SUMS.txt."** Next, in your `$ gpg --verify SHA512SUMS.sign.txt SHA512SUMS.txt` step, suggest you change the reference to the `SHA512SUMS.txt` file such that it references the _originally downloaded, unchanged_ hash file (the one with _all_ of the original data). Said suggested changes would have prevented me from going down a deep, dark rabbit hole... – Digger Jun 28 '18 at 18:20
  • In step 2, what's the purpose of doing it the way you've written versus `sha512sum -c SHA512SUMS.txt`? – cdhowie Sep 06 '19 at 19:35
  • @cdhowie no reason. Your way is better; feel free to edit it – z0r Sep 07 '19 at 01:01
  • In addition to removing other sha512sums for SHA512SUMS.txt in step 2, step 3 doesn't work: it shows `using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B` `gpg: Can't check signature: No public key`. How to import the key? When I replace `6294BE9B` with that longer Id I just get `gpg: keyserver receive failed: Connection timed out`. Also why doesn't [this page](https://www.debian.org/CD/verify) simply precisely list all the commands needed? – mYnDstrEAm Jun 15 '23 at 09:54
  • I could import the key with this: `gpg --keyserver hkps://keyring.debian.org --recv-key DF9B9C49EAA9298432589D76DA87E80D6294BE9B`. If one needs to open some specific port in the nftables firewall for the other commands to work this info needs to get added! Step 4 also means checking this fingerprint against the fingerprint in your answer. – mYnDstrEAm Jun 15 '23 at 10:09
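Steps 2 to 4 of the answer above as reusable shell checks, added here as an example that is not code from the answer or from Debian. It assumes GNU coreutils `sha512sum` and `gpg`, uses placeholder file names, and builds its own constructed demo data, so it handles the multi-line SHA512SUMS case the comments ran into and pins the signer's fingerprint instead of eyeballing it.

```shell
#!/usr/bin/env bash
# Added example, not code from the answer above: steps 2-4 as reusable checks.
# Assumes GNU coreutils (sha512sum) and gpg; file names are placeholders.
set -eu

# Step 2, made safe for a SHA512SUMS file that lists several images: keep only
# the line whose file name equals ours, then let sha512sum compare it.
verify_iso_hash() {
  iso="$1"; sums="$2"
  line=$(awk -v f="$(basename "$iso")" '$2 == f' "$sums")
  [ -n "$line" ] || { echo "no entry for $iso in $sums" >&2; return 1; }
  # sha512sum -c resolves the file name relative to the current directory
  ( cd "$(dirname "$iso")" && printf '%s\n' "$line" | sha512sum -c --status )
}

# Step 4: compare fingerprints ignoring the spacing and case gpg prints with.
fingerprint_matches() {
  got=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
  want=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
  [ "$got" = "$want" ]
}

# Step 3, using gpg's machine-readable status lines instead of the human text:
# accept only a VALIDSIG whose signing-key or primary-key fingerprint equals
# the one pinned from https://www.debian.org/CD/verify (needs the key imported).
verify_sums_signature() {
  sums="$1"; sig="$2"; expected="$3"
  fprs=$(gpg --status-fd 1 --verify "$sig" "$sums" 2>/dev/null \
         | awk '$2 == "VALIDSIG" { print $3; print $NF }') || true
  for f in $fprs; do
    fingerprint_matches "$f" "$expected" && return 0
  done
  echo "signature on $sums is missing or not from the pinned key" >&2
  return 1
}

# Constructed demo data: a stand-in "image" plus a two-entry SHA512SUMS file.
demo() {
  d=$(mktemp -d)
  printf 'stand-in image bytes\n' > "$d/debian-7.5.0-amd64-netinst.iso"
  printf '%0128d  debian-7.5.0-amd64-i386-netinst.iso\n' 0 > "$d/SHA512SUMS"
  ( cd "$d" && sha512sum debian-7.5.0-amd64-netinst.iso ) >> "$d/SHA512SUMS"
  verify_iso_hash "$d/debian-7.5.0-amd64-netinst.iso" "$d/SHA512SUMS" && echo "hash OK"
  fingerprint_matches "DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B" \
    DF9B9C49EAA9298432589D76DA87E80D6294BE9B && echo "fingerprint OK"
  rm -rf "$d"
}
demo
```

For a real download, call `verify_sums_signature SHA512SUMS SHA512SUMS.sign <fingerprint from debian.org/CD/verify>` before trusting the hash file; the demo leaves that step out because it needs the network and the imported key.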
4

Look at http://cdimage.debian.org/debian-cd/current/amd64/iso-cd/

The netinst ISO is at http://cdimage.debian.org/debian-cd/current/amd64/iso-cd/debian-7.5.0-amd64-netinst.iso.

You can find the md5sum in http://cdimage.debian.org/debian-cd/current/amd64/iso-cd/MD5SUMS.

The relevant line is:

8fdb6715228ea90faba58cb84644d296  debian-7.5.0-amd64-netinst.iso
Faheem Mitha
  • 34,649
  • 32
  • 119
  • 183