On 13/12/13 13:15, Ralf Mardorf wrote:
> You misunderstand me.
>
> If I've got a checksum from the iso, e.g.
>
> [rocketmouse@archlinux downloads]$ sha1sum debian-7.2.0-i386-netinst.iso
> c7050ae8ccda40456f6a1c4936ea8f170736b440  debian-7.2.0-i386-netinst.iso
>
> where can I find a file with checksums to check/compare?

For the example you give. The iso comes from:-
http://cdimage.debian.org/debian-cd/current/i386/iso-cd/debian-7.2.0-i386-netinst.iso

Looking at the parent page:-
http://cdimage.debian.org/debian-cd/current/i386/iso-cd/

The sums are listed on the same page. In this instance (SHA1) you'd want:-
http://cdimage.debian.org/debian-cd/current/i386/iso-cd/SHA1SUMS

The relevant entry for that particular iso is:-
c7050ae8ccda40456f6a1c4936ea8f170736b440  debian-7.2.0-i386-netinst.iso

So in this instance you *know* that the cd is intact.

Don't trust the sums? Why should you? Those sums are signed by the developers:-
http://cdimage.debian.org/debian-cd/current/i386/iso-cd/SHA1SUMS.sign

$ gpg --output SHA1SUMS --verify SHA1SUMS.sign
gpg: Signature made Mon 14 Oct 2013 08:18:52 EST using RSA key ID 6294BE9B
gpg: Can't check signature: public key not found

I then download the key matching that ID from a keyserver (Debian CD signing key (debian...@lists.debian.org) ID: 6294BE9B Fingerprint: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B) and see it's signed by a bunch of people (17). By checking their keys and the keys of some of the people who've signed their keys - I find I "trust" the CD signing key "by 2 degrees". The world really isn't that big after all! :)

NOTE: if you don't know someone who signed Steve McIntyre's key you surely know someone who does know someone who did (or you've never left the house you were born in, ever).

> I need a source and don't know where the source is.
>
> If I download a key, I can decrypt a signed file including the
> checksum, but where is that file?
>
> I can not find such a file inside the iso,

Mount the iso (# mount -o loop $someISO $somewhere) and you'll see the file. (I posted the ls of a mounted CDROM earlier in this thread)

> nor do I know a website to download such a file.

Example provided above.

> Regards, Ralf
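
Added example (not part of the original message): the two checks described above as one fail-closed sequence, signature on SHA1SUMS first, then the ISO's own entry. The function names are hypothetical; the fingerprint is the one quoted in the message, and the signing key is assumed to be already imported into the local gpg keyring.

```shell
#!/bin/sh
# Full fingerprint from the message above, spaces removed. Matching on this
# is stricter than matching on the short key ID 6294BE9B.
DEBIAN_CD_FPR="DF9B9C49EAA9298432589D76DA87E80D6294BE9B"

# Reads `gpg --status-fd` output on stdin. Succeeds only if a VALIDSIG line
# names the pinned fingerprint as signing key (field 3) or primary key (last).
status_has_pinned_sig() {
    awk -v fpr="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == fpr || $NF == fpr) { ok = 1 }
        END { exit !ok }'
}

# verify_sums_signature SUMS SIG: check the detached signature SIG over SUMS.
verify_sums_signature() {
    gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        status_has_pinned_sig "$DEBIAN_CD_FPR"
}

# expected_sum SUMS NAME: print the hash listed for exactly NAME, fail if absent.
# Assumes file names without spaces, as in Debian's SHA1SUMS.
expected_sum() {
    awk -v name="$2" '
        { f = $2; sub(/^\*/, "", f) }            # drop the binary-mode marker
        f == name { print $1; found = 1; exit }
        END { exit !found }' "$1"
}

# check_iso SUMS ISO: 0 = match, 1 = mismatch, 2 = ISO not listed in SUMS.
check_iso() {
    want=$(expected_sum "$1" "$(basename "$2")") || {
        echo "no entry for $2 in $1" >&2
        return 2
    }
    have=$(sha1sum "$2" | awk '{ print $1 }')
    [ "$want" = "$have" ]
}

# verify_iso SUMS SIG ISO: trust the sums only after the signature checks out.
verify_iso() {
    verify_sums_signature "$1" "$2" && check_iso "$1" "$3"
}
```

With the files from the message in the current directory, the call would be: verify_iso SHA1SUMS SHA1SUMS.sign debian-7.2.0-i386-netinst.iso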