Hi,

> There are MD5 and SHA sums in that same directory. However I can only access
> those checksums through unencrypted connections. Therefore they cannot be
> used to check against 3rd party tampering.

The chain of trust begins with the public keys as described at
  https://www.debian.org/CD/verify
  https://keyring.debian.org/
which you use to verify the checksum file
  http://cdimage.debian.org/cdimage/unofficial/non-free/cd-including-firmware/8.5.0-live+nonfree/amd64/iso-hybrid/SHA512SUMS
by its signature file
  http://cdimage.debian.org/cdimage/unofficial/non-free/cd-including-firmware/8.5.0-live+nonfree/amd64/iso-hybrid/SHA512SUMS.sign

Then you can use the SHA512 sum of
  debian-live-8.5.0-amd64-cinnamon-desktop+nonfree.iso
to verify the downloaded ISO image.

Currently I am riddling about the exact command to get the necessary GPG keys.
On my Debian 8 installation
  $ gpg --verify SHA512SUMS.sign SHA512SUMS
knows that Debian LiveCD 8.3 SHA512SUMS.sign was created by
  gpg: Signature made Thu 28 Jan 2016 02:07:19 AM CET using RSA key ID 6294BE9B
  gpg: Good signature from "Debian CD signing key <debian...@lists.debian.org>"

So I probably got the key by
  gpg --keyserver keyring.debian.org --recv-keys 6294BE9B

Have a nice day :)

Thomas
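
The verification order described in the message above, as an added shell example that is not part of the original post: the checksum file is trusted only after its signature validates, and only then is the ISO hashed against it. The function names and the full-fingerprint argument are assumptions of this example; the fingerprint to pass is the one published at https://www.debian.org/CD/verify.

```shell
#!/bin/sh
# Added example: function names and arguments are hypothetical, not Debian tooling.

# verify_sums_signature SIGFILE SUMSFILE FINGERPRINT
# Succeeds only if gpg reports a valid signature made by the key with the
# given full fingerprint (40 hex digits, no spaces). The key must already
# be in the local keyring.
verify_sums_signature() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        awk -v fpr="$3" '
            $2 == "VALIDSIG" && ($3 == fpr || $NF == fpr) { ok = 1 }
            END { exit !ok }'
}

# check_iso_sum SUMSFILE ISO
# Returns 0 on match, 1 on mismatch, 2 if SUMSFILE has no entry for the ISO.
# Assumes file names without whitespace, as in the Debian checksum files.
check_iso_sum() {
    name=$(basename "$2")
    want=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f) }
        f == n { print $1; exit }' "$1")
    [ -n "$want" ] || { echo "no entry for $name in $1" >&2; return 2; }
    got=$(sha512sum "$2" | awk '{ print $1 }')
    [ "$want" = "$got" ]
}

# verify_iso SIGFILE SUMSFILE FINGERPRINT ISO
# The checksum file is consulted only after its signature has been accepted.
verify_iso() {
    verify_sums_signature "$1" "$2" "$3" ||
        { echo "signature check failed" >&2; return 1; }
    check_iso_sum "$2" "$4"
}

# Usage (fingerprint shown as a placeholder):
#   verify_iso SHA512SUMS.sign SHA512SUMS <FULL_FINGERPRINT> \
#       debian-live-8.5.0-amd64-cinnamon-desktop+nonfree.iso
```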