Hi,

cybertat...@gmail.com wrote:
> 2. How to check Debian Image Authentication?
> Is checksum verification (sha256sum, sha512sum) enough?

Only if you are trusting the site from where you downloaded the ISO.
In that case you'd use the checksums in the files SHA256SUMS and SHA512SUMS
as mere control whether the download delivered what the server operators
intended.

> Should I verify with GPG?

The signatures in the files SHA256SUMS.sign and SHA512SUMS.sign verify that
the checksums in SHA256SUMS and SHA512SUMS are authorized by the Debian
developers who are in charge of image production.

Verify them by e.g.

  gpg --keyserver keyring.debian.org --verify SHA512SUMS.sign SHA512SUMS

and look out for the text,

  gpg: Good signature from "Debian CD signing key <debian...@lists.debian.org>"
  ...
  Primary key fingerprint: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B

First occurrence of this fingerprint in my mailbox is Oct 10 2015.

On
  https://www.debian.org/CD/verify
there are two more valid keys published which would yield:

  gpg: Good signature from "Debian CD signing key <debian...@lists.debian.org>"
  Primary key fingerprint: 1046 0DAD 7616 5AD8 1FBC 0CE9 9880 21A9 64E6 EA7D

  gpg: Good signature from "Debian Testing CDs Automatic Signing Key <debian...@lists.debian.org>"
  Primary key fingerprint: F41D 3034 2F35 4669 5F65 C669 4246 8F40 09EA 8AC3

Both have their first occurrence in my mailbox on Feb 16 2020.

If you see one of these texts, then you may assume the checksum files
to be valid (or the fingerprints to be undetected falsifications for years).
But if you see deviations in the fingerprint lines then this would be very
suspicious.

Have a nice day :)

Thomas
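
Added example, not part of Thomas's message: a shell sketch that automates the "look out for the fingerprint" step by reading gpg's machine-readable status output instead of the human-readable text, then checks the ISO against the signed checksum file. The function names are hypothetical, and it assumes the signing key is already in your keyring and that all three files sit in the current directory.

```shell
#!/bin/sh
# The three fingerprints quoted in the message above, spaces removed.
DEBIAN_CD_FPRS="DF9B9C49EAA9298432589D76DA87E80D6294BE9B
10460DAD76165AD81FBC0CE9988021A964E6EA7D
F41D30342F3546695F65C66942468F4009EA8AC3"

# Reads `gpg --status-fd` lines on stdin. Succeeds only if a VALIDSIG line
# names a primary key fingerprint from the pinned list.
# VALIDSIG fields: signing-key fpr first, primary-key fpr last (12th word
# of the line); older gpg versions that omit it fall back to the first.
signer_is_pinned() {
    fpr=$(awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" {
                   if (NF >= 12) print $12; else print $3
                   exit
               }')
    [ -n "$fpr" ] || return 1          # no valid signature reported at all
    printf '%s\n' "$DEBIAN_CD_FPRS" | grep -qxF -e "$fpr"
}

# Usage: verify_image SHA512SUMS SHA512SUMS.sign debian-xyz.iso
verify_image() {
    sums=$1 sig=$2 iso=$3
    # Step 1: the checksum file must carry a good signature ...
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$sums" 2>/dev/null) \
        || return 1
    # ... made by one of the pinned keys, not just any key in the keyring.
    printf '%s\n' "$status" | signer_is_pinned || return 1
    # Step 2: the ISO must match its own line in the now-trusted file.
    # An ISO that is not listed yields empty input, which sha512sum rejects.
    awk -v f="$iso" '$2 == f' "$sums" | sha512sum -c - >/dev/null 2>&1
}
```

The check fails closed: a bad signature, an unlisted signer, or an ISO name missing from the checksum file all make verify_image return non-zero.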