Thank you all for your answers.

1. But I mean subscriptions like this "debian-user" :) But I really like your answers about Debian's freedom. I think it is useful information. Thanks.

2. I have just verified GPG's keys manually: https://keyring.debian.org/

2.1. I have downloaded SHA512SUMS.sign and SHA512SUMS from https://cdimage.debian.org/debian-cd/current/amd64/bt-cd/

2.2. I have then done:

gpg --keyserver keyring.debian.org --verify SHA512SUMS.sign SHA512SUMS

2.3. Then I got the following info:

Signature was made on 30 June 2024
RSA key: DF9B9C49EAA9298432589D76DA87E80D6294BE9B

I have compared 2011's key and mine and they are the same. But is it a good idea to do that? Or do I need to download the open key and then compare them? And is verification with SHA512SUMS.sign and SHA512SUMS enough? Should I do the same actions with SHA216SUMS.sign and SHA216SUMS?
On Mon, Jul 8, 2024 at 11:00 PM Thomas Schmitt <scdbac...@gmx.net> wrote:
> Hi,
>
> cybertat...@gmail.com wrote:
> > 2. How to check Debian Image Authentication?
> > Is checksum verification (sha216sum, sha512sum) enough?
>
> Only if you are trusting the site from where you downloaded the ISO.
> In that case you'd use the checksums in the files SHA256SUMS and
> SHA512SUMS as mere control whether the download delivered what the server
> operators intended.
>
> > Should I verify with GPG?
>
> The signatures in the files SHA256SUMS.sign and SHA512SUMS.sign verify that
> the checksums in SHA256SUMS and SHA512SUMS are authorized by the Debian
> developers who are in charge of image production.
>
> Verify them by e.g.
>
>   gpg --keyserver keyring.debian.org --verify SHA512SUMS.sign SHA512SUMS
>
> and look out for the text
>
>   gpg: Good signature from "Debian CD signing key <debian...@lists.debian.org>"
>   ...
>   Primary key fingerprint: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B
>
> First occurrence of this fingerprint in my mailbox is Oct 10 2015.
>
> On
>   https://www.debian.org/CD/verify
> there are two more valid keys published which would yield:
>
>   gpg: Good signature from "Debian CD signing key <debian...@lists.debian.org>"
>   Primary key fingerprint: 1046 0DAD 7616 5AD8 1FBC 0CE9 9880 21A9 64E6 EA7D
>
>   gpg: Good signature from "Debian Testing CDs Automatic Signing Key <debian...@lists.debian.org>"
>   Primary key fingerprint: F41D 3034 2F35 4669 5F65 C669 4246 8F40 09EA 8AC3
>
> Both have their first occurrence in my mailbox at Feb 16 2020.
>
> If you see one of these texts, then you may assume the checksum files to
> be valid (or the fingerprints to be undetected falsifications since years).
> But if you see deviations in the fingerprint lines then this would be very
> suspicious.
>
>
> Have a nice day :)
>
> Thomas
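The check Thomas describes, scripted so that the fingerprint comparison is done by the machine rather than by eye, and followed by the sha512sum check of the image itself. This is an added example, not code from the thread; it assumes gpg and sha512sum are installed, that the Debian CD signing key is already in your keyring (or fetched with --auto-key-retrieve), and the function names are made up here.

```shell
#!/bin/sh
# Added example: verify a Debian SHA512SUMS file against the three primary-key
# fingerprints quoted in the thread (from https://www.debian.org/CD/verify),
# using gpg's machine-readable --status-fd output instead of the human text.

TRUSTED_FPRS="DF9B9C49EAA9298432589D76DA87E80D6294BE9B
10460DAD76165AD81FBC0CE9988021A964E6EA7D
F41D30342F3546695F65C66942468F4009EA8AC3"

# Reads "[GNUPG:] ..." status lines on stdin. Succeeds only if a GOODSIG was
# reported, no BADSIG/ERRSIG/EXPKEYSIG/REVKEYSIG appeared, and the primary-key
# fingerprint (last field of VALIDSIG) is one of TRUSTED_FPRS.
check_gpg_status() {
    good=0; bad=0; trusted=0
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] GOODSIG "*) good=1 ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*)
                bad=1 ;;
            "[GNUPG:] VALIDSIG "*)
                primary=${line##* }        # last whitespace-separated field
                for fpr in $TRUSTED_FPRS; do
                    [ "$primary" = "$fpr" ] && trusted=1
                done ;;
        esac
    done
    [ "$good" = 1 ] && [ "$bad" = 0 ] && [ "$trusted" = 1 ]
}

# Hypothetical wrapper: run in the directory holding the ISO, SHA512SUMS and
# SHA512SUMS.sign. Status lines go to stdout (--status-fd 1), human output to
# stderr. Only after the signature passes are the checksums trusted.
verify_debian_image() {
    sums=$1; sig=$2
    gpg --keyserver keyring.debian.org --status-fd 1 --verify "$sig" "$sums" 2>/dev/null \
        | check_gpg_status || { echo "signature check FAILED for $sums" >&2; return 1; }
    # --ignore-missing: only the image(s) actually present here are checked.
    sha512sum -c --ignore-missing "$sums"
}
```

Invoke as `verify_debian_image SHA512SUMS SHA512SUMS.sign`; doing the same for SHA256SUMS adds nothing the SHA512 check does not already give, since both files are signed by the same key.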