This tutorial explains how to verify that your download is correct and exactly what has been created by Debian.
Last week the Debian team released the fourth update of its stable distribution Debian 9 (codename stretch), so I thought I would post an updated version of my original blog post here.
When you download an official Debian release ISO image, you can use the signed checksum files that come with it to validate that the image you downloaded is correct.
Basically you want to check two things:
  • that the checksum file has not been tampered with, and
  • that the ISO image checksum matches the one expected from the checksum file.
Here I will explain to you how to do these checks by using sha512sum and gpg tools.

Download a Debian ISO image

Download the ISO image and its signed checksum files from one of the registered mirrors. Note that some mirrors may not be up to date; in that case use the primary CD image server.
First, verify the authenticity of the SHA512SUMS checksum file itself, since it is what will be used to verify the content of the Debian ISO image.

Import Debian public key

The Debian CD public key is probably not yet on your system, so first try to verify the signature and see what gpg reports.
$ gpg --verify SHA512SUMS.sign
gpg: assuming signed data in `SHA512SUMS'
gpg: Signature made Sun 18 Jun 2017 02:32:31 CEST using RSA key ID 6294BE9B
gpg: Can't check signature: public key not found
If you see the message gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>" then you already have the Debian public key; otherwise you need to download it from the Debian keyring server.
From the output of the previous command you can get the ID of the public key to import, which in this case is 6294BE9B, so import the key with this command.
$ gpg --keyserver keyring.debian.org --recv 6294BE9B
gpg: requesting key 6294BE9B from hkp server keyring.debian.org
gpg: key 6294BE9B: public key "Debian CD signing key <debian-cd@lists.debian.org>" imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 3 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 3u
gpg: next trustdb check due at 2021-01-25
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)

Validate the checksum file

Now you can check that the checksum file has not been tampered with by verifying its signature, which should now be reported as good.
$ gpg --verify SHA512SUMS.sign SHA512SUMS
gpg: Signature made Sun 18 Jun 2017 02:32:31 CEST using RSA key ID 6294BE9B
gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B
The last line shows the fingerprint of the key used to sign the file. gpg prints the WARNING because nobody in your web of trust has certified this key, so the fingerprint comparison is what establishes that it really is the Debian CD key: compare it with the ones listed at https://www.debian.org/CD/verify, which includes the fingerprints of the keys that have been used for Debian releases in recent years.

Verify ISO image content

Finally, you can check that the ISO image checksum matches the one expected from the checksum file, using this command. The line for your image must end in OK; if nothing is printed at all, the image is not listed in the checksum file you downloaded.
$ sha512sum -c SHA512SUMS 2>/dev/null | grep debian-live-9.4.0-amd64-gnome.iso
debian-live-9.4.0-amd64-gnome.iso: OK
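The whole procedure above, automated so that the fingerprint comparison is done by the script instead of by eye (an added example, not code from the original post): it reads gpg's machine-readable status output for the SHA512SUMS signature, accepts only a fingerprint from an allowlist you copy from https://www.debian.org/CD/verify (seeded here with the fingerprint shown above), and then lets sha512sum's exit status decide about the ISO. It assumes gpg and GNU coreutils are installed, the key has already been imported as shown, and SHA512SUMS, SHA512SUMS.sign and the ISO are in the current directory.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post. Assumes: gpg and GNU coreutils
# installed, the Debian CD key already imported (see above), and SHA512SUMS,
# SHA512SUMS.sign and the ISO all in the current directory.
set -u

# Fingerprints you accept, copied by hand from https://www.debian.org/CD/verify
# (no spaces, upper case). Seeded with the one printed in the post above.
TRUSTED_FPRS="DF9B9C49EAA9298432589D76DA87E80D6294BE9B"

# Read gpg's status lines (gpg --status-fd 1 --verify ...) on stdin and print
# the primary-key fingerprint from the VALIDSIG line, which is the value that
# debian.org lists. Fails when there is no VALIDSIG (BADSIG, NO_PUBKEY, ...).
valid_sig_fpr() {
  awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; found = 1 }
       END { exit !found }'
}

# Succeed only if fingerprint $1 (spaces and case ignored) is allowlisted.
fpr_trusted() {
  local fpr t
  fpr=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
  for t in $TRUSTED_FPRS; do [ "$t" = "$fpr" ] && return 0; done
  return 1
}

# Verify one file ($2) against the checksum file ($1). Only its line is fed to
# sha512sum, and the exit status, not a grep for "OK", is the verdict.
# Entries look like "hash  name" or, in binary mode, "hash *name".
iso_sum_ok() {
  awk -v f="$2" '$2 == f || $2 == ("*" f)' "$1" | sha512sum -c --status
}

# Full check for one ISO name: valid signature -> trusted key -> checksum.
verify_debian_iso() {
  local fpr
  fpr=$(gpg --status-fd 1 --verify SHA512SUMS.sign SHA512SUMS 2>/dev/null | valid_sig_fpr) \
    || { echo "SHA512SUMS: signature not valid or key not imported" >&2; return 1; }
  fpr_trusted "$fpr" || { echo "SHA512SUMS: signed by untrusted key $fpr" >&2; return 2; }
  iso_sum_ok SHA512SUMS "$1" || { echo "$1: checksum mismatch or not listed" >&2; return 3; }
  echo "$1: signature and checksum OK (key $fpr)"
}

# Usage: verify_debian_iso debian-live-9.4.0-amd64-gnome.iso
```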
Now, you are ready to use your Debian.
Danilo
Comments
This post is misleading.
You extract the public key from the signature and then you import that key; this is not how it should be done.
If you cannot verify the signature through your web of trust, the next best way is to check where the Debian CD team published the private key. They are published here: https://www.debian.org/CD/verify. You should import this and go on to validate and verify.
@kocj
No, you don't have to import Debian CD Team's private keys and the Debian page https://www.debian.org/CD/verify does not publish the private keys (hopefully they'll never do), what we need is their public keys to verify the files.
What they publish on that page are the fingerprints of the public keys, which we check by visually comparing their fingerprint with the output of our command, the line that says "Primary key fingerprint: DF9B ...". The problem is that we don't know which public key of the 3 listed on that page is the one they used to sign the file, so the first command `gpg --verify SHA512SUMS.sign` helps us to identify it; then we import it from keyring.debian.org as explained in the Debian GPG keyring https://keyring.debian.org/.
Thanks for your feedback, I hope this clears things up.