How to verify authenticity of downloaded Debian ISO images
This tutorial explains how to verify that your download is correct and is exactly what Debian created.
Last week the Debian team released the fourth update of its stable distribution Debian 9 (codename stretch), so I thought I would post here an updated version of my original blog post.
When you download an official release of Debian ISO image, you can use the signed checksum files that come with it to validate that the images you download are correct.
Basically you want to check two things:
- that the checksum file has not been tampered with, and
- that the ISO image checksum matches the one expected from the checksum file
Here I will explain to you how to do these checks by using sha512sum and gpg tools.
Download a Debian ISO image
Together with the ISO image, download the SHA512SUMS checksum file and its signature SHA512SUMS.sign, which the commands below use. First, verify the authenticity of the SHA512SUMS file itself; it will then be used to verify the content of the Debian ISO image.
Import Debian public key
Probably the Debian CD public key is not yet available on your system, so start by trying to verify the signature:
$ gpg --verify SHA512SUMS.sign
gpg: assuming signed data in `SHA512SUMS'
gpg: Signature made Sun 18 Jun 2017 02:32:31 CEST using RSA key ID 6294BE9B
gpg: Can't check signature: public key not found
If you see the message gpg: Good signature from "Debian CD signing key <firstname.lastname@example.org>" then you already have the Debian public key; otherwise you need to download it from the Debian keyring server.
From the output of the previous command you can get the ID of the public key to import, which in this case is 6294BE9B, so import the key with this command:
$ gpg --keyserver keyring.debian.org --recv 6294BE9B
gpg: requesting key 6294BE9B from hkp server keyring.debian.org
gpg: key 6294BE9B: public key "Debian CD signing key <email@example.com>" imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   3  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 3u
gpg: next trustdb check due at 2021-01-25
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
Validate the checksum file
Now you can check that the checksum file has not been tampered with by verifying its signature; it should be a good one:
$ gpg --verify SHA512SUMS.sign SHA512SUMS
gpg: Signature made Sun 18 Jun 2017 02:32:31 CEST using RSA key ID 6294BE9B
gpg: Good signature from "Debian CD signing key <firstname.lastname@example.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B
The last line shows the fingerprint of the key used to sign the file; compare it with the ones listed on the https://www.debian.org/CD/verify page, which lists the fingerprints of the keys used to sign Debian releases in recent years. The WARNING appears because the key is not certified in your own keyring's web of trust, so a "Good signature" alone only proves that someone holding that key signed the file; comparing the full fingerprint (not just the short key ID 6294BE9B) against the Debian website is what ties it to Debian.
Verify ISO image content
Finally, check that the ISO image checksum matches the one in the checksum file with this command:
$ sha512sum -c SHA512SUMS 2>/dev/null | grep debian-live-9.4.0-amd64-gnome.iso
debian-live-9.4.0-amd64-gnome.iso: OK
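The following script is an added example, not part of the original post: it wraps the two checks above (fingerprint comparison and checksum verification) in shell functions and runs them against constructed sample data so it works offline and without gpg installed. It assumes GNU coreutils sha512sum (for the --ignore-missing option); the fingerprint in EXPECTED_FPR is copied from the gpg output shown above and the gpg output samples are constructed from it, with the "wrong key" fingerprint being a hypothetical value.

```shell
#!/bin/sh
# Added example (not from the original post). Fingerprint taken from the
# post's gpg output; in real use, take it from https://www.debian.org/CD/verify.
EXPECTED_FPR="DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B"

# Constructed sample of "gpg --verify SHA512SUMS.sign SHA512SUMS" output,
# copied from the post: good signature, uncertified key, fingerprint printed.
GOOD_OUTPUT='gpg: Signature made Sun 18 Jun 2017 02:32:31 CEST using RSA key ID 6294BE9B
gpg: Good signature from "Debian CD signing key <firstname.lastname@example.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B'

# Constructed sample: a good signature, but from a key with a different
# (hypothetical, not real) fingerprint. The UID text alone proves nothing.
WRONG_KEY_OUTPUT='gpg: Good signature from "Debian CD signing key <firstname.lastname@example.org>"
Primary key fingerprint: 0000 1111 2222 3333 4444 5555 6666 7777 8888 9999'

# Constructed sample: the signature does not verify at all.
BAD_SIG_OUTPUT='gpg: BAD signature from "Debian CD signing key <firstname.lastname@example.org>"'

# signature_ok GPG_OUTPUT: succeed only when gpg reported a good signature AND
# the primary key fingerprint equals EXPECTED_FPR (spaces ignored). A short
# key ID such as 6294BE9B is not enough; only the full fingerprint identifies the key.
signature_ok() {
    printf '%s\n' "$1" | grep -q '^gpg: Good signature from ' || return 1
    fpr=$(printf '%s\n' "$1" | sed -n 's/^Primary key fingerprint: *//p' | head -n 1 | tr -d ' ')
    [ -n "$fpr" ] && [ "$fpr" = "$(printf '%s' "$EXPECTED_FPR" | tr -d ' ')" ]
}

# verify_iso DIR ISONAME: check one image against the SHA512SUMS file in DIR.
# --ignore-missing skips the images you did not download instead of hiding
# every error with 2>/dev/null, and sha512sum still fails if nothing was verified.
verify_iso() {
    ( cd "$1" && sha512sum -c --ignore-missing SHA512SUMS 2>&1 ) \
        | grep -q "^$2: OK\$"
}

# make_demo: build a directory holding a constructed fake "ISO" and a SHA512SUMS
# listing it plus an image that was not downloaded, as the real file does.
make_demo() {
    d=$(mktemp -d)
    printf 'constructed sample, not a real Debian image\n' > "$d/debian-live-9.4.0-amd64-gnome.iso"
    ( cd "$d" && sha512sum debian-live-9.4.0-amd64-gnome.iso > SHA512SUMS )
    printf '%0128d  debian-live-9.4.0-amd64-kde.iso\n' 0 >> "$d/SHA512SUMS"
    printf '%s\n' "$d"
}

# Usage: both checks on the constructed data, then the checksum check again
# after the image has been modified.
demo_dir=$(make_demo)
signature_ok "$GOOD_OUTPUT" && echo "signature: OK, fingerprint matches"
verify_iso "$demo_dir" debian-live-9.4.0-amd64-gnome.iso && echo "checksum: OK"
printf 'extra byte\n' >> "$demo_dir/debian-live-9.4.0-amd64-gnome.iso"
verify_iso "$demo_dir" debian-live-9.4.0-amd64-gnome.iso || echo "checksum: FAILED after tampering"
rm -rf "$demo_dir"
```

Note the difference from the one-liner above: piping through grep shows nothing at all when the image name is absent from SHA512SUMS, which is easy to misread as success, whereas verify_iso returns a non-zero status in that case and whenever the line is not exactly "name: OK".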
Now you are ready to use your Debian image.
This article is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.