After installing Debian

I would suggest never listen to youtube videos. all it is, is somebody that may or may NOT know what they are talking about, you have no idea which it is. Take what they say and do what you are doing here, ask. Investigate things yourself and don't just believe what some random youtuber says.
 


Here is procedure from my notes:

Markdown (GitHub flavored):
# Verify downloaded debian ISO integrity

Procedure to verify authenticity of downloaded Debian ISO image

## Table of Contents

- [Verify downloaded debian ISO integrity](#verify-downloaded-debian-iso-integrity)
  - [Table of Contents](#table-of-contents)
  - [Download debian and checksums](#download-debian-and-checksums)
  - [Verify checksum](#verify-checksum)
  - [Verify authenticity of checksums](#verify-authenticity-of-checksums)
    - [The list of public keys to download](#the-list-of-public-keys-to-download)
    - [Download public key(s) used to sign cheksums](#download-public-keys-used-to-sign-cheksums)
    - [Verify signature of the checksum file](#verify-signature-of-the-checksum-file)
  - [Check the CD-ROM integrity](#check-the-cd-rom-integrity)
  - [Reference](#reference)

## Download debian and checksums

Download debian ISO including checksums for that ISO:

Netinst ISO:

[Debian ISO CD's](https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/)

Live ISO:

[Debian ISO hybrid CD's](https://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/)

## Verify checksum

Verify checksum of the ISO image is the same as the one in checksums file

```bash
sha512sum -c SHA512SUMS --ignore-missing
```

## Verify authenticity of checksums

Verify the authenticity of the checksum files against public key used to sign the checksum

### The list of public keys to download

On the link below are key ID's, ex: `pub rsa4096/988021A964E6EA7D` and `rsa4096/DA87E80D6294BE9B`

[Verifying authenticity of Debian images](https://www.debian.org/CD/verify)

### Download public key(s) used to sign cheksums

Repeat download for each key that might be relevant

```bash
gpg --keyserver keyring.debian.org --recv 988021A964E6EA7D
gpg --keyserver keyring.debian.org --recv DA87E80D6294BE9B
```

### Verify signature of the checksum file

```bash
gpg --verify SHA512SUMS.sign
```

If you get an error such as:
`gpg: BAD signature from "Debian CD signing key <[email protected]>"`</br>
then this means you need to download checksum files not by copy\pasting their values into text
editor but rather download checksum files themself!

## Check the CD-ROM integrity

Once the installation media is booted from, use option which says `Check the CD-ROM integrity`

Here is procedure from my notes:

Markdown (GitHub flavored):
# Verify downloaded debian ISO integrity

Procedure to verify authenticity of downloaded Debian ISO image

## Table of Contents

- [Verify downloaded debian ISO integrity](#verify-downloaded-debian-iso-integrity)
  - [Table of Contents](#table-of-contents)
  - [Download debian and checksums](#download-debian-and-checksums)
  - [Verify checksum](#verify-checksum)
  - [Verify authenticity of checksums](#verify-authenticity-of-checksums)
    - [The list of public keys to download](#the-list-of-public-keys-to-download)
    - [Download public key(s) used to sign cheksums](#download-public-keys-used-to-sign-cheksums)
    - [Verify signature of the checksum file](#verify-signature-of-the-checksum-file)
  - [Check the CD-ROM integrity](#check-the-cd-rom-integrity)
  - [Reference](#reference)

## Download debian and checksums

Download debian ISO including checksums for that ISO:

Netinst ISO:

[Debian ISO CD's](https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/)

Live ISO:

[Debian ISO hybrid CD's](https://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/)

## Verify checksum

Verify checksum of the ISO image is the same as the one in checksums file

```bash
sha512sum -c SHA512SUMS --ignore-missing
```

## Verify authenticity of checksums

Verify the authenticity of the checksum files against public key used to sign the checksum

### The list of public keys to download

On the link below are key ID's, ex: `pub rsa4096/988021A964E6EA7D` and `rsa4096/DA87E80D6294BE9B`

[Verifying authenticity of Debian images](https://www.debian.org/CD/verify)

### Download public key(s) used to sign cheksums

Repeat download for each key that might be relevant

```bash
gpg --keyserver keyring.debian.org --recv 988021A964E6EA7D
gpg --keyserver keyring.debian.org --recv DA87E80D6294BE9B
```

### Verify signature of the checksum file

```bash
gpg --verify SHA512SUMS.sign
```

If you get an error such as:
`gpg: BAD signature from "Debian CD signing key <[email protected]>"`</br>
then this means you need to download checksum files not by copy\pasting their values into text
editor but rather download checksum files themself!

## Check the CD-ROM integrity

Once the installation media is booted from, use option which says `Check the CD-ROM integrity`

When I click on the files SHA512SUMS.txt and SHA512SUMS.sign, they open as new web pages. Not as text files or the like. How can I use they to validate the downloaded .iso file?
 
When I click on the files SHA512SUMS.txt and SHA512SUMS.sign, they open as new web pages. Not as text files or the like. How can I use they to validate the downloaded .iso file?
if you are downloading from a known good reliable source then don't get hung up in sha or other checks. waste so much time on that in a situation where it is not a factor. Just use it as long as you are sure it is fine from reliable source. No need for a "glass of water" issue
 
if you are downloading from a known good reliable source then don't get hung up in sha or other checks. waste so much time on that in a situation where it is not a factor. Just use it as long as you are sure it is fine from reliable source. No need for a "glass of water" issue

That makes sense. It’s confused me how verifying the .iso file is important but I never hear of anyone in chat doing it. Or how there seems to be such few explicit directions or videos on how to do it. I’m happy to do what is common practice but verifying an .iso doesn’t seem to be so common.
 
sha512sum is an executable file. It does the comparison. The first entry on any terminal line must call an executable file or be a built-in command. You can find instructions for using it by typing 'man sha512sum' in a terminal.
 
sha512sum is an executable file. It does the comparison. The first entry on any terminal line must call an executable file or be a built-in command. You can find instructions for using it by typing 'man sha512sum' in a terminal.
Oh cool. Thanks
 


Follow Linux.org

Members online


Top