Hi everyone,
I'm currently running Linux Mint as my OS and with the release last week of Debian 10, I thought I'd take a serious look at running "Buster" on my main laptop as my only OS. (I've never used Debian prior).
So, I've downloaded the live amd64 standard iso (hoping that is the one that gives me the option of testing the different DEs). I also saved the 256 and 512 SUMS and SUMS sign files to verify and authenticate the download. I clicked the verification guide link, and was redirected to this page . . . https://www.debian.org/CD/verify
And, I'm not sure I understand everything on that page, so I checked this forum to find out how to verify the ISO .
I found this thread, http://forums.debian.net/viewtopic.php?f=17&t=142710, and copied the code for the 512 SUM:
(gpg --verify SHA512SUMS.sign SHA512SUMS)
And, this is the what I get:
gpg: can't open `SHA512SUMS.sign'
gpg: verify signatures failed: file open error
So, can someone please help explain how to verify and authenticate the ISO I downloaded?
Thanks.
Scheduled Maintenance: We are aware of an issue with Google, AOL, and Yahoo services as email providers which are blocking new registrations. We are trying to fix the issue and we have several internal and external support tickets in process to resolve the issue. Please see: viewtopic.php?t=158230
How to verify ISO?
-
- Posts: 154
- Joined: 2019-04-29 01:17
- Been thanked: 2 times
Re: How to verify ISO?
Read this again carefully
Also be sure to make sure the fingerprint matches you can't just go by the sha sums in my opinion.
Then go back to the link and get the keyring.To ensure that the checksums files themselves are correct, use GnuPG to verify them against the accompanying signature files (e.g. SHA512SUMS.sign). The keys used for these signatures are all in the Debian GPG keyring and the best way to check them is to use that keyring to validate via the web of trust. To make life easier for users, here are the fingerprints for the keys that have been used for releases in recent years:
Also be sure to make sure the fingerprint matches you can't just go by the sha sums in my opinion.
Re: How to verify ISO?
theblueplll wrote:Read this again carefully
Then go back to the link and get the keyring.To ensure that the checksums files themselves are correct, use GnuPG to verify them against the accompanying signature files (e.g. SHA512SUMS.sign). The keys used for these signatures are all in the Debian GPG keyring and the best way to check them is to use that keyring to validate via the web of trust. To make life easier for users, here are the fingerprints for the keys that have been used for releases in recent years:
Also be sure to make sure the fingerprint matches you can't just go by the sha sums in my opinion.
Thanks.
I'm trying to find out where I get the keyring. When I click the GPG keyring link, https://keyring.debian.org/ there doesn't appear to be keys listed. The closest I can see (remembering I've not used Debian before) is under "Fetch A Key" . . .
So, again, perhaps I'm missing something, but where do I find the key ID?Fetch a key
Once you know the key's ID, just ask the server for it:
$ gpg --keyserver keyring.debian.org --recv-keys 0x673A03E4C1DB921F
-
- Posts: 154
- Joined: 2019-04-29 01:17
- Been thanked: 2 times
Re: How to verify ISO?
I remember trying to figure this out the first time also and it was because I didn't realize the keys where right in front of me LoL.Nic_bne wrote:. . .
So, again, perhaps I'm missing something, but where do I find the key ID?Fetch a key
Once you know the key's ID, just ask the server for it:
$ gpg --keyserver keyring.debian.org --recv-keys 0x673A03E4C1DB921F
Also they don't make it very clear on what to do they just say download the keyring, heres the fingerprints now go verify it.(unless all this time I have been missing something)
Type this into your terminal exactly how it is.
Code: Select all
gpg --keyserver keyring.debian.org --recv-keys 0x673A03E4C1DB921F
The output should say something like this
I imagine it says unchanged for me because I already have it and it hasn't been changed since I got it.pg: key 673A03E4C1DB921F: 378 signatures not checked due to missing keys
gpg: key 673A03E4C1DB921F: "Gunnar Eyal Wolf Iszaevich <gwolf@debian.org>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
You also could possibly get out put that says the key is good but something like
Which is usually fine it just means fro mmy understanding that your gpg doesn't recognize the key because it hasn't seen it before(something like that I think)no ultimately trusted keys where found
And the rest Ican't seem to find how to do it with GPG which in my opinion would be ther better option.
However if you jsut want to check the SHASUMS
I bet you missed the link on the download page (just like I did the first time)right above the dvd image that says 512 or 256.sign or sums.
That is the file you want to compare against the iso you have.
Is the link you want.
I suggest using the script they are talking about it makes it easy.
Unless someone comes by and corrects me because it is outdated or something idk I use it and it works.
You need to be in the same directory that you downloaded them to.
Code: Select all
./check_debian_iso.sh SHA512SUMS <nameofISO>
Code: Select all
./check_debian_iso.sh SHA512SUMS debian-10.0.0-amd64-DVD-1.iso
This is the output it just gave me(I needed a new iso anyway the one i had is from before the release.
Says that it matches.SHA512SUMS debian-10.0.0-amd64-DVD-1.iso
Piping 1875968 blocks of 'debian-10.0.0-amd64-DVD-1.iso' through 'sha512sum'
to verify checksum list item 'debian-10.0.0-amd64-DVD-1.iso'.
1875968+0 records in
1875968+0 records out
3841982464 bytes (3.8 GB, 3.6 GiB) copied, 69.3563 s, 55.4 MB/s
Ok: 'debian-10.0.0-amd64-DVD-1.iso' matches 'debian-10.0.0-amd64-DVD-1.iso' in 'SHA512SUMS'
Re: How to verify ISO?
Thanks again for your help. I appreciate it!
I did miss the links you mentioned, and I'm happy to report all verified.
Now comes the fun part of seeing if Buster will run on my machine without too many issues.
Thanks again
I did miss the links you mentioned, and I'm happy to report all verified.
Now comes the fun part of seeing if Buster will run on my machine without too many issues.
Thanks again
-
- Posts: 154
- Joined: 2019-04-29 01:17
- Been thanked: 2 times
Re: How to verify ISO?
Not a problem like I said this was something that had me stumped the first time I installed Debian and it wasn't fun to figure out on my own.Nic_bne wrote:Thanks again for your help. I appreciate it!
I did miss the links you mentioned, and I'm happy to report all verified.
Now comes the fun part of seeing if Buster will run on my machine without too many issues.
Thanks again
Besides you weren't just asking for someone to tell you the answer you were at least trying to figure it out.