Debian User Forums

[Nic_bne]

Hi everyone,

I'm currently running Linux Mint as my OS and with the release last week of Debian 10, I thought I'd take a serious look at running "Buster" on my main laptop as my only OS. (I've never used Debian prior).

So, I've downloaded the live amd64 standard iso (hoping that is the one that gives me the option of testing the different DEs). I also saved the 256 and 512 SUMS and SUMS sign files to verify and authenticate the download. I clicked the verification guide link, and was redirected to this page . . . https://www.debian.org/CD/verify

And, I'm not sure I understand everything on that page, so I checked this forum to find out how to verify the ISO .

I found this thread, viewtopic.php?f=17&t=142710, and copied the code for the 512 SUM:

(gpg --verify SHA512SUMS.sign SHA512SUMS)

And, this is the what I get:

gpg: can't open `SHA512SUMS.sign'
gpg: verify signatures failed: file open error

So, can someone please help explain how to verify and authenticate the ISO I downloaded?

Thanks.

[theblueplll]

Read this again carefully

To ensure that the checksums files themselves are correct, use GnuPG to verify them against the accompanying signature files (e.g. SHA512SUMS.sign). The keys used for these signatures are all in the Debian GPG keyring and the best way to check them is to use that keyring to validate via the web of trust. To make life easier for users, here are the fingerprints for the keys that have been used for releases in recent years:

Then go back to the link and get the keyring.
Also be sure to make sure the fingerprint matches you can't just go by the sha sums in my opinion.

[Nic_bne]

Read this again carefully

To ensure that the checksums files themselves are correct, use GnuPG to verify them against the accompanying signature files (e.g. SHA512SUMS.sign). The keys used for these signatures are all in the Debian GPG keyring and the best way to check them is to use that keyring to validate via the web of trust. To make life easier for users, here are the fingerprints for the keys that have been used for releases in recent years:

Then go back to the link and get the keyring.
Also be sure to make sure the fingerprint matches you can't just go by the sha sums in my opinion.

Thanks.

I'm trying to find out where I get the keyring. When I click the GPG keyring link, https://keyring.debian.org/ there doesn't appear to be keys listed. The closest I can see (remembering I've not used Debian before) is under "Fetch A Key" . . .

Fetch a key
Once you know the key's ID, just ask the server for it:
$ gpg --keyserver keyring.debian.org --recv-keys 0x673A03E4C1DB921F

So, again, perhaps I'm missing something, but where do I find the key ID?

[theblueplll]

. . .

Fetch a key
Once you know the key's ID, just ask the server for it:
$ gpg --keyserver keyring.debian.org --recv-keys 0x673A03E4C1DB921F

So, again, perhaps I'm missing something, but where do I find the key ID?

I remember trying to figure this out the first time also and it was because I didn't realize the keys where right in front of me LoL.
Also they don't make it very clear on what to do they just say download the keyring, heres the fingerprints now go verify it.(unless all this time I have been missing something)

Type this into your terminal exactly how it is.

Code: Select all

gpg --keyserver keyring.debian.org --recv-keys 0x673A03E4C1DB921F

The output should say something like this

pg: key 673A03E4C1DB921F: 378 signatures not checked due to missing keys
gpg: key 673A03E4C1DB921F: "Gunnar Eyal Wolf Iszaevich <gwolf@debian.org>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1

I imagine it says unchanged for me because I already have it and it hasn't been changed since I got it.
You also could possibly get out put that says the key is good but something like

no ultimately trusted keys where found

Which is usually fine it just means fro mmy understanding that your gpg doesn't recognize the key because it hasn't seen it before(something like that I think)

And the rest Ican't seem to find how to do it with GPG which in my opinion would be ther better option.

However if you jsut want to check the SHASUMS

I bet you missed the link on the download page (just like I did the first time)right above the dvd image that says 512 or 256.sign or sums.
That is the file you want to compare against the iso you have.

https://www.debian.org/CD/faq/#verify

Is the link you want.

I suggest using the script they are talking about it makes it easy.
Unless someone comes by and corrects me because it is outdated or something idk I use it and it works.

You need to be in the same directory that you downloaded them to.

Code: Select all

./check_debian_iso.sh SHA512SUMS <nameofISO>

So mine was

Code: Select all

./check_debian_iso.sh SHA512SUMS debian-10.0.0-amd64-DVD-1.iso

This is the output it just gave me(I needed a new iso anyway the one i had is from before the release.

SHA512SUMS debian-10.0.0-amd64-DVD-1.iso
Piping 1875968 blocks of 'debian-10.0.0-amd64-DVD-1.iso' through 'sha512sum'
to verify checksum list item 'debian-10.0.0-amd64-DVD-1.iso'.
1875968+0 records in
1875968+0 records out
3841982464 bytes (3.8 GB, 3.6 GiB) copied, 69.3563 s, 55.4 MB/s
Ok: 'debian-10.0.0-amd64-DVD-1.iso' matches 'debian-10.0.0-amd64-DVD-1.iso' in 'SHA512SUMS'

Says that it matches.

[Nic_bne]

Thanks again for your help. I appreciate it!

I did miss the links you mentioned, and I'm happy to report all verified.

Now comes the fun part of seeing if Buster will run on my machine without too many issues.

Thanks again

[theblueplll]

Thanks again for your help. I appreciate it!

I did miss the links you mentioned, and I'm happy to report all verified.

Now comes the fun part of seeing if Buster will run on my machine without too many issues.

Thanks again

Not a problem like I said this was something that had me stumped the first time I installed Debian and it wasn't fun to figure out on my own.

Besides you weren't just asking for someone to tell you the answer you were at least trying to figure it out.