Missing signature for cloud image checksum file

Cam Eliot
Posts: 6
Joined: 2021-05-03 13:21

Missing signature for cloud image checksum file

#1 Post by Cam Eliot »

I am trying to verify the authenticity of the cloud image checksum files, but there seems to be no SHA512SUMS.sign file:

https://cloud.debian.org/images/cloud/bookworm/latest/

The conventional CD image directory seems to have one though:

https://cdimage.debian.org/debian-cd/cu ... 64/iso-cd/

Should there be a signature file for SHA512SUMS in the first directory? Or is there another way to verify its authenticity?

fabien
Forum Helper
Posts: 1158
Joined: 2019-12-03 12:51
Location: Anarres (Toulouse, France actually)
Has thanked: 101 times
Been thanked: 265 times

Re: Missing signature for cloud image checksum file

#2 Post by fabien »

https://cloud.debian.org/images/cloud/ says:
How can I verify my download is correct and exactly what has been created by Debian?

For the current official images (in the per-distribution directories), the safest method is to download the image and checksum files over TLS from cloud.debian.org or cdimage.debian.org. These names support DNSSEC, so a validating resolver can ensure that a client is connected to a Debian host. And TLS ensures that the data is not manipulated in flight.

The legacy OpenStack images (in the OpenStack/ directory) provide checksums and signatures. See SHA512SUMS.sign, etc. For more information about the verification steps, read the verification guide

If you're interested in contributing checksum signatures for the current images, please reach us on the list: debian-cloud at lists.debian.org.
There will be neither barrier nor walls, neither official nor guard, there will be no more desert and the entire world will become a garden. — Anacharsis Cloots
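
The method quoted in post #2 (fetch the image and SHA512SUMS over TLS, then compare digests), sketched as an added example that is not part of the thread or Debian's own tooling. The function names fetch_over_tls and verify_image are illustrative, the image file name is supplied by the caller, and DNSSEC validation is assumed to be done by the system resolver.

```shell
#!/bin/sh
# Added example. Usage (IMAGE_FILE is a placeholder for the image you want):
#   base=https://cloud.debian.org/images/cloud/bookworm/latest/
#   fetch_over_tls "$base" SHA512SUMS && fetch_over_tls "$base" IMAGE_FILE
#   verify_image SHA512SUMS IMAGE_FILE

# Download FILE from BASE_URL, refusing plain HTTP for the request
# and for any redirect it follows.
fetch_over_tls() (
    base=$1
    file=$2
    curl --fail --silent --show-error --location \
         --proto '=https' --proto-redir '=https' --tlsv1.2 \
         --output "$file" "${base%/}/$file"
)

# Succeed only if SUMS lists IMAGE's basename exactly once, with a
# well-formed SHA-512 digest that matches the file on disk.
verify_image() (
    sums=$1
    image=$2
    [ -r "$sums" ] && [ -r "$image" ] || { echo "unreadable input" >&2; exit 2; }
    name=$(basename -- "$image")
    # Line layout: 128 hex digits, a space, a space or "*", then the name.
    expected=$(NAME=$name awk '
        length($0) > 130 && substr($0, 129, 2) ~ /^ [ *]$/ &&
        substr($0, 131) == ENVIRON["NAME"] {
            n++; d = tolower(substr($0, 1, 128))
        }
        END { if (n == 1 && d ~ /^[0-9a-f]+$/) print d }' "$sums")
    # A missing, duplicated or malformed entry is a failure, never a pass.
    [ -n "$expected" ] || { echo "no unique valid entry for $name" >&2; exit 1; }
    actual=$(sha512sum < "$image")
    actual=${actual%% *}
    if [ "$actual" = "$expected" ]; then
        echo "$name: OK"
    else
        echo "$name: digest mismatch" >&2
        exit 1
    fi
)
```

The comparison only proves the image matches the checksum file; the trust in that file comes from the TLS connection it was fetched over, since no signature exists for it.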

Cam Eliot
Posts: 6
Joined: 2021-05-03 13:21

Re: Missing signature for cloud image checksum file

#3 Post by Cam Eliot »

I had assumed that checksum file signatures were an important piece of the verification process but it would appear the cloud images do not have them at the moment. Thank you for pointing me towards the right info.
