
URL: https://linuxconfig.org/how-to-verify-an-authenticity-of-downloaded-debian-iso-images

Verify Debian ISO Image Authenticity

There are two steps to verify the authenticity of Debian ISO images downloaded from Debian mirrors:

  1. First, verify the checksum of the CD image content against the relevant checksum file, whether that is MD5SUMS or SHA512SUMS.
  2. Second, verify that the checksum files themselves carry a correct signature, using the accompanying signature files MD5SUMS.sign or SHA512SUMS.sign.

To get started, download all relevant files, including the desired ISO image, into a single directory from your preferred Debian mirror. In this case we will validate the authenticity of the Debian net install CD image:

$ ls
MD5SUMS MD5SUMS.sign SHA512SUMS SHA512SUMS.sign debian-8.0.0-arm64-netinst.iso

The task at hand is to verify the authenticity of the included net install CD image debian-8.0.0-arm64-netinst.iso.

Verify CD image content

To detect any tampering with the CD image content, we generate a checksum locally and match it against the checksums provided by the MD5SUMS and SHA512SUMS files downloaded from the Debian mirror. Just for completeness we use both methods, MD5SUMS and SHA512SUMS.

MD5SUMS:
$ md5sum -c MD5SUMS 2> /dev/null | grep netinst
debian-8.0.0-arm64-netinst.iso: OK

SHA512SUMS:
$ sha512sum -c SHA512SUMS 2> /dev/null | grep netinst
debian-8.0.0-arm64-netinst.iso: OK

Check for a correct signature

So far all looks good. Next, we need to verify the authenticity of the MD5SUMS and SHA512SUMS checksum files themselves, which we used to verify the content of our Debian ISO image. For this we use the gpg (GNU Privacy Guard) command. First, we need to identify and obtain the public key of the person who signed our checksum files; running gpg --verify before the key is available reveals its ID:

$ gpg --verify MD5SUMS.sign
gpg: assuming signed data in `MD5SUMS'
gpg: Signature made Sat Apr 25 23:44:18 2015 UTC using RSA key ID 6294BE9B
gpg: Can't check signature: public key not found
$ gpg --verify SHA512SUMS.sign
gpg: assuming signed data in `SHA512SUMS'
gpg: Signature made Sat Apr 25 23:44:18 2015 UTC using RSA key ID 6294BE9B
gpg: Can't check signature: public key not found

The public key with ID 6294BE9B is currently not available on our system, so we need to download it first, directly from the Debian keyring server:

$ gpg --keyserver keyring.debian.org --recv 6294BE9B
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: requesting key 6294BE9B from hkp server keyring.debian.org
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 6294BE9B: public key "Debian CD signing key 

At this point we are in a position to verify the signature of both checksum files:

$ gpg --verify MD5SUMS.sign MD5SUMS
gpg: Signature made Sat Apr 25 23:44:18 2015 UTC using RSA key ID 6294BE9B
gpg: Good signature from "Debian CD signing key 

The message gpg: Good signature from "Debian CD signing key confirms that the Debian CD image belongs to whom it claims to belong. To conclude, let's try a simple tampering test: change a single character within the MD5SUMS file using the vim editor and verify the signature again:

$ vi MD5SUMS
$ gpg --verify MD5SUMS.sign MD5SUMS
gpg: Signature made Sat Apr 25 23:44:18 2015 UTC using RSA key ID 6294BE9B
gpg: BAD signature from "Debian CD signing key
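The shell functions below are an added example, not part of the original article, that script the two-step check above so that each step yields a real exit status. The pipelines used above have two blind spots: `sha512sum -c SHA512SUMS 2> /dev/null | grep netinst` exits 0 whenever grep matches a line containing "netinst", whether that line says OK or FAILED, and the `2> /dev/null` also hides errors such as a missing file; likewise a human-readable "Good signature" says only that some key in the local keyring made the signature, not that it was the Debian CD signing key. `verify_checksum` looks up one image in a SHA512SUMS-style list and compares the locally computed digest; `verify_signature` reads gpg's machine-readable `--status-fd` lines and accepts the signature only if the VALIDSIG fingerprint equals the one you expect, so a key fetched by short ID is not trusted blindly. The function names, the `debian-example-*` file names and the sample "images" are constructed here for the demo (`make_fixture`), and the fingerprint argument is a placeholder to be replaced with the fingerprint the Debian project publishes for its CD signing key.

```sh
#!/bin/sh
# Added example (not from the original article): verify one downloaded image
# against a SHA512SUMS-style list and a detached GnuPG signature, returning
# real exit codes instead of grepping human-readable output.
# Assumes POSIX sh, coreutils sha512sum and, for the signature step, gpg.

# verify_checksum SUMS_FILE IMAGE
# Exit 0 only if SUMS_FILE has exactly one entry for IMAGE and the local
# digest matches it. Images listed in SUMS_FILE but not downloaded are simply
# not consulted; a missing or altered IMAGE is reported as FAILED.
verify_checksum() {
    sums_file=$1
    image=$2
    image_name=$(basename "$image")
    # Entries look like "<hex>  <name>" (binary mode writes "<hex> *<name>").
    matches=$(awk -v n="$image_name" \
        '{ f = $2; sub(/^\*/, "", f); if (f == n) print $1 }' "$sums_file")
    count=$(printf '%s\n' "$matches" | awk 'NF { n++ } END { print n + 0 }')
    case $count in
        1) ;;
        0) echo "$image_name: no entry in $sums_file" >&2; return 2 ;;
        *) echo "$image_name: multiple entries in $sums_file" >&2; return 2 ;;
    esac
    actual=$(sha512sum "$image" 2>/dev/null | awk '{ print $1 }')
    if [ -n "$actual" ] && [ "$actual" = "$matches" ]; then
        echo "$image_name: OK"
        return 0
    fi
    echo "$image_name: FAILED" >&2
    return 1
}

# verify_signature SIG_FILE DATA_FILE EXPECTED_FINGERPRINT
# gpg's status lines include "[GNUPG:] VALIDSIG <fingerprint> ..."; require
# that fingerprint to match the one published by the project, not just any
# key that happens to be in the keyring.
verify_signature() {
    sig=$1
    data=$2
    want_fpr=$3
    status=$(gpg --status-fd 1 --verify "$sig" "$data" 2>/dev/null) || return 1
    got_fpr=$(printf '%s\n' "$status" |
        awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; exit }')
    [ -n "$got_fpr" ] && [ "$got_fpr" = "$want_fpr" ]
}

# make_fixture DIR: constructed demo data standing in for a mirror download.
# As on the real mirror, the checksum list covers more images than were fetched.
make_fixture() {
    dir=$1
    mkdir -p "$dir"
    printf 'constructed netinst image content\n' > "$dir/debian-example-netinst.iso"
    printf 'constructed DVD image content\n' > "$dir/debian-example-DVD-1.iso"
    ( cd "$dir" && sha512sum debian-example-netinst.iso debian-example-DVD-1.iso > SHA512SUMS )
    rm "$dir/debian-example-DVD-1.iso"   # only the netinst image was "downloaded"
}

demo() {
    tmp=$(mktemp -d)
    make_fixture "$tmp"
    verify_checksum "$tmp/SHA512SUMS" "$tmp/debian-example-netinst.iso"
    # Tampering test, in the spirit of the article's edit to MD5SUMS: alter the image.
    printf 'tampered content\n' > "$tmp/debian-example-netinst.iso"
    verify_checksum "$tmp/SHA512SUMS" "$tmp/debian-example-netinst.iso" ||
        echo "tampering detected (exit status $?)"
    # On a real download, with the signing key imported, the second step is:
    #   verify_signature SHA512SUMS.sign SHA512SUMS "<FINGERPRINT PUBLISHED BY DEBIAN>"
    rm -rf "$tmp"
}

demo
```

Run the script as-is to see the OK result followed by the detected tampering; in a download directory, call `verify_checksum SHA512SUMS debian-8.0.0-arm64-netinst.iso` and then `verify_signature SHA512SUMS.sign SHA512SUMS <fingerprint>` and branch on their exit statuses rather than on grepped text.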