LinuxQuestions.org
Old 02-19-2009, 01:54 PM   #1
kushalkoolwal
Senior Member
 
Registered: Feb 2004
Location: Middle of nowhere
Distribution: Debian Squeeze
Posts: 1,249

Rep: Reputation: 48
How to make use of MD5SUMS.sign file on Debian ISO downloads


Hi,

I know how to use the MD5SUMS file to verify the integrity of an ISO download. However, I am not sure how to use the MD5SUMS.sign file that accompanies the MD5SUMS file.

Here is a good example: http://cdimage.debian.org/debian-cd/5.0.0/i386/iso-cd/
 
Old 02-19-2009, 02:12 PM   #2
armandrix
Member
 
Registered: Nov 2005
Location: Brazil
Distribution: slackware64 -current
Posts: 46

Rep: Reputation: 18
Hi,

Md5sum hash files contain a byte-by-byte generated number, with which you can check if at least 1 byte has changed. Useful to detect download errors or any modification of the original file. If the numbers match, the file is identical.

The md5.sign you are referring to is also a check for the digital signature of the publisher, which is a file too, and it is important that it is unchanged.

You can read more about it here http://www.gnupg.org/

cheers
 
Old 02-19-2009, 02:15 PM   #3
kushalkoolwal
Senior Member
 
Registered: Feb 2004
Location: Middle of nowhere
Distribution: Debian Squeeze
Posts: 1,249

Original Poster
Rep: Reputation: 48
Quote:
Originally Posted by armandrix View Post
The md5.sign you are referring to is also a check for the digital signature of the publisher, which is a file too, and it is important that it is unchanged.
Thanks for your time. However my question was how do I use that ".sign" file?
 
Old 02-19-2009, 02:43 PM   #4
armandrix
Member
 
Registered: Nov 2005
Location: Brazil
Distribution: slackware64 -current
Posts: 46

Rep: Reputation: 18
Hi..

You use this when installing stuff from many package managers; also you can use "gpg --verify". Here is a little from the man page:
Quote:
--verify
Assume that the first argument is a signed file or a detached signature and verify it without generating any
output. With no arguments, the signature packet is read from stdin. If only a sigfile is given, it may be a
complete signature or a detached signature, in which case the signed stuff is expected in a file without the
".sig" or ".asc" extension. With more than 1 argument, the first should be a detached signature and the
remaining files are the signed stuff. To read the signed stuff from stdin, use '-' as the second filename.
For security reasons a detached signature cannot read the signed material from stdin without denoting it in
the above way.
Hope it helps
 
Old 02-19-2009, 08:34 PM   #5
kushalkoolwal
Senior Member
 
Registered: Feb 2004
Location: Middle of nowhere
Distribution: Debian Squeeze
Posts: 1,249

Original Poster
Rep: Reputation: 48
Quote:
Originally Posted by armandrix View Post
Hi..

You use this when installing stuff from many package managers; also you can use "gpg --verify". Here is a little from the man page:

Hope it helps
Ok here is what I did:
Code:
debian:/mnt/temp# gpg --verify MD5SUMS.sign 
gpg: Signature made Sat 14 Feb 2009 11:51:23 PM PST using DSA key ID 88C7C1F7
gpg: Can't check signature: public key not found
debian:/mnt/temp#
Not sure what is happening here. I understand that the sign file MD5SUMS.sign exists so that we can verify that the file MD5SUMS was generated by the person who actually did generate it. Not sure what step I am missing?
 
Old 02-19-2009, 09:05 PM   #6
kushalkoolwal
Senior Member
 
Registered: Feb 2004
Location: Middle of nowhere
Distribution: Debian Squeeze
Posts: 1,249

Original Poster
Rep: Reputation: 48
Ok, I think I got it now!

Thank you.
 
Old 02-20-2009, 05:24 AM   #7
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 52
Probably the public key is in the package debian-archive-keyring, which looks like it is installed by default. So it has worked?
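
The whole check the thread is working toward, as an added example that is not part of any poster's message: verify MD5SUMS.sign as a detached signature over MD5SUMS, require a specific signer, and only then trust the checksum for the ISO. The function name `verify_iso`, the `GPG` variable and the fingerprint argument are assumptions of this sketch; the fingerprint is a placeholder to be taken from a trusted source, and the key is assumed to be imported already.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes MD5SUMS, MD5SUMS.sign and the
# ISO are in one directory and the signing key was imported beforehand.
GPG="${GPG:-gpg}"

# verify_iso DIR ISO EXPECTED_FPR   (fingerprint: 40 uppercase hex, no spaces)
#   0 = signature valid, made by EXPECTED_FPR, and ISO matches MD5SUMS
#   2 = public key missing   3 = no valid signature   4 = unexpected signer
#   5 = ISO not listed in MD5SUMS or its checksum differs
verify_iso() {
    dir=$1 iso=$2 want_fpr=$3
    # Detached signature first, signed file second. --status-fd 1 prints
    # machine-readable "[GNUPG:]" lines instead of text meant for humans.
    status=$("$GPG" --batch --status-fd 1 --verify \
        "$dir/MD5SUMS.sign" "$dir/MD5SUMS" 2>/dev/null) || true

    # NO_PUBKEY is the "Can't check signature: public key not found" case.
    if printf '%s\n' "$status" | grep -q '^\[GNUPG:\] NO_PUBKEY '; then
        echo "signing key is not in the keyring" >&2; return 2
    fi
    if ! printf '%s\n' "$status" | grep -q '^\[GNUPG:\] VALIDSIG '; then
        echo "MD5SUMS.sign is not a valid signature of MD5SUMS" >&2; return 3
    fi
    # A good signature from just any key in the keyring proves nothing:
    # require the signing key ($3) or its primary key ($NF) to be the one
    # whose fingerprint was obtained from a trusted source.
    if ! printf '%s\n' "$status" | awk -v w="$want_fpr" \
        '$2 == "VALIDSIG" && ($3 == w || $NF == w) { ok = 1 } END { exit !ok }'
    then
        echo "signed by a key other than $want_fpr" >&2; return 4
    fi

    # MD5SUMS is now authenticated, so its entry for the ISO can be trusted.
    want_md5=$(awk -v f="$iso" \
        '{ n = $2; sub(/^\*/, "", n) } n == f { print $1; exit }' "$dir/MD5SUMS")
    got_md5=$(md5sum < "$dir/$iso" | awk '{ print $1 }')
    if [ -z "$want_md5" ] || [ "$want_md5" != "$got_md5" ]; then
        echo "$iso does not match MD5SUMS" >&2; return 5
    fi
    echo "$iso: signature and checksum OK"
}

# Usage (placeholders, not real values):
# verify_iso /mnt/temp <image>.iso <40-HEX-DIGIT-FINGERPRINT>
```

Return code 2 corresponds to the output in post #5: the signature cannot be checked until the publisher's public key is in the keyring.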
 
  

