I am an individual user and would like to verify a debian iso. I would like to have an official hkp address so that I can verify debian 8..5 lxde amdx64 file authenticity and integrity. I have succeeded with the address eu.pool.sks-keyservers.net, but this is not an official debian url. Specifically I am executing the following commands from terminal:
Code:
gpg --keyserver eu.pool.sks-keyservers.net --recv-keys 0x6294BE9B
gpg: requesting key 6294BE9B from hkp server eu.pool.sks-keyservers.net
gpg: key 6294BE9B: public key "Debian CD signing key <debian-cd@lists.debian.org>" imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
Notice how this fails with 1)
https://keyring.debian.org and 2)
debian-cd@lists.debian.org :
Fail msg 1)
Code:
$ gpg --keyserver https://keyring.debian.org --recv-keys 0x6294BE9B
gpg: requesting key 6294BE9B from https server keyring.debian.org
gpgkeys: protocol 'https' not supported
gpg: no handler for keyserver scheme 'https'
gpg: keyserver receive failed: keyserver error
Fail msg 2)
Code:
#$ gpg --keyserver debian-cd@lists.debian.org --recv-keys 0x6294BE9Bgpg: requesting key 6294BE9B from hkp server lists.debian.org?: lists.debian.org: Network is unreachablegpgkeys: HTTP fetch error 7: couldn't connect: Network is unreachablegpg: no valid OpenPGP data found.gpg: Total number processed: 0
I am implementing the Verify ISO tutorial procedure found
https://help.ubuntu.com/community/VerifyIsoHowto.
Procedure outline:
A) Download SHA256SUMS and SHA256SUMS.gpg from
http://cdimage.debian.org/debian-cd/...64/iso-hybrid/
B) Get the key
1) Display what key was used to issue the signature
Code:
$ gpg --verify SHA256SUMS.sign SHA256SUMS
2) Obtain the public key from the Ubuntu key server
To add the wanted key automatically to your keyring from the Ubuntu keyserver and calculate its trust:
Code:
$ gpg --keyserver gpg --keyserver eu.pool.sks-keyservers.net --recv-keys 0x6294BE9B
3) Verify the key fingerprints:
Code:
$ gpg --list-keys --with-fingerprint 0x6294BE9B
C) Verify the signature
Code:
$ gpg --verify SHA256SUMS.sign SHA256SUMS
D) Check the ISO
Code:
$ sha256sum -c <(grep debian-live-8.5.0-amd64-lxde-desktop.iso SHA256SUMS)
E) Burn iso to media
F) Check media drive still has same (
https://help.ubuntu.com/community/HowToSHA256SUM)
Code:
$ sudo fdisk -l (lookup location of burnt iso media)
$ sudo sha256sum /dev/sdc1
#Does Debian even have its own hkp website? Does anyone have a better way of verifying *.iso files?
