confused about gpg checksum verification procedure for debian iso

JacekZ · 02-08-2014, 10:59 AM

I download three files (an iso, a checkusm and signature file) from
http://cdimage.debian.org/debian-cd/...64/iso-hybrid/
This location is not a https type so not as secure as I might wish.

I checksum the iso and it matches the downloaded entries but that does not prove the source.
I verify the iso with the signature:

Code:

gpg --verify SHA512SUMS.sign debian-live-7.2-amd64-xfce-desktop.iso

but that does not prove the source either.

I match the output

Code:

gpg: Signature made Mon 14 Oct 2013 05:05:31 BST using RSA key ID AD11CF6A

against https://www.debian.org/CD/verify
but that just verifies the end of the fingerprint, not the whole fingerprint.

So what more can I do to check things properly?

All my attempts to do more fail, like:

Code:

gpg --keyserver keyring.debian.org --recv-keys 0xAD11CF6A
gpg: requesting key AD11CF6A from hkp server keyring.debian.org
gpgkeys: key AD11CF6A not found on keyserver
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0

Thanks
Jacek

unSpawn · 02-08-2014, 11:57 AM

See http://pgp.mit.edu/pks/lookup?search...1CF6A&op=index which leads to http://pgp.mit.edu/pks/lookup?op=vin...0AD6B9AD11CF6A ?

JacekZ · 02-09-2014, 07:32 AM

Thanks unSpawn

Quote:

Originally Posted by unSpawn

See http://pgp.mit.edu/pks/lookup?search...1CF6A&op=index which leads to http://pgp.mit.edu/pks/lookup?op=vin...0AD6B9AD11CF6A ?

sorry if this is a bit basic but I don't quite follow. The links show that the ID AD11CF6A appears to belong to someone with an account at an American university?
Jacek

JacekZ · 02-09-2014, 09:11 AM

I've figured it out now (up to a point) so if anyone follows in my footsteps..
the error occurred because I was running the "--recv-keys" command from a terminal open on a subfolder where the downloaded files to be verified reside. It appears the command has to be run from your home directory.

So the procedure to check (verify) the downloads seems to be this:

Code:

cd '/download location'
gpg --verify-files SHA512SUMS.sign

(should give abbreviated ID to lookup on https://www.debian.org/CD/verify)
(add 0x to abbreviated ID)

Code:

cd ~
gpg --recv-keys 0xAD11CF6A
cd '/download location'
gpg --verify SHA512SUMS.sign SHA512SUMS
sha512sum debian-live-7.2-amd64-xfce-desktop.iso

(compare output to content of SHA512SUMS)

unSpawn · 02-11-2014, 01:13 AM

Quote:

Originally Posted by JacekZ

sorry if this is a bit basic but I don't quite follow. The links show that the ID AD11CF6A appears to belong to someone with an account at an American university?

The only thing I was pointing at was a way to find the key, not determine the state of it or its owner.