LinuxQuestions.org


andrew.comly 08-07-2016 08:21 AM

Can't find all necessary official debian websites to verify iso
 
Can't Complete *.iso verification

I am trying to verify a debian iso. I would like to have an official hkp address so that I can verify debian 8.5 lxde amd64 file authenticity and integrity. I have succeeded with the address eu.pool.sks-keyservers.net, but this is not an official debian url. Specifically I am executing the following commands from terminal:
Code:

  gpg --keyserver eu.pool.sks-keyservers.net --recv-keys 0x6294BE9B
  gpg: requesting key 6294BE9B from hkp server eu.pool.sks-keyservers.net
  gpg: key 6294BE9B: public key "Debian CD signing key <debian-cd@lists.debian.org>" imported
  gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
  gpg: depth: 0  valid:  1  signed:  0  trust: 0-, 0q, 0n, 0m, 0f, 1u
  gpg: Total number processed: 1
  gpg:              imported: 1  (RSA: 1)

Notice how this fails with 1) https://keyring.debian.org and 2) debian-cd@lists.debian.org :
Fail msg 1)
Code:

$  gpg --keyserver https://keyring.debian.org --recv-keys 0x6294BE9B
  gpg: requesting key 6294BE9B from https server keyring.debian.org
  gpgkeys: protocol 'https' not supported
  gpg: no handler for keyserver scheme 'https'
  gpg: keyserver receive failed: keyserver error

Fail msg 2)
Code:

$ gpg --keyserver debian-cd@lists.debian.org --recv-keys 0x6294BE9B
gpg: requesting key 6294BE9B from hkp server lists.debian.org
?: lists.debian.org: Network is unreachable
gpgkeys: HTTP fetch error 7: could not connect: Network is unreachable
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0

I am implementing the Verify ISO tutorial procedure found at https://help.ubuntu.com/community/VerifyIsoHowto.

Procedure outline:
A) Download SHA256SUMS and SHA256SUMS.gpg from http://cdimage.debian.org/debian-cd/...64/iso-hybrid/

B) Get the key
. 1) Display what key was used to issue the signature
Code:

$  gpg --verify SHA256SUMS.sign SHA256SUMS
. 2) Obtain the public key from the Ubuntu key server
To add the wanted key automatically to your keyring from the Ubuntu keyserver and calculate its trust:
Code:

        $  gpg --keyserver eu.pool.sks-keyservers.net --recv-keys 0x6294BE9B
. 3) Verify the key fingerprints:
Code:

        $  gpg --list-keys --with-fingerprint 0x6294BE9B
C) Verify the signature
Code:

        $  gpg --verify SHA256SUMS.sign SHA256SUMS
D) Check the ISO
Code:

        $  sha256sum -c <(grep debian-live-8.5.0-amd64-lxde-desktop.iso SHA256SUMS)
. This step really seems pointless. I have already checked the man pages for sha256sum and even commonly use the grep command, but I still am not clear what the hell this command is doing! More specifically, it can only be logical to have a command "cmd1" that checks two things against each other, thus commands should look like
Code:

cmd1 -option original new
or like the above two gpg commands
Code:

        $  gpg --list-keys --with-fingerprint 0x6294BE9B
        $  gpg --verify SHA256SUMS.sign SHA256SUMS
        <  gpg  (option) file1 file2  >

But the above "sha256sum -c <(grep..." line makes no sense since it is never specified what file it is checking the first checksum (debian-live-8.5.0-amd64-lxde-desktop.iso) against. It is just like an incomplete sentence. I really need help understanding sha256sum syntax and just what processes sha256sum is actually doing.


E) Burn iso to media
F) Check media drive still has same (https://help.ubuntu.com/community/HowToSHA256SUM)
Code:

        $  sudo fdisk -l                    # look up location of burnt iso media
        $  sudo sha256sum /dev/sdc1

Does Debian even have its own hkp website? Does anyone have a better way of verifying *.iso files?
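
What step D above does, shown as an added example that is not part of the original post: it runs the same check as `sha256sum -c <(grep ...)`, written with a pipe, against constructed stand-in files in a temporary directory. The function names check_iso and make_sample are hypothetical, and the file contents are made up for the demonstration.

```shell
#!/bin/sh
# Added example; file contents are constructed stand-ins, not real Debian images.

# check_iso SUMS_FILE ISO_NAME
# Every line of SUMS_FILE reads "<hex digest>  <file name>". With -c, sha256sum
# takes such lines as input, opens the file named on each line (relative to the
# current directory), hashes it and compares the result with the digest on that
# line. The file being checked is therefore named inside SHA256SUMS itself.
# grep only narrows the list to the image that was downloaded, so the other
# images in the list are not reported as missing.
check_iso() {
    # Subshell keeps the cd local. "-" makes sha256sum read the list from
    # stdin, the portable spelling of: sha256sum -c <(grep NAME SHA256SUMS)
    (
        cd "$(dirname "$1")" || exit 1
        grep -F -- "$2" "$(basename "$1")" | sha256sum -c -
    )
}

# make_sample: build a constructed download directory and print its path.
make_sample() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        printf 'constructed lxde bytes\n' > debian-live-8.5.0-amd64-lxde-desktop.iso
        printf 'constructed xfce bytes\n' > debian-live-8.5.0-amd64-xfce-desktop.iso
        sha256sum -- *.iso > SHA256SUMS
        rm debian-live-8.5.0-amd64-xfce-desktop.iso   # listed but never downloaded
    )
    printf '%s\n' "$dir"
}

# Demonstration. SHA256SUMS is assumed to have passed "gpg --verify" already;
# the digest comparison is only as trustworthy as that file.
sample=$(make_sample)
iso=debian-live-8.5.0-amd64-lxde-desktop.iso
check_iso "$sample/SHA256SUMS" "$iso" && echo "intact download accepted"
printf 'x' >> "$sample/$iso"                  # simulate a corrupted download
check_iso "$sample/SHA256SUMS" "$iso" || echo "modified download rejected"
check_iso "$sample/SHA256SUMS" not-listed.iso || echo "unlisted name rejected"
rm -rf "$sample"
```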

Habitual 08-07-2016 01:38 PM

I found https://linuxconfig.org/how-to-verif...rect-signature
and it shows:
Code:

$ gpg --keyserver keyring.debian.org --recv 6294BE9B
Edit: Mon Aug 08, 2016 - 12:52:45 PM EDT
Today I got from that url below:
Code:

gpg --keyserver hkp://keyring.debian.org --recv 6294BE9B
and this too worked.

So, the URI is hkp://resource.server.tld

See if that helps.

Is this "you"?

