08-07-2016, 08:21 AM   #1
Can't find all necessary official debian websites to verify iso

Can't Complete *.iso verification

I am trying to verify a debian iso. I would like to have an official hkp address so that I can verify debian 8.5 lxde amdx64 file authenticity and integrity. I have succeeded with the address, but this is not an official debian url. Specifically I am executing the following commands from terminal:
   gpg --keyserver --recv-keys 0x6294BE9B
   gpg: requesting key 6294BE9B from hkp server
   gpg: key 6294BE9B: public key "Debian CD signing key <>" imported
   gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
   gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
   gpg: Total number processed: 1
   gpg:               imported: 1  (RSA: 1)
Notice how this fails with 1) and 2) :
Fail msg 1)
$  gpg --keyserver --recv-keys 0x6294BE9B
   gpg: requesting key 6294BE9B from https server
   gpgkeys: protocol 'https' not supported
   gpg: no handler for keyserver scheme 'https'
   gpg: keyserver receive failed: keyserver error
Fail msg 2)
$  gpg --keyserver --recv-keys 0x6294BE9B
   gpg: requesting key 6294BE9B from hkp server
   Network is unreachable
   gpgkeys: HTTP fetch error 7: could not connect: Network is unreachable
   gpg: no valid OpenPGP data found.
   gpg: Total number processed: 0
I am implementing the Verify ISO tutorial procedure found

Procedure outline:
A) Download SHA256SUMS and SHA256SUMS.gpg from

B) Get the key
. 1) Display what key was used to issue the signature
$  gpg --verify SHA256SUMS.sign SHA256SUMS
. 2) Obtain the public key from the Ubuntu key server
To add the wanted key automatically to your keyring from the Ubuntu keyserver and calculate its trust:
	$  gpg --keyserver --recv-keys 0x6294BE9B
. 3) Verify the key fingerprints:
	$  gpg --list-keys --with-fingerprint 0x6294BE9B
C) Verify the signature
	$  gpg --verify SHA256SUMS.sign SHA256SUMS
D) Check the ISO
	$  sha256sum -c <(grep debian-live-8.5.0-amd64-lxde-desktop.iso SHA256SUMS)
. This step really seems pointless. I have already checked the man pages for sha256sum and even commonly use the grep command, but I still am not clear what the hell this command is doing! More specifically, it can only be logical to have a command "cmd1" that checks two things against each other, thus commands should look like
cmd1 -option original new
or like the above two gpg commands
	$  gpg --list-keys --with-fingerprint 0x6294BE9B
	$  gpg --verify SHA256SUMS.sign SHA256SUMS
	<  gpg   (option) file1 file2  >
But the above "sha256sum -c <(grep..." line makes no sense since it is never specified what file it is checking the first checksum (debian-live-8.5.0-amd64-lxde-desktop.iso) against. It is just like an incomplete sentence. I really need help understanding sha256sum syntax and just what processes sha256sum is actually doing.

E) Burn iso to media
F) Check media drive still has same (
	$  sudo fdisk -l                    (lookup location of burnt iso media)
	$  sudo sha256sum /dev/sdc1
Does Debian even have its own hkp website? Does anyone have a better way of verifying *.iso files?

Last edited by andrew.comly; 08-07-2016 at 06:47 PM. Reason: clarity
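
What the `sha256sum -c` line in step D does, as an added example that is not part of the original posts: each line of SHA256SUMS has the form `<hash>  <filename>`, so the file being checked is the one named on the line that grep selects. The stand-in file, scratch directory and function names are constructed for this demo, and a pipe replaces the bash-only `<(...)` form so it runs in any POSIX shell.

```shell
#!/bin/sh
# Constructed demo: a tiny stand-in file plays the role of the ISO.
ISO=debian-live-8.5.0-amd64-lxde-desktop.iso

make_demo() {
    # Scratch directory with the stand-in "ISO" and a SHA256SUMS that
    # lists it next to another (absent) image, as a real list would.
    dir=$(mktemp -d) || return 1
    printf 'constructed stand-in for the ISO contents\n' > "$dir/$ISO"
    ( cd "$dir" &&
      sha256sum "$ISO" > SHA256SUMS &&
      printf '%064d  other-image.iso\n' 0 >> SHA256SUMS )
    printf '%s\n' "$dir"
}

check_iso() {
    # $1 = directory holding SHA256SUMS and the ISO.
    # grep keeps only the "<hash>  <filename>" line for our ISO.
    # sha256sum -c reads that line, opens the file named on it,
    # rehashes the file and compares the result with the listed hash.
    # Same as: sha256sum -c <(grep "$ISO" SHA256SUMS)   (bash only)
    ( cd "$1" &&
      grep -F "$ISO" SHA256SUMS | sha256sum -c - >/dev/null 2>&1 )
}

check_iso_by_hand() {
    # The same comparison with both operands spelled out.
    ( cd "$1" &&
      expected=$(grep -F "$ISO" SHA256SUMS | cut -d' ' -f1) &&
      actual=$(sha256sum "$ISO" | cut -d' ' -f1) &&
      [ -n "$expected" ] && [ "$expected" = "$actual" ] )
}

# Stand-alone run: intact file passes, modified file fails.
demo=$(make_demo)
check_iso "$demo" && echo "intact file: OK"
echo 'one extra line' >> "$demo/$ISO"
check_iso "$demo" || echo "modified file: FAILED, as expected"
rm -rf "$demo"
```

The result is only as trustworthy as SHA256SUMS itself, which is why the procedure runs `gpg --verify` on that file before this step.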
08-07-2016, 01:38 PM   #2
I found
and it shows:
$ gpg --keyserver --recv 6294BE9B
Edit: Mon Aug 08, 2016 - 12:52:45 PM EDT
Today I got from that url below:
gpg --keyserver hkp:// --recv 6294BE9B
and this too worked.

So, the URI is hkp://resource.server.tld

See if that helps.

Is this "you"?

Last edited by Habitual; 08-08-2016 at 11:53 AM.
1 members found this post helpful.


checksum, gpg, iso, key, verify
