msnodderly · August 1, 2012 21:30
diff --git a/gpg-verify-iso.txt b/gpg-verify-iso.txt
 HOWTO: Verify Debian ISO Downloads (from OS X)


 - Download the required ISO from http://www.debian.org/CD/. Also download the SHA512SUMS and SHA512SUMS.sign files. (of course MD5SUM etc. work fine, but as long as we're being paranoid, we might as well go all the way)

 - Install GPGTools if needed https://www.gpgtools.org/


 - Verify the signature on SHA512SUMS

 You should see something like this the first time you run gpg --verify: 

  $ gpg --verify SHA512SUMS.sign 
  gpg: Signature made Sun May 13 05:01:57 2012 PDT using RSA key ID 6294BE9B
  gpg: requesting key 6294BE9B from hkp server keys.gnupg.net
  gpg: key 6294BE9B: public key "Debian CD signing key <[email protected]>" imported
  gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
  gpg: depth: 0  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 2u
  gpg: next trustdb check due at 2015-08-18
  gpg: Total number processed: 1
  gpg:               imported: 1  (RSA: 1)
  gpg: Good signature from "Debian CD signing key <[email protected]>"
  gpg: WARNING: This key is not certified with a trusted signature!
  gpg:          There is no indication that the signature belongs to the owner.
  Primary key fingerprint: DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B

 Subsequent runs will look something like this:

  $ gpg --verify SHA512SUMS.sign 
  gpg: Signature made Sun May 13 05:01:57 2012 PDT using RSA key ID 6294BE9B 
  gpg: Good signature from "Debian CD signing key <[email protected]>"  
  gpg: WARNING: This key is not certified with a trusted signature!
  gpg:          There is no indication that the signature belongs to the owner.
  Primary key fingerprint: DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B    


 To be extra safe, verify that the primary key fingerprint exists on this page: http://www.debian.org/CD/verify

 - Find the SHA512SUM of the ISO(s)

  $ openssl dgst -sha512  ~/Downloads/debian-6.0.5-i386-netinst.iso
  SHA512(/Users/mds/Downloads/debian-6.0.5-i386-netinst.iso)= 536ce3de14ba537590e9794a8a053fcbf81f8063aaf690d766e1ef784c2609932f481a2079cf3982f87ef64354398eb36ec2d8d1c8d207c5723c1c66ffa3495b

 Verify that the calculated hash is the same as the one in SHA512SUMS:

  $ grep $(openssl dgst -sha512  ~/Downloads/debian-6.0.5-i386-netinst.iso | cut -f 2 -d" ") SHA512SUMS  && echo OK ||   echo FAILED
  536ce3de14ba537590e9794a8a053fcbf81f8063aaf690d766e1ef784c2609932f481a2079cf3982f87ef64354398eb36ec2d8d1c8d207c5723c1c66ffa3495b  debian-6.0.5-i386-netinst.iso
  OK




 See also:
 http://www.debian.org/CD/verify, http://keyring.debian.org
	HOWTO: Verify Debian ISO Downloads (from OS X)


	- Download the required ISO from http://www.debian.org/CD/. Also download the SHA512SUMS and SHA512SUMS.sign files. (of course MD5SUM etc. work fine, but as long as we're being paranoid, we might as well go all the way)

	- Install GPGTools if needed https://www.gpgtools.org/


	- Verify the signature on SHA512SUMS

	You should see something like this the first time you run gpg --verify:

	$ gpg --verify SHA512SUMS.sign
	gpg: Signature made Sun May 13 05:01:57 2012 PDT using RSA key ID 6294BE9B
	gpg: requesting key 6294BE9B from hkp server keys.gnupg.net
	gpg: key 6294BE9B: public key "Debian CD signing key <[email protected]>" imported
	gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
	gpg: depth: 0 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 2u
	gpg: next trustdb check due at 2015-08-18
	gpg: Total number processed: 1
	gpg: imported: 1 (RSA: 1)
	gpg: Good signature from "Debian CD signing key <[email protected]>"
	gpg: WARNING: This key is not certified with a trusted signature!
	gpg: There is no indication that the signature belongs to the owner.
	Primary key fingerprint: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B

	Subsequent runs will look something like this:

	$ gpg --verify SHA512SUMS.sign
	gpg: Signature made Sun May 13 05:01:57 2012 PDT using RSA key ID 6294BE9B
	gpg: Good signature from "Debian CD signing key <[email protected]>"
	gpg: WARNING: This key is not certified with a trusted signature!
	gpg: There is no indication that the signature belongs to the owner.
	Primary key fingerprint: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B


	To be extra safe, verify that the primary key fingerprint exists on this page: http://www.debian.org/CD/verify

	- Find the SHA512SUM of the ISO(s)

	$ openssl dgst -sha512 ~/Downloads/debian-6.0.5-i386-netinst.iso
	SHA512(/Users/mds/Downloads/debian-6.0.5-i386-netinst.iso)= 536ce3de14ba537590e9794a8a053fcbf81f8063aaf690d766e1ef784c2609932f481a2079cf3982f87ef64354398eb36ec2d8d1c8d207c5723c1c66ffa3495b

	Verify that the calculated hash is the same as the one in SHA512SUMS:

	$ grep $(openssl dgst -sha512 ~/Downloads/debian-6.0.5-i386-netinst.iso \| cut -f 2 -d" ") SHA512SUMS && echo OK \|\| echo FAILED
	536ce3de14ba537590e9794a8a053fcbf81f8063aaf690d766e1ef784c2609932f481a2079cf3982f87ef64354398eb36ec2d8d1c8d207c5723c1c66ffa3495b debian-6.0.5-i386-netinst.iso
	OK




	See also:
	http://www.debian.org/CD/verify, http://keyring.debian.org