How to verify the authenticity of downloaded Debian ISO images

There are two steps to verifying the authenticity of Debian ISO images downloaded from Debian mirrors:

  1. First, verify the checksum of the CD image content against the relevant checksum file, whether that is MD5SUMS or SHA512SUMS.
  2. Second, verify that the checksum files themselves carry a correct signature, using the accompanying signature files MD5SUMS.sign or SHA512SUMS.sign.

To get started, download all relevant files, including the desired ISO image, into a single directory. In this case we will validate the authenticity of the Debian net install CD image:

$ ls
MD5SUMS  MD5SUMS.sign  SHA512SUMS  SHA512SUMS.sign  debian-8.0.0-arm64-netinst.iso

The task at hand is to verify the authenticity of the included net install CD image, debian-8.0.0-arm64-netinst.iso.

Verify CD image content

To detect tampering with the CD image content, we generate a checksum locally and match it against the checksum listed in the MD5SUMS and SHA512SUMS files downloaded from the Debian mirror. Note that, just for completeness, we use both methods, MD5SUMS and SHA512SUMS.

MD5SUMS

$ md5sum -c MD5SUMS 2> /dev/null | grep netinst
debian-8.0.0-arm64-netinst.iso: OK

SHA512SUMS

$ sha512sum -c SHA512SUMS 2> /dev/null | grep netinst
debian-8.0.0-arm64-netinst.iso: OK

Check for a correct signature

So far all looks good. Next, we need to verify the authenticity of the MD5SUMS and SHA512SUMS checksum files themselves, which we used to verify the content of our Debian ISO image. For this we will use the gpg (GNU Privacy Guard) command. First, we need to obtain the public key of the signer of our checksum files:

$ gpg --verify MD5SUMS.sign
gpg: assuming signed data in `MD5SUMS'
gpg: Signature made Sat Apr 25 23:44:18 2015 UTC using RSA key ID 6294BE9B
gpg: Can't check signature: public key not found
$ gpg --verify SHA512SUMS.sign 
gpg: assuming signed data in `SHA512SUMS'
gpg: Signature made Sat Apr 25 23:44:18 2015 UTC using RSA key ID 6294BE9B
gpg: Can't check signature: public key not found

The public key with ID 6294BE9B is not yet available on our system, so we first need to download it directly from the Debian keyring server:

$ gpg --keyserver keyring.debian.org --recv 6294BE9B
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: requesting key 6294BE9B from hkp server keyring.debian.org
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 6294BE9B: public key "Debian CD signing key " imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

At this point we are in a position to verify the signature of both checksum files:

$ gpg --verify MD5SUMS.sign MD5SUMS
gpg: Signature made Sat Apr 25 23:44:18 2015 UTC using RSA key ID 6294BE9B
gpg: Good signature from "Debian CD signing key "
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B
$ gpg --verify SHA512SUMS.sign SHA512SUMS
gpg: Signature made Sat Apr 25 23:44:18 2015 UTC using RSA key ID 6294BE9B
gpg: Good signature from "Debian CD signing key "
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B

The message gpg: Good signature from "Debian CD signing key " confirms that the Debian CD image belongs to whom it claims to belong to. To conclude, let's try a simple tampering test: change a single character in the MD5SUMS file using the vim editor and verify it again:

$ vi MD5SUMS
$ gpg --verify MD5SUMS.sign MD5SUMS
gpg: Signature made Sat Apr 25 23:44:18 2015 UTC using RSA key ID 6294BE9B
gpg: BAD signature from "Debian CD signing key "
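The two checks above, combined into one script as an added example (this is not code from the original article or from the Debian project). It performs the steps in the order a practitioner should rely on: the signature on the checksum file is checked first, because a matching checksum proves nothing if the checksum file itself was swapped, and only then is the image checksum compared. It uses SHA512SUMS only, since MD5 is no longer collision-resistant. It also answers the "not certified" WARNING seen above by pinning the full 40-hex-digit fingerprint printed by gpg (taken from the article's output) instead of trusting the 8-digit key ID. The script name, the function names and the sample files are assumptions; it expects GNU coreutils sha512sum and gpg to be installed, the signing key to be imported as shown above, and to be run inside the download directory.

```shell
#!/bin/sh
# Added example, not part of the original article. Assumes GNU coreutils
# (sha512sum) and gpg are installed and the Debian CD signing key has already
# been imported. Usage (script name is an assumption):
#   sh verify-debian-iso.sh SHA512SUMS SHA512SUMS.sign debian-8.0.0-arm64-netinst.iso

# Full fingerprint of the Debian CD signing key, copied from the gpg output in
# the article with spaces removed. Pinning the 40-hex-digit fingerprint rather
# than the 8-digit key ID 6294BE9B is what gpg's "not certified" WARNING is
# asking for: "Good signature" alone only proves the file matches the key that
# was fetched from the keyserver, whichever key that was.
EXPECTED_FPR="DF9B9C49EAA9298432589D76DA87E80D6294BE9B"

# Read gpg --verify output from stdin. Succeed only if gpg reported a good
# signature AND the primary key fingerprint equals EXPECTED_FPR.
check_gpg_output() {
    out=$(cat)
    printf '%s\n' "$out" | grep -q '^gpg: Good signature from' || return 1
    fpr=$(printf '%s\n' "$out" | sed -n 's/^Primary key fingerprint: *//p' | tr -d ' ')
    [ "$fpr" = "$EXPECTED_FPR" ]
}

# Verify one image against a checksum list. Only the line naming that image is
# fed to sha512sum, so the other images listed in SHA512SUMS (which were not
# downloaded) produce no "No such file" noise that a 2>/dev/null would hide.
# Debian's SHA512SUMS uses the "<hash>  <name>" text-mode format, so the file
# name is the second whitespace-separated field.
check_image_sum() {
    sums=$1
    image=$2
    line=$(awk -v f="$image" '$2 == f { print; exit }' "$sums")
    [ -n "$line" ] || return 1            # image not listed in the checksum file
    printf '%s\n' "$line" | sha512sum -c - >/dev/null 2>&1
}

# Full procedure: signature on the checksum file first, then the image checksum.
verify_iso() {
    sums=$1
    sig=$2
    image=$3
    # LC_ALL=C keeps gpg's messages in English so the grep/sed patterns match.
    LC_ALL=C gpg --verify "$sig" "$sums" 2>&1 | check_gpg_output \
        || { echo "$sums: bad signature or unexpected signing key" >&2; return 1; }
    check_image_sum "$sums" "$image" \
        || { echo "$image: checksum mismatch or not listed in $sums" >&2; return 1; }
    echo "$image: signature and checksum OK"
}

# Run the full check only when invoked with the three file arguments.
if [ $# -eq 3 ]; then
    verify_iso "$@"
fi
```

If the fingerprint check fails even though gpg prints "Good signature", the key fetched from the keyserver is not the one whose fingerprint you pinned; compare the fingerprint gpg prints against the one published by the project before trusting the image.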