Verifying the authenticity of a Debian ISO image downloaded from a Debian mirror takes two steps:
- First, verify the checksum of the CD image content against the checksum file published next to it on the mirror, either
MD5SUMS
or SHA512SUMS.
- Second, verify that the checksum file itself carries a correct signature, using the accompanying detached signature file, either
MD5SUMS.sign
or SHA512SUMS.sign.
The checksum on its own proves nothing about authenticity: whoever can replace the ISO on a mirror can replace the checksum file beside it as well. Only the second step, a good signature from the Debian CD signing key, ties the checksums to Debian, so a checksum match is meaningful only once the signature has been verified. Of the two digests, prefer SHA512SUMS: MD5 collisions are practical and MD5SUMS is kept only for compatibility.
To get started, download all the relevant files, including the desired ISO image, into a single directory. In this example we validate the authenticity of the Debian net install CD image:
$ ls
MD5SUMS  MD5SUMS.sign  SHA512SUMS  SHA512SUMS.sign  debian-8.0.0-arm64-netinst.iso
The task at hand is to verify the authenticity of the net install CD image debian-8.0.0-arm64-netinst.iso.
Verify CD image content
To detect tampering with the CD image content, we generate a checksum locally and match it against the checksum listed in the MD5SUMS and SHA512SUMS files downloaded from the Debian mirror. Just for completeness we do both; SHA512SUMS is the one that matters. The checksum files list every image of the release, so -c reports a "No such file or directory" error for each image we did not download; the 2> /dev/null and grep netinst below hide those and show only the line for our image (coreutils 8.25 and later offer --ignore-missing, which skips absent files without also discarding every other error):
MD5SUMS
$ md5sum -c MD5SUMS 2> /dev/null | grep netinst
debian-8.0.0-arm64-netinst.iso: OK
SHA512SUMS
$ sha512sum -c SHA512SUMS 2> /dev/null | grep netinst
debian-8.0.0-arm64-netinst.iso: OK
Check for a correct signature
So far all looks good. Next, we need to verify the authenticity of the MD5SUMS and SHA512SUMS checksum files themselves, which we have just used to verify the content of our Debian ISO image. For this we use the gpg (GNU Privacy Guard) command. First, we need the public key of the signer. Running the verification without it tells us which key to fetch (with a single argument, gpg assumes the signed data is in the file of the same name without the .sign suffix):
$ gpg --verify MD5SUMS.sign
gpg: assuming signed data in `MD5SUMS'
gpg: Signature made Sat Apr 25 23:44:18 2015 UTC using RSA key ID 6294BE9B
gpg: Can't check signature: public key not found
$ gpg --verify SHA512SUMS.sign
gpg: assuming signed data in `SHA512SUMS'
gpg: Signature made Sat Apr 25 23:44:18 2015 UTC using RSA key ID 6294BE9B
gpg: Can't check signature: public key not found
The public key with ID 6294BE9B is not yet on our system, so we download it from the Debian keyring server:
$ gpg --keyserver keyring.debian.org --recv 6294BE9B
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: requesting key 6294BE9B from hkp server keyring.debian.org
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 6294BE9B: public key "Debian CD signing key" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
Note that 6294BE9B is a 32-bit short key ID. Short IDs are not unique, and a key with a chosen short ID can be generated cheaply, so the ID only tells us which key to look for. What identifies the key is its full 160-bit fingerprint, which gpg prints once the key is imported and which must match the fingerprint Debian publishes for its CD signing key (https://www.debian.org/CD/verify). Where possible, fetch the key by its full fingerprint rather than by short ID.
At this point we are in a position to verify the signature on both checksum files:
$ gpg --verify MD5SUMS.sign MD5SUMS
gpg: Signature made Sat Apr 25 23:44:18 2015 UTC using RSA key ID 6294BE9B
gpg: Good signature from "Debian CD signing key"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B
$ gpg --verify SHA512SUMS.sign SHA512SUMS
gpg: Signature made Sat Apr 25 23:44:18 2015 UTC using RSA key ID 6294BE9B
gpg: Good signature from "Debian CD signing key"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B
The message gpg: Good signature from "Debian CD signing key" confirms that the checksum files were signed by the key whose fingerprint gpg prints, DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B. The WARNING does not mean the signature is bad: it means our local keyring has no trust path to that key (we never certified it), so gpg cannot vouch for who owns it. That part is our job: compare the printed fingerprint with the one Debian publishes for its CD signing key. If they match, the checksum files are authentic, and together with the checksum match from the previous step, so is the ISO. As a conclusion, let's try a simple tampering test: change a single character in the MD5SUMS file with the vi editor and verify again:
$ vi MD5SUMS
$ gpg --verify MD5SUMS.sign MD5SUMS
gpg: Signature made Sat Apr 25 23:44:18 2015 UTC using RSA key ID 6294BE9B
gpg: BAD signature from "Debian CD signing key"
The same happens if an attacker swaps the ISO and edits the checksum file to match it: the signature over the edited file no longer verifies, which is why the signature check, not the checksum, is the step that establishes authenticity.
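As an added example, not code from the original article and not Debian's own tooling, the following POSIX shell script ties the two steps together the way a practitioner would automate them: it pins the full fingerprint gpg printed above instead of the short key ID, reads gpg's machine-readable status output rather than grepping "Good signature", and checks the checksum of only the ISO that was downloaded, treating a missing entry or file as a failure instead of hiding it behind 2>/dev/null. It assumes coreutils sha512sum and awk, and, for the full verify_debian_iso run, gpg with the Debian CD signing key already imported. The self-check at the bottom uses constructed data: a stand-in file in place of the ISO, a SHA512SUMS line computed for it, and a VALIDSIG status line written in the shape gpg emits for the signature shown above.

```shell
#!/bin/sh
# Added example, not code from the original article or from Debian: the two
# checks above as one script that fails closed. Signature first, then the
# checksum of the one ISO we actually downloaded. Assumes POSIX sh, coreutils
# sha512sum and awk, and, for verify_debian_iso only, gpg with the Debian CD
# signing key already imported.

# Full fingerprint of "Debian CD signing key" as gpg printed it above. Pin the
# 160-bit fingerprint, never the 32-bit short ID 6294BE9B, which is not unique.
DEBIAN_CD_KEY_FPR="DF9B9C49EAA9298432589D76DA87E80D6294BE9B"

# signature_ok EXPECTED_FPR  (gpg status lines on stdin)
# Reads gpg's machine-readable output (gpg --status-fd 1) and succeeds only if
# a VALIDSIG line names the expected key, in its signing-key field ($3) or its
# primary-key field (last field), and no BADSIG/ERRSIG line is present. The
# human-readable "Good signature from ..." on stderr says nothing about
# *which* key signed; VALIDSIG carries the fingerprint.
signature_ok() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
    awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" &&
            (toupper($3) == want || toupper($NF) == want) { found = 1 }
        $1 == "[GNUPG:]" && ($2 == "BADSIG" || $2 == "ERRSIG") { bad = 1 }
        END { exit (found && !bad) ? 0 : 1 }'
}

# iso_checksum_ok SUMSFILE ISO
# Picks the single line for ISO out of SUMSFILE and compares it with a locally
# computed digest. Unlike "sha512sum -c SHA512SUMS 2>/dev/null | grep netinst",
# a missing file or a missing entry is an error rather than silence.
iso_checksum_ok() {
    sums=$1; iso=$2
    [ -f "$iso" ] || { echo "$iso: no such file" >&2; return 1; }
    want=$(awk -v f="$(basename "$iso")" \
        'length($1) == 128 && ($2 == f || $2 == ("*" f)) { print $1; exit }' "$sums")
    [ -n "$want" ] || { echo "$iso: no entry in $sums" >&2; return 1; }
    have=$(sha512sum "$iso" | awk '{ print $1 }')
    [ "$have" = "$want" ] || { echo "$iso: checksum mismatch" >&2; return 1; }
}

# verify_debian_iso ISO
# The whole procedure, run in a directory holding ISO, SHA512SUMS and
# SHA512SUMS.sign. Import the key by full fingerprint beforehand:
#   gpg --keyserver keyring.debian.org --recv-keys "$DEBIAN_CD_KEY_FPR"
verify_debian_iso() {
    gpg --batch --status-fd 1 --verify SHA512SUMS.sign SHA512SUMS 2>/dev/null \
        | signature_ok "$DEBIAN_CD_KEY_FPR" \
        || { echo "SHA512SUMS: not signed by key $DEBIAN_CD_KEY_FPR" >&2; return 1; }
    iso_checksum_ok SHA512SUMS "$1" || return 1
    echo "$1: signature and checksum OK"
}

# Self-check on constructed data (no gpg, no network): a stand-in "ISO", a
# SHA512SUMS line computed for it, and a VALIDSIG line in the shape gpg emits
# for the signature shown above. Runs when the script is called without arguments.
selfcheck() (
    tmp=$(mktemp -d) && cd "$tmp" || exit 1
    iso=debian-8.0.0-arm64-netinst.iso
    printf 'constructed stand-in for an ISO image\n' > "$iso"
    printf '%s  %s\n' "$(sha512sum "$iso" | awk '{ print $1 }')" "$iso" > SHA512SUMS
    iso_checksum_ok SHA512SUMS "$iso" && echo "checksum: OK"
    printf 'tampered\n' >> "$iso"
    iso_checksum_ok SHA512SUMS "$iso" 2>/dev/null || echo "checksum after tampering: rejected"
    printf '[GNUPG:] VALIDSIG %s 2015-04-25 1430005458 0 4 0 1 10 00 %s\n' \
        "$DEBIAN_CD_KEY_FPR" "$DEBIAN_CD_KEY_FPR" \
        | signature_ok "$DEBIAN_CD_KEY_FPR" && echo "signature status: OK"
    printf '[GNUPG:] BADSIG DA87E80D6294BE9B Debian CD signing key\n' \
        | signature_ok "$DEBIAN_CD_KEY_FPR" || echo "BADSIG: rejected"
    rm -rf "$tmp"
)

if [ $# -gt 0 ]; then verify_debian_iso "$1"; else selfcheck; fi
```

Run it without arguments to exercise the constructed self-check, or as sh verify.sh debian-8.0.0-arm64-netinst.iso from the directory that holds the ISO, SHA512SUMS and SHA512SUMS.sign to run the real procedure. Parsing VALIDSIG rather than the "Good signature" text is the point of the script: the text only says that some key in the keyring verified the data, while the fingerprint pinned in DEBIAN_CD_KEY_FPR is what the "not certified" WARNING above is asking us to confirm by hand.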