Verifying authenticity of Debian CDs

The official guide for verifying the authenticity of a Debian πŸ₯ CD image is not so clear if you don't already have an idea about what you are doing. Here is a translation in terms of shell commands.

You need to download:

  • the image (such as debian-8.0.0-amd64-CD-1.iso);

  • a corresponding digest file (such as SHA512SUMS) but not the MD5 (MD5SUMS) and probably not the SHA-1 (SHA1SUMS);

  • the corresponding signature file (SHA512SUMS.sign).

Then you need to:

cat SHA512SUMS | grep debian-8.0.0-amd64-xfce-CD-1.iso | sha512sum -c - # (1)
sudo apt-get install debian-keyring  # (2)
gpgv --keyring /usr/share/keyrings/debian-role-keys.gpg -vv -- \
  SHA512SUMS.sign SHA512SUMS # (3)

and check that it does not spit any error.

Details:

  1. This check that the downloaded file matches the digest as indicated in the SHA12SUM file:

    $ cat SHA512SUMS | grep debian-8.0.0-amd64-xfce-CD-1.iso | sha512sum -c -
    debian-8.0.0-amd64-xfce-CD-1.iso: OK
    
  2. We first need to get the GPG public keys of Debian.

  3. Then we need to verify the signature of the SHA512SUMS file:

    
    $ gpgv --keyring /usr/share/keyrings/debian-role-keys.gpg -vv -- \
      SHA512SUMS.sign SHA512SUMS
    gpgv: armor: BEGIN PGP SIGNATURE
    gpgv: armor header: Version: GnuPG v1.4.12 (GNU/Linux)
    :signature packet: algo 1, keyid DA87E80D6294BE9B
            version 4, created 1430005434, md5len 0, sigclass 0x00
            digest algo 8, begin of digest 87 47
            hashed subpkt 2 len 4 (sig created 2015-04-25)
            subpkt 16 len 8 (issuer key ID DA87E80D6294BE9B)
            data: [4095 bits]
    gpgv: Signature made Sun Apr 26 01:43:54 2015 CEST using RSA key ID 6294BE9B
    gpgv: Good signature from "Debian CD signing key debian-cd@lists.debian.org"
    gpgv: binary signature, digest algorithm SHA256
    

    You might want to check that the digest algorithm is not a broken hash function (not MD5, not SHA-1) but something such as SHA-256 or SHA-512. You might want to check the identity of the signed (Debian CD signing key <debian-cd@lists.debian.org>) as well.

Warning

Both steps (verifying the digest, verifying the signature of the digest file) are necessary in order to ensure that the file is an authentic Debian CD image.

Checking the SHA8445SUM (first step) is not enough to conclude that the CD image is the correct one because an attacker could have uploaded a malicious CD image and a corresponding digest file: we need to check that the SHA512SUMS has not been tampered with.

Warning

You should not use the MD5SUMS because MD5 is broken and avoid SHA1SUMS as well.

In Fedora, the Debian keyring is shipped in the debian-keyring package.