Verifying authenticity of Debian CDs

The official guide for verifying the authenticity of a Debian 🍥 CD image is not so clear if you don't already have an idea of what you are doing. Here is a translation into shell commands.

You need to download:

  - the CD image itself (debian-8.0.0-amd64-xfce-CD-1.iso in the example below),
  - the SHA512SUMS file, which lists the SHA-512 digest of each image,
  - the SHA512SUMS.sign file, a detached GPG signature of SHA512SUMS.

Then you need to:

cat SHA512SUMS | grep debian-8.0.0-amd64-xfce-CD-1.iso | sha512sum -c - # (1)
sudo apt-get install debian-keyring  # (2)
gpgv --keyring /usr/share/keyrings/debian-role-keys.gpg -vv -- \
  SHA512SUMS.sign SHA512SUMS # (3)

and check that none of these commands reports an error (each one exits with a non-zero status when its check fails).

Details:

  1. This checks that the downloaded image matches the digest listed for it in the SHA512SUMS file:

    $ cat SHA512SUMS | grep debian-8.0.0-amd64-xfce-CD-1.iso | sha512sum -c -
    debian-8.0.0-amd64-xfce-CD-1.iso: OK
    
  2. We first need the GPG public keys Debian signs its images with. On Debian they are shipped in the debian-keyring package, whose own authenticity is checked by apt.

  3. Then we need to verify the signature of the SHA512SUMS file:

    $ gpgv --keyring /usr/share/keyrings/debian-role-keys.gpg -vv -- \
      SHA512SUMS.sign SHA512SUMS
    gpgv: armor: BEGIN PGP SIGNATURE
    gpgv: armor header: Version: GnuPG v1.4.12 (GNU/Linux)
    :signature packet: algo 1, keyid DA87E80D6294BE9B
            version 4, created 1430005434, md5len 0, sigclass 0x00
            digest algo 8, begin of digest 87 47
            hashed subpkt 2 len 4 (sig created 2015-04-25)
            subpkt 16 len 8 (issuer key ID DA87E80D6294BE9B)
            data: [4095 bits]
    gpgv: Signature made Sun Apr 26 01:43:54 2015 CEST using RSA key ID 6294BE9B
    gpgv: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>"
    gpgv: binary signature, digest algorithm SHA256
    

    Check that the digest algorithm is not a broken hash function (not MD5, not SHA-1) but something such as SHA-256 or SHA-512, and check the identity of the signer ("Debian CD signing key <debian-cd@lists.debian.org>") as well. gpgv also exits with a non-zero status when the signature does not verify or the key is not in the keyring, so a script should test the exit status rather than grep the output for "Good signature".
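    The three steps put together as one script, as an added example that is not part of the original post. It runs the signature check first, so that a digest from SHA512SUMS is only trusted once that file has been authenticated, and it relies on each command's exit status instead of eyeballing the output. The keyring path, the filenames and the gpgv message format ("digest algorithm SHA256") are those shown above; the policy of accepting only SHA-2 digests for the signature, and the exact-filename match instead of a bare grep, are my own choices.

```shell
#!/bin/sh
# verify-debian-cd.sh -- added example (not from the original post).
# Run it in the directory holding the image, SHA512SUMS and SHA512SUMS.sign:
#   sh verify-debian-cd.sh debian-8.0.0-amd64-xfce-CD-1.iso
set -u

# Keyring from the debian-keyring package, as used in the post.
KEYRING="${KEYRING:-/usr/share/keyrings/debian-role-keys.gpg}"

# Accept only SHA-2 digests for the signature. gpgv -vv reports the algorithm
# on a line like "gpgv: binary signature, digest algorithm SHA256" (see the
# transcript above); MD5 and SHA1 are rejected.
digest_ok() {
    printf '%s\n' "$1" | grep -Eq 'digest algorithm SHA(224|256|384|512)$'
}

# Steps 2+3: verify the detached signature on the sums file with gpgv.
# gpgv exits non-zero if the signature is bad or made by a key not in the
# keyring, so the exit status is what we check, not the printed text.
check_signature() {
    sums_file=$1
    sig_file=$2
    if ! out=$(gpgv --keyring "$KEYRING" -vv -- "$sig_file" "$sums_file" 2>&1); then
        printf '%s\n' "$out" >&2
        echo "check_signature: bad or unverifiable signature on $sums_file" >&2
        return 1
    fi
    printf '%s\n' "$out"
    if ! digest_ok "$out"; then
        echo "check_signature: signature digest is not in the SHA-2 family" >&2
        return 1
    fi
}

# Step 1: verify the image against its line in the (now authenticated) sums file.
# awk compares the filename field exactly, so a search for "CD-1.iso" cannot
# also match a longer name; Debian image names contain no spaces.
check_digest() {
    sums_file=$1
    image=$2
    line=$(awk -v f="$image" '$2 == f' "$sums_file")
    if [ -z "$line" ]; then
        echo "check_digest: no entry for $image in $sums_file" >&2
        return 1
    fi
    printf '%s\n' "$line" | sha512sum -c -
}

# Full procedure: authenticate SHA512SUMS first, only then trust a digest from it.
verify_image() {
    check_signature SHA512SUMS SHA512SUMS.sign && check_digest SHA512SUMS "$1"
}

if [ $# -gt 0 ]; then
    verify_image "$1"
fi
```

    A forged image with a matching, forged SHA512SUMS passes check_digest but fails check_signature; a genuine SHA512SUMS next to a corrupted or swapped image passes check_signature but fails check_digest. Only when both return 0 is the image the one Debian signed.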

Warning

Both checks (verifying the digest of the image, and verifying the signature of the digest file) are necessary to ensure that the file is an authentic Debian CD image.

Checking the image against SHA512SUMS (first step) is not enough to conclude that the CD image is the correct one, because an attacker who can replace the image on a mirror can upload a matching digest file next to it: we need to check that SHA512SUMS itself has not been tampered with, which is what verifying its signature does.

Warning

Do not use the MD5SUMS file, because MD5 is broken, and avoid SHA1SUMS as well.

In Fedora, the Debian keyring is shipped in the debian-keyring package.