Verifying digital signatures: Debian Linux

1 minute read

The downloaded copy of the operating system must also have its digital signature verified before installation on a new host or virtual machine. This article will show how to verify a Debian Linux image before installation. To learn more read Verifying digital signatures.

Learn more about Debian Verifier, a shell script also ported to Python that automates the digital signature verification process.

To download and verify the digital signature and hashes of the most recent version of Debian Linux:

a) Go to https://cdimage.debian.org/debian-cd/current/$ARCH/iso-dvd/. If you’d rather download a smaller image, containing only the Debian core packages, go to https://cdimage.debian.org/cdimage/release/current/multi-arch/iso-cd/. The packages not included in ‘netinst’ image but selected during the installation will be downloaded from the Internet.

$ARCH may be, among other options, ‘amd64’ or ‘i386’.

b) Download to the same directory the files debian-$VERSION-$ARCH-DVD-1.iso (the first DVD image is enough for the usual installation), SHA256SUMS and SHA256SUMS.sign. If you’d rather download the smaller image, named ‘netinst’, look for the file named debian-$VERSION-amd64-i386-netinst.iso and also download files SHA256SUMS and SHA256SUMS.sign from the same folder.

c) Verify the digital signature:

$ gpg --verify SHA256SUMS.sign

GPG output shows that the developer’s public key was automatically imported:

gpg: key DA87E80D6294BE9B: public key "Debian CD signing key <debian-cd@lists.debian.org>" imported

If the key wasn’t automatically imported, it will be necessary to manually import the keys shown at web page https://www.debian.org/CD/verify and issue the same command after that.

$ gpg --keyserver keyring.debian.org --recv-keys 0x64E6EA7D 0x6294BE9B 0x09EA8AC3

d) Look in the gpg output for:

gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>

e) To generate the hash and compare it with the hashes inside the manifest SHA256SUMS:

On Linux:

$ grep `sha256sum debian-$VERSION-$ARCH-DVD-1.iso` SHA256SUMS
or
$ grep `sha256sum debian-$VERSION-amd64-i386-netinst.iso` SHA256SUMS

On Mac:

$ grep `shasum -a 256 debian-$VERSION-$ARCH-DVD-1.iso` SHA256SUMS
or
$ grep `shasum -a 256 debian-$VERSION-amd64-i386-netinst.iso` SHA256SUMS

If the command above returns nothing it means the hash wasn’t found in the manifest named SHA256SUMS and probably the file was modified after its creation.