Discussion:
verify debian12 signature
(too old to reply)
Thomas Schmitt
2024-06-13 07:00:01 UTC
Permalink
Hi,
I have downloaded the latest version of debian12. I
have the GNU4win program with kleopatra but I don't know how to check the
digital signature.
Do i get it right that you have an MS-Windows system ?
(And that by "GNU4win" you mean "GPG4win" ?)

If so, you need a program to compute a SHA256 or SHA512 checksum from
the downloaded .iso file and a program to verify the corresponding
SHA*SUMS file by its SHA*SUMS.sign file.

I'm not a user of MS-Windows, so i cannot recommend any software for those
tasks. If no other way would be to see, i'd consider to install WSL
and to do the verification by its help.
https://wiki.debian.org/InstallingDebianOn/Microsoft/Windows/SubsystemForLinux

In a Debian provided shell i would then do:
gpg --verify SHA256SUMS.sign SHA256SUMS
which should yield one of the key fingerprints as listed on
https://www.debian.org/CD/verify
Important will be these result statements:
"Good signature from" ... "Debian" ...
"Primary key fingerprint:" ... one of the listed fingerprints ...

Then i'd compute the SHA256 of the .iso file
sha256sum debian-12.5.0-amd64-netinst.iso
and compare it with the checksum string which is listed for the .iso file
in SHA256SUMS.

--------------------------------------------------------------------
Alternative ideas:

Maybe you can perform the .sign check similar to what
https://docs.oracle.com/cd/E17952_01/mysql-5.7-en/checking-gpg-signature-windows.html
proposes for "mysql-installer-community-5.7.44.msi" as payload file
(yours would be SHA256SUMS) and "mysql-installer-community-5.7.44.msi.asc"
as detached signature file (yours: SHA256SUMS.sign).

This page
https://3d-imaging.co.uk/blog/verifying-sig-files-with-gpgp4win/
states that GPG4win would offer the command line tool to run
gpg --verify gpg4win*.exe.sig gpg4win*.exe
(You'd just use file names SHA256SUMS.sign SHA256SUMS instead.)

As for computing the SHA256 sum of the .iso, i find on
https://www.pctipp.ch/praxis/windows-10/windows-10-sha256-hash-bordmitteln-pruefen-2507915.html
a proposal for PowerShell, which in your case would look like:
Get-Filehash debian-12.5.0-amd64-netinst.iso -Algorithm SHA256


Have a nice day :)

Thomas
Franco Martelli
2024-06-13 19:30:01 UTC
Permalink
Post by Thomas Schmitt
Then i'd compute the SHA256 of the .iso file
sha256sum debian-12.5.0-amd64-netinst.iso
and compare it with the checksum string which is listed for the .iso file
in SHA256SUMS.
The comparison can be done directly by "sha256sum" command using the
"-c" option. Download both .iso and SHA256SUMS files in the same
directory then use this command:

~$ sha256sum --ignore-missing -c SHA256SUMS
debian-12.5.0-amd64-DVD-1.iso: OK

Cheers,
--
Franco Martelli
Franco Martelli
2024-06-14 19:50:01 UTC
Permalink
I'm sorry but it's complicated. Do you know anyone who can remotely
connect with me to guide me?
------------------------------------------------------------------------
*Enviado:* jueves, 13 de junio de 2024 19:19
*Asunto:* Re: verify debian12 signature
Post by Thomas Schmitt
Then i'd compute the SHA256 of the .iso file
    sha256sum debian-12.5.0-amd64-netinst.iso
and compare it with the checksum string which is listed for the .iso file
in SHA256SUMS.
The comparison can be done directly by "sha256sum" command using the
"-c" option. Download both .iso and SHA256SUMS files in the same
~$ sha256sum --ignore-missing -c SHA256SUMS
debian-12.5.0-amd64-DVD-1.iso: OK
Cheers,
No, of course I don't know anyone who can help you.
However if you aren't comfortable with the CLI (Command Line Interface)
and you want to install Debian on your PC then you need a friend that
already did that *or* you need a book to start with.

You can find a friend looking for a LUG (Linux User Group) near to the
town where you live. e.g. in Google search for: "linux user group Spain"
or "linux user group Madrid"

You can read this book:
https://lescahiersdudebutant.arpinux.org/bookworm-en/

or if you like to go further, this:
https://debian-handbook.info/browse/stable/index.html

There are also the on-line Debian's docs suitable for beginners:
https://www.debian.org/doc/

Good luck!
--
Franco Martelli
Andrew M.A. Cater
2024-06-14 20:20:01 UTC
Permalink
Post by Franco Martelli
I'm sorry but it's complicated. Do you know anyone who can remotely
connect with me to guide me?
Existe tambien la lista de correos debian-user-spanish

https://lists.debian.org/debian-user-spanish/2024/06/threads.html

y el sitio Debian en castellano.

https://www.debian.org/index.es.html

Andy

[Pointing to Debian user spanish and Debian site in Spanish

(and top posting for speed and because the poster is using gmail).
Post by Franco Martelli
------------------------------------------------------------------------
*Enviado:* jueves, 13 de junio de 2024 19:19
*Asunto:* Re: verify debian12 signature
Post by Thomas Schmitt
Then i'd compute the SHA256 of the .iso file
    sha256sum debian-12.5.0-amd64-netinst.iso
and compare it with the checksum string which is listed for the .iso file
in SHA256SUMS.
The comparison can be done directly by "sha256sum" command using the
"-c" option. Download both .iso and SHA256SUMS files in the same
~$ sha256sum --ignore-missing -c SHA256SUMS
debian-12.5.0-amd64-DVD-1.iso: OK
Cheers,
No, of course I don't know anyone who can help you.
However if you aren't comfortable with the CLI (Command Line Interface) and
you want to install Debian on your PC then you need a friend that already
did that *or* you need a book to start with.
You can find a friend looking for a LUG (Linux User Group) near to the town
where you live. e.g. in Google search for: "linux user group Spain" or
"linux user group Madrid"
https://lescahiersdudebutant.arpinux.org/bookworm-en/
https://debian-handbook.info/browse/stable/index.html
https://www.debian.org/doc/
Good luck!
--
Franco Martelli
Loading...