Debian – How to verify Debian ISO integrity

checksumdebianintegrity

I recently downloaded Debian 7.5.0 Wheezy and managed to use the Release.sig signature to verify the integrity of the Release checksum file using GPG4Win. Unfortunately, I couldn't find any advice on where to find the md5/SHA1/SHA256 checksum inside the Release file to verify that the ISO is correct/hasn't been corrupted/manipulated. Couldn't find any help regarding this specific problem on the support sites either. I am using Windows 7 if this is relevant.

Edit: The name of my ISO file is "debian-7.5.0-amd64-netinst". Other versions can be found here (ftp://cdimage.debian.org/cdimage/release/7.5.0-live/amd64/iso-hybrid/) and offer an easier way to verify the integrity because of this file: ftp://cdimage.debian.org/cdimage/release/7.5.0-live/amd64/iso-hybrid/SHA256SUMS. I need to find something like this in the Release file I verified.

Best Answer

You need to verify that the hash matches the downloaded image, and then verify that the hash was signed by an official Debian key - as explained in this blog post.

Download your CD image, a SHA 512 hash, and the hash signature. It doesn't matter where you get them from, because of the signature that we'll verify below. But you can get it from debian.org.

Verify that the hash matches the image (neither of these commands should print anything):

$ sha512sum debian-8.3.0-amd64-i386-netinst.iso > my_hash.txt
$ diff -q my_hash.txt SHA512SUMS.txt

Verify the hash is properly signed. You'll probably have to do it twice: once to get the key ID, and again after you have downloaded the public key. The command output should look a lot like this:

$ gpg --verify SHA512SUMS.sign.txt SHA512SUMS.txt
gpg: Signature made Mon 25 Jan 2016 05:08:46 AEDT using RSA key ID 6294BE9B
gpg: Can't check signature: public key not found
$ gpg --keyserver keyring.debian.org --recv 6294BE9B
gpg: requesting key 6294BE9B from hkp server keyring.debian.org
gpg: key 6294BE9B: public key "Debian CD signing key <debian-cd@lists.debian.org>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
$ gpg --verify SHA512SUMS.sign.txt SHA512SUMS.txt
gpg: Signature made Mon 25 Jan 2016 05:08:46 AEDT using RSA key ID 6294BE9B
gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B

Verify that the key fingerprint (the last printed line) is legitimate. Ideally, you should do this via a web of trust. However you can check the key fingerprint against the keys listed on Debian's secure web site (HTTPS).

Related Solutions

Linux – How to take sha-1, sha-256 or MD5 of CDs / DVDs

In addition to Gilles answer,

If you still have the ISO image, you could use cmp instead of checksums. It would tell you at which byte the difference happens. It would also make the check faster as if there is an error early on, it would tell you right away, whereas the checksum always has to read the entire media.

$ cmp /dev/cdrom /path/to/cdrom.iso

In case of error it should print something like this

/dev/cdrom /path/to/cdrom.iso differ, byte 123456789, line 42

In case it's correct it should print nothing, or this:

cmp: EOF on /path/to/cdrom.iso

Which means there is more data on /dev/cdrom than in the ISO, most likely zero-padding.

Even before starting any comparisons, you could check the size.

$ blockdev --getsize64 /dev/cdrom
123456999
$ stat -c %s /path/to/cdrom.iso
123456789

If it's identical, the checksum should match also. If /dev/cdrom is larger, it should be zero padded at the end. You could check that with hexdump. Use the ISO size for the -s parameter.

$ hexdump -s 15931539256 -C /dev/cdrom
3b597ff38  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
3b597fff8  00 00 00 00 00 00 00 00                           |........|

hexdump is also useful for having a look at difference at any other position in a file, in case a damage was caused deliberately by something.

Debian – CLI tool to parse/read and show the metadata from a torrent file

transmission has a tool for that

$ transmission-show debian-stretch-DI-rc1-amd64-netinst.iso.torrent 
Name: debian-stretch-DI-rc1-amd64-netinst.iso
File: debian-stretch-DI-rc1-amd64-netinst.iso.torrent

GENERAL

  Name: debian-stretch-DI-rc1-amd64-netinst.iso
  Hash: 13d51b233d37965a7137dd65858d73c5a2e7ded4
  Created by: 
  Created on: Fri Jan 13 12:29:09 2017
  Comment: "Debian CD from cdimage.debian.org"
  Piece Count: 1184
  Piece Size: 256.0 KiB
  Total Size: 310.4 MB
  Privacy: Public torrent

TRACKERS

  Tier #1
  http://bttracker.debian.org:6969/announce

FILES

  debian-stretch-DI-rc1-amd64-netinst.iso (310.4 MB)

Another one would be intermodal which besides showing metadata can also create and verify it: https://rodarmor.com/blog/intermodal

Best Answer

Related Solutions

Linux – How to take sha-1, sha-256 or MD5 of CDs / DVDs

Debian – CLI tool to parse/read and show the metadata from a torrent file

Related Question