Debian 7 Installation : Part 1 - ISO Image Verification

Due to an unforeseen reason, I need to revive my unused server and install Debian 7 (Wheezy), the latest stable version, on it. It has been a while since I last used Debian as my primary GNU/Linux distro compared to its sibling, Ubuntu. Some notes regarding the installation procedure.

Download the ISO CD 1 image as well as the signed checksum files (for verification) from the cdimage site. I opted for the first CD image, which will later be written to a USB thumb drive as the installation media.
$ wget http://cdimage.debian.org/debian-cd/7.4.0/amd64/iso-cd/debian-7.4.0-amd64-CD-1.iso
$ wget http://cdimage.debian.org/debian-cd/7.4.0/amd64/iso-cd/SHA512SUMS
$ wget http://cdimage.debian.org/debian-cd/7.4.0/amd64/iso-cd/SHA512SUMS.sign

Due to recent exposure to keysigning, it is good practice to validate the ISO image using the checksum tool and to verify the authenticity of the ISO image. It took me a while of googling to find a proper step-by-step guide (in Chinese, but the instructions are quite obvious) to validate and verify the downloaded ISO images. Funny how the official documentation does not even have these instructions.

First, let's verify the checksum file to confirm this image was built by the authorized people. As the error message below shows, we're missing the public key needed to verify the signed checksum.
$ gpg --verify SHA512SUMS.sign SHA512SUMS

gpg: Signature made Isnin 10 Feb 2014 02:31:31  MYT using RSA key ID 6294BE9B
gpg: Can't check signature: public key not found

Find and add the public key that signed this checksum file. We can obtain this public key from Debian's own key server. Take note of the last line, where this key is still not fully valid or trustworthy enough according to the PGP trust model.
$ gpg --keyserver http://keyring.debian.org --recv-keys 6294BE9B

gpg: requesting key 6294BE9B from hkp server http://keyring.debian.org
gpg: key 6294BE9B: public key "Debian CD signing key " imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

To be safe, confirm that the aforementioned public key has been added locally. The fingerprint shown below should exist on Debian's CD authentication and verification page.
$ gpg --fingerprint 6294BE9B
pub   4096R/6294BE9B 2011-01-05
Key fingerprint = DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B
uid                  Debian CD signing key 
sub   4096R/11CD9819 2011-01-05

Let's verify our downloaded checksum file (SHA512SUMS) against its detached signature (SHA512SUMS.sign) using the Debian CD signing key we just imported.
$ gpg --verify SHA512SUMS.sign SHA512SUMS
gpg: Signature made Isnin 10 Feb 2014 02:31:31  MYT using RSA key ID 6294BE9B
gpg: Good signature from "Debian CD signing key "
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B

However, as the message above indicates, the signature is valid but the key's identity is unverified. Let's list the people who have signed this Debian CD signing key.
$ gpg --list-sigs 6294BE9B
pub   4096R/6294BE9B 2011-01-05
uid                  Debian CD signing key 
sig          1B3045CE 2011-01-07  [User ID not found]
sig          3442684E 2011-01-05  [User ID not found]
sig          A40F862E 2011-01-05  [User ID not found]
sig          C542CD59 2011-01-05  [User ID not found]
sig          63C7CC90 2011-01-05  [User ID not found]
sig 3        6294BE9B 2011-01-05  Debian CD signing key 
sub   4096R/11CD9819 2011-01-05
sig          6294BE9B 2011-01-05  Debian CD signing key 

Import these public keys so that their corresponding names and email addresses are shown.
$ gpg --recv-keys 1B3045CE 3442684E A40F862E C542CD59 63C7CC90
$ gpg --list-sigs 6294BE9B

pub   4096R/6294BE9B 2011-01-05
uid                  Debian CD signing key 
sig          1B3045CE 2011-01-07  Colin Tuckley 
sig          3442684E 2011-01-05  Steve McIntyre 
sig          A40F862E 2011-01-05  Neil McGovern 
sig          C542CD59 2011-01-05  Adam D. Barratt 
sig          63C7CC90 2011-01-05  Simon McVittie 
sig 3        6294BE9B 2011-01-05  Debian CD signing key 
sub   4096R/11CD9819 2011-01-05
sig          6294BE9B 2011-01-05  Debian CD signing key 

Alternatively, you can find the list of users who signed the public key 6294BE9B using the debian-keyring package.
$ sudo apt-get install debian-keyring
$ gpg --keyring /usr/share/keyrings/debian-keyring.gpg -kvv 6294BE9B

You can only verify the identity of the Debian CD signing key through the concept of the Web of Trust [7]: go through the list of people above and either sign their public keys (people you have met in real life or trust through a fingerprint exchange) or ask them directly.

Lastly, let's check the ISO image file for corruption against the signed checksum list. sha512sum -c expects only checksum files as arguments, so select the ISO's line from SHA512SUMS rather than passing the ISO itself.
$ grep debian-7.4.0-amd64-CD-1.iso SHA512SUMS | sha512sum -c
debian-7.4.0-amd64-CD-1.iso: OK
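The two checks the post performs by hand (is SHA512SUMS really signed by the Debian CD signing key, and does the ISO match the signed list) written as a small script that runs offline. This is an added example, not code from the post or from Debian. It assumes you run gpg with machine-readable output, `gpg --status-fd 1 --verify SHA512SUMS.sign SHA512SUMS`, and feed that output to `signature_is_trusted`; the status lines embedded below are constructed samples in the format documented in GnuPG's doc/DETAILS, with made-up SIG_ID and timestamps. Instead of building Web of Trust to the key, it pins the fingerprint printed on the CD verification page, which is why the "not certified" warning (TRUST_UNDEFINED) does not fail the check while a good signature from any other key does.

```python
from __future__ import annotations

import hashlib
import re
import tempfile
from pathlib import Path

# Fingerprint of the Debian CD signing key as the post shows it: the value to pin.
DEBIAN_CD_FPR = "DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B"

# Constructed sample of `gpg --status-fd 1 --verify SHA512SUMS.sign SHA512SUMS`
# output for a good signature (field layout per GnuPG doc/DETAILS; SIG_ID and
# timestamps are made up). The last VALIDSIG field is the primary key fingerprint.
GOOD_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] SIG_ID constructedSigId000 2014-02-10 1391970691
[GNUPG:] GOODSIG DA87E80D6294BE9B Debian CD signing key
[GNUPG:] VALIDSIG DF9B9C49EAA9298432589D76DA87E80D6294BE9B 2014-02-10 1391970691 0 4 0 1 10 00 DF9B9C49EAA9298432589D76DA87E80D6294BE9B
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
# Same shape, but signed by some other key (all-zero ids are placeholders).
WRONG_KEY_STATUS = (GOOD_STATUS
                    .replace("DF9B9C49EAA9298432589D76DA87E80D6294BE9B", "0" * 40)
                    .replace("DA87E80D6294BE9B", "0" * 16))
# What gpg reports before the key is imported (the post's first attempt).
NO_PUBKEY_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG DA87E80D6294BE9B 1 10 00 1391970691 9
[GNUPG:] NO_PUBKEY DA87E80D6294BE9B
"""


def normalize_fpr(fpr: str) -> str:
    """Drop whitespace and upper-case so fingerprints from any source compare equal."""
    return re.sub(r"\s+", "", fpr).upper()


def signature_is_trusted(status_output: str, expected_fpr: str) -> tuple[bool, str]:
    """Decide from gpg status lines whether SHA512SUMS is authentic.

    GOODSIG alone only says "some key we hold made this"; the fingerprint in
    VALIDSIG must equal the pinned one. TRUST_* lines (the source of the
    "not certified" warning) are informational here because pinning replaces them.
    """
    good = False
    signer_fpr = None
    for line in status_output.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # human-readable stderr noise, if any got mixed in
        fields = line.split()
        tag = fields[1]
        if tag in ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"):
            return False, f"gpg reported {tag}"
        if tag == "GOODSIG":
            good = True
        elif tag == "VALIDSIG":
            # fields[2] is the key that signed; fields[11], when present, is the
            # primary key fingerprint (differs only when a subkey signed).
            signer_fpr = fields[11] if len(fields) > 11 else fields[2]
    if not good or signer_fpr is None:
        return False, "no good signature found"
    if normalize_fpr(signer_fpr) != normalize_fpr(expected_fpr):
        return False, f"signed by unexpected key {signer_fpr}"
    return True, "good signature from pinned key"


def parse_sha512sums(text: str) -> dict[str, str]:
    """Parse coreutils SHA512SUMS lines: '<128 hex>  <name>' ('*' marks binary mode)."""
    sums = {}
    for line in text.splitlines():
        m = re.match(r"^([0-9a-fA-F]{128})\s+\*?(.+)$", line.strip())
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return sums


def iso_matches_sums(iso_path, sums_text: str) -> bool:
    """Hash the file in chunks (ISOs are large) and compare with the signed list."""
    path = Path(iso_path)
    expected = parse_sha512sums(sums_text).get(path.name)
    if expected is None:
        return False  # a file not in the signed list is unverified, not OK
    h = hashlib.sha512()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest() == expected


def demo() -> dict[str, bool]:
    """Exercise both checks on constructed data (a stand-in file, not a real ISO)."""
    results = {
        "pinned_key": signature_is_trusted(GOOD_STATUS, DEBIAN_CD_FPR)[0],
        "wrong_key": signature_is_trusted(WRONG_KEY_STATUS, DEBIAN_CD_FPR)[0],
        "missing_key": signature_is_trusted(NO_PUBKEY_STATUS, DEBIAN_CD_FPR)[0],
    }
    with tempfile.TemporaryDirectory() as d:
        iso = Path(d) / "debian-7.4.0-amd64-CD-1.iso"
        payload = b"constructed stand-in for the ISO contents\n" * 1000
        iso.write_bytes(payload)
        sums = hashlib.sha512(payload).hexdigest() + "  " + iso.name + "\n"
        results["good_iso"] = iso_matches_sums(iso, sums)
        iso.write_bytes(payload + b"x")  # one extra byte: corrupt or tampered download
        results["tampered_iso"] = iso_matches_sums(iso, sums)
        results["unlisted_iso"] = iso_matches_sums(iso, "")
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'accepted' if ok else 'rejected'}")
```

Order matters: run `signature_is_trusted` on the gpg output first, and only if it accepts the list should `iso_matches_sums` be consulted, since a checksum from an unsigned or wrongly signed SHA512SUMS proves nothing about who built the image.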
