Download the CD 1 ISO image as well as the signed checksum files (for verification) from the cdimage site. I opted to use the first CD image, which we will later write to a USB thumb drive as the installation media.
$ wget http://cdimage.debian.org/debian-cd/7.4.0/amd64/iso-cd/debian-7.4.0-amd64-CD-1.iso
$ wget http://cdimage.debian.org/debian-cd/7.4.0/amd64/iso-cd/SHA512SUMS
$ wget http://cdimage.debian.org/debian-cd/7.4.0/amd64/iso-cd/SHA512SUMS.sign
Due to recent exposure to keysigning, it is good practice to validate the ISO image using the checksum tool and to verify the authenticity of the ISO image. It took me a while of googling to find a proper step-by-step guide (in Chinese, but the instructions are quite obvious) to validate and verify the downloaded ISO images. Funny how the official documentation does not even have these instructions.
First, let's verify the checksum file to confirm this image was built by the authorized people. As the error message below shows, we're missing the public key needed to verify the signed checksum.
$ gpg --verify SHA512SUMS.sign SHA512SUMS
gpg: Signature made Isnin 10 Feb 2014 02:31:31 MYT using RSA key ID 6294BE9B
gpg: Can't check signature: public key not found
Find and add the public key that signed this checksum file. We can obtain this public key from Debian's own key server. Take note of the trust model lines in the output: this key is not yet fully valid or trustworthy according to the PGP trust model.
$ gpg --keyserver http://keyring.debian.org --recv-keys 6294BE9B
gpg: requesting key 6294BE9B from hkp server http://keyring.debian.org
gpg: key 6294BE9B: public key "Debian CD signing key" imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
To be safe, confirm that the aforementioned public key has been added locally. The fingerprint shown below should match the one published on Debian's CD authentication and verification page.
$ gpg --fingerprint 6294BE9B
pub   4096R/6294BE9B 2011-01-05
      Key fingerprint = DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B
uid                  Debian CD signing key
sub   4096R/11CD9819 2011-01-05
Let's verify the downloaded checksum file (SHA512SUMS) against its detached signature (SHA512SUMS.sign) using the Debian CD signing key we just added.
$ gpg --verify SHA512SUMS.sign SHA512SUMS
gpg: Signature made Isnin 10 Feb 2014 02:31:31 MYT using RSA key ID 6294BE9B
gpg: Good signature from "Debian CD signing key"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B
However, as the message above indicates, the signature is valid but the identity of the signer is unverified. Let's show the list of people who have signed this Debian CD signing key.
$ gpg --list-sigs 6294BE9B
pub   4096R/6294BE9B 2011-01-05
uid                  Debian CD signing key
sig          1B3045CE 2011-01-07  [User ID not found]
sig          3442684E 2011-01-05  [User ID not found]
sig          A40F862E 2011-01-05  [User ID not found]
sig          C542CD59 2011-01-05  [User ID not found]
sig          63C7CC90 2011-01-05  [User ID not found]
sig 3        6294BE9B 2011-01-05  Debian CD signing key
sub   4096R/11CD9819 2011-01-05
sig          6294BE9B 2011-01-05  Debian CD signing key
Import these public keys so that the signatures are listed with their owners' names and email addresses.
$ gpg --recv-keys 1B3045CE 3442684E A40F862E C542CD59 63C7CC90
$ gpg --list-sigs 6294BE9B
pub   4096R/6294BE9B 2011-01-05
uid                  Debian CD signing key
sig          1B3045CE 2011-01-07  Colin Tuckley
sig          3442684E 2011-01-05  Steve McIntyre
sig          A40F862E 2011-01-05  Neil McGovern
sig          C542CD59 2011-01-05  Adam D. Barratt
sig          63C7CC90 2011-01-05  Simon McVittie
sig 3        6294BE9B 2011-01-05  Debian CD signing key
sub   4096R/11CD9819 2011-01-05
sig          6294BE9B 2011-01-05  Debian CD signing key
Alternatively, you can find the list of users that signed the public key 6294BE9B by using the debian-keyring package.
$ sudo apt-get install debian-keyring
$ gpg --keyring /usr/share/keyrings/debian-keyring.gpg -kvv 6294BE9B

You can only verify the identity of the Debian CD signing key through the concept of the Web of Trust: go through the list of people above and either sign their public keys (if you have met them in real life or trust them through a fingerprint exchange) or ask them directly.
Lastly, let's check the ISO image file against the verified checksum list for corruption.
$ # stderr is silenced because SHA512SUMS also lists the other CD images, which were not downloaded
$ sha512sum -c SHA512SUMS 2> /dev/null | grep debian-7.4.0-amd64-CD-1.iso
debian-7.4.0-amd64-CD-1.iso: OK
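The steps above depend on a human reading gpg's output: gpg exits 0 for any cryptographically valid signature, including one from an unknown or untrusted key, and a short key ID such as 6294BE9B is only 32 bits, so a different key with the same short ID can be generated cheaply. The script below is an added example, not code from the original post or from Debian, that folds the same checks into functions which fail closed: it pins the full fingerprint shown in the post (which you must still compare against Debian's published CD authentication page), reads gpg's machine-readable `--status-fd` output for a `VALIDSIG` line instead of its exit status, and feeds only the relevant line of SHA512SUMS to `sha512sum -c` so the result reflects that one file. It assumes gpg and sha512sum are on PATH and that the downloaded files are in the current directory; the sample data in the accompanying checks is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): verify a Debian ISO by enforcing
# a pinned signing-key fingerprint and a per-file checksum check.
#
# Assumptions: gpg and sha512sum are on PATH; SHA512SUMS and SHA512SUMS.sign
# sit in the current directory alongside the ISO.

# Full fingerprint of the only key allowed to sign SHA512SUMS (taken from the
# post; confirm it against Debian's CD authentication page before relying on it).
# A short key ID is not a safe pin: short IDs collide cheaply.
PINNED_FPR="DF9B9C49EAA9298432589D76DA87E80D6294BE9B"

# Remove spaces and upper-case hex so "DF9B 9C49 ..." and "df9b9c49..." compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Take the status lines gpg emits with --status-fd and succeed only if a
# VALIDSIG line carries the pinned fingerprint. gpg's exit status is 0 for any
# valid signature regardless of who signed, so it is not used as the decision.
signature_by_pinned_key() {
    status_output=$1
    fpr=$(printf '%s\n' "$status_output" \
        | awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; exit }')
    [ -n "$fpr" ] && [ "$(normalize_fpr "$fpr")" = "$(normalize_fpr "$PINNED_FPR")" ]
}

# Verify the detached signature on the checksum list and enforce the pin.
# Human-readable messages go to stderr and are dropped; status lines go to stdout.
verify_sums_signature() {
    sums=$1; sig=$2
    status=$(gpg --status-fd 1 --verify "$sig" "$sums" 2>/dev/null) || return 1
    signature_by_pinned_key "$status"
}

# Check one file against the checksum list. Only the line naming that file is
# passed to sha512sum, so the exit status is about this file alone and the
# "No such file" noise for images that were not downloaded never appears.
# Returns 0 on match, 1 on mismatch, 2 if the file is not listed at all.
verify_one_file() {
    sums=$1; file=$2
    # Field 2 is the name in text mode ("hash  name") or "*name" in binary mode.
    line=$(awk -v f="$file" '$2 == f || $2 == "*" f { print; exit }' "$sums")
    [ -n "$line" ] || { echo "$file: not listed in $sums" >&2; return 2; }
    printf '%s\n' "$line" | sha512sum -c >/dev/null 2>&1
}

# Full check: trusted signature on the list first, then the file's own hash.
verify_iso() {
    sums=$1; sig=$2; iso=$3
    verify_sums_signature "$sums" "$sig" || { echo "signature check failed for $sums" >&2; return 1; }
    verify_one_file "$sums" "$iso" || { echo "checksum check failed for $iso" >&2; return 1; }
    echo "$iso: signature and checksum OK"
}

# Usage with the files from the post:
#   verify_iso SHA512SUMS SHA512SUMS.sign debian-7.4.0-amd64-CD-1.iso
```

`verify_iso` exits non-zero on any failure, so it can gate the step that writes the image to the thumb drive. The order matters: the checksum list is only meaningful after its signature has been tied to the pinned key, which is why `verify_sums_signature` runs first.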