For reasons I did not foresee, I need to revive my unused server and install Debian 7 (Wheezy), the latest stable release, on it. It has been a while since I last used Debian as my primary GNU/Linux distro rather than its sibling, Ubuntu. Some notes regarding the installation procedure follow.
Download the ISO CD 1 image as well as the signed checksum files (for verification) from the cdimage site. I opted for the first CD image, which we will later write to a USB thumbdrive as the installation media.
$ wget http://cdimage.debian.org/debian-cd/7.4.0/amd64/iso-cd/debian-7.4.0-amd64-CD-1.iso
$ wget http://cdimage.debian.org/debian-cd/7.4.0/amd64/iso-cd/SHA512SUMS
$ wget http://cdimage.debian.org/debian-cd/7.4.0/amd64/iso-cd/SHA512SUMS.sign
Having recently been exposed to keysigning, I think it is good practice to validate the ISO image with the checksum tool and to verify its authenticity with the signature. It took me a while of googling to find a proper step-by-step guide (in Chinese, but the instructions are quite obvious) to validate and verify the downloaded ISO images. Funny how the official documentation does not even have these instructions.
First, let's verify the signature on the checksum file to confirm that it was published by the Debian CD team. As the error message below shows, we are missing the public key needed to verify the signed checksum file.
$ gpg --verify SHA512SUMS.sign SHA512SUMS
gpg: Signature made Isnin 10 Feb 2014 02:31:31 MYT using RSA key ID 6294BE9B
gpg: Can't check signature: public key not found
Find and import the public key that signed this checksum file. We can obtain it from Debian's own key server. Note that gpg is happy to fetch a key by its short 8-hex-digit ID, but short IDs are not unique, so the fingerprint comparison in the next step is what actually ties this key to Debian. Also take note of the trust lines in the output: the only valid key at depth 0 is our own ultimately trusted one (1u); the newly imported key is not yet valid or trustworthy under the PGP trust model, because nobody we trust has certified it.
$ gpg --keyserver http://keyring.debian.org --recv-keys 6294BE9B
gpg: requesting key 6294BE9B from hkp server http://keyring.debian.org
gpg: key 6294BE9B: public key "Debian CD signing key <debian-cd@lists.debian.org>" imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
To be safe, confirm that the public key has been imported locally and, more importantly, compare its full fingerprint with the one published on the Debian CDs authentication and verification page. This comparison is the step that defends against a look-alike key served by the keyserver; a matching short key ID alone proves nothing.
$ gpg --fingerprint 6294BE9B
pub 4096R/6294BE9B 2011-01-05
Key fingerprint = DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B
uid Debian CD signing key <debian-cd@lists.debian.org>
sub 4096R/11CD9819 2011-01-05
Now verify the detached signature (SHA512SUMS.sign) over the downloaded checksum file (SHA512SUMS) with the imported Debian CD signing key.
$ gpg --verify SHA512SUMS.sign SHA512SUMS
gpg: Signature made Isnin 10 Feb 2014 02:31:31 MYT using RSA key ID 6294BE9B
gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B
As the message above indicates, the signature is valid, but as far as gpg is concerned the identity behind the key is unverified. Let's list the people who have signed this Debian CD signing key.
$ gpg --list-sigs 6294BE9B
pub 4096R/6294BE9B 2011-01-05
uid Debian CD signing key <debian-cd@lists.debian.org>
sig 1B3045CE 2011-01-07 [User ID not found]
sig 3442684E 2011-01-05 [User ID not found]
sig A40F862E 2011-01-05 [User ID not found]
sig C542CD59 2011-01-05 [User ID not found]
sig 63C7CC90 2011-01-05 [User ID not found]
sig 3 6294BE9B 2011-01-05 Debian CD signing key <debian-cd@lists.debian.org>
sub 4096R/11CD9819 2011-01-05
sig 6294BE9B 2011-01-05 Debian CD signing key <debian-cd@lists.debian.org>
Import these public keys so that their corresponding names and email addresses are shown.
$ gpg --recv-keys 1B3045CE 3442684E A40F862E C542CD59 63C7CC90
$ gpg --list-sigs 6294BE9B
pub 4096R/6294BE9B 2011-01-05
uid Debian CD signing key <debian-cd@lists.debian.org>
sig 1B3045CE 2011-01-07 Colin Tuckley
sig 3442684E 2011-01-05 Steve McIntyre
sig A40F862E 2011-01-05 Neil McGovern
sig C542CD59 2011-01-05 Adam D. Barratt
sig 63C7CC90 2011-01-05 Simon McVittie
sig 3 6294BE9B 2011-01-05 Debian CD signing key <debian-cd@lists.debian.org>
sub 4096R/11CD9819 2011-01-05
sig 6294BE9B 2011-01-05 Debian CD signing key <debian-cd@lists.debian.org>
Alternatively, you can find the list of people who signed the public key 6294BE9B using the debian-keyring package, which ships the keys of Debian developers:
$ sudo apt-get install debian-keyring
$ gpg --keyring /usr/share/keyrings/debian-keyring.gpg -kvv 6294BE9B
Beyond comparing the fingerprint against Debian's website, you can only verify the identity of the Debian CD signing key through the Web of Trust [7]: go through the list of people above and either sign their public keys (having met them in real life or verified their fingerprints in person) or ask them directly.
Lastly, check the ISO image for corruption or tampering against the checksum file we just verified. Note that sha512sum -c treats every argument as a list of checksums, so passing the ISO itself as a second argument is a mistake (its errors were only hidden by the 2> /dev/null), and piping into grep throws away the exit status. Select the one line we need from SHA512SUMS instead and let sha512sum read it from standard input:
$ grep debian-7.4.0-amd64-CD-1.iso SHA512SUMS | sha512sum -c -
debian-7.4.0-amd64-CD-1.iso: OK
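As an added example (not part of the original post), here is the whole chain above in one script: it runs gpg with --status-fd so the verdict comes from machine-readable status lines rather than from eyeballing "Good signature", it pins the full fingerprint of the Debian CD signing key printed above instead of the short key ID, and it does what sha512sum -c does for the one file we downloaded, in the right order (signature on the checksum file first, then the ISO). The fingerprint is the one shown above; the gpg status lines and the stand-in ISO used by demo() are constructed here, and verify_iso() assumes gpg is on PATH with the key already imported.

```python
import hashlib
import os
import subprocess
import tempfile

# Full fingerprint of the Debian CD signing key, as printed by gpg --fingerprint
# above. Pinning all 40 hex digits matters: an 8-digit short ID such as 6294BE9B
# is trivial to collide, so "the keyserver returned a key with that ID" proves
# nothing by itself.
DEBIAN_CD_KEY_FPR = "DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B"

# gpg status keywords after which a signature must not be accepted.
FATAL_SIG_STATUS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


def parse_gpg_status(status_text, expected_fpr):
    """Decide from `gpg --status-fd` lines whether a signature is acceptable.

    Returns (ok, reason). Only a VALIDSIG line carrying the pinned fingerprint
    counts: GOODSIG alone says the maths checked out for *some* key, and the
    "not certified with a trusted signature" warning on stderr is beside the
    point once the key has been pinned out of band.
    """
    expected = expected_fpr.replace(" ", "").upper()
    saw_goodsig = False
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword = fields[1]
        if keyword in FATAL_SIG_STATUS:
            return False, "gpg reported %s" % keyword
        if keyword == "GOODSIG":
            saw_goodsig = True
        elif keyword == "VALIDSIG":
            # VALIDSIG <fpr> <date> <timestamp> <expiry> <ver> <reserved>
            #          <pubkey-algo> <hash-algo> <sig-class> [<primary-key-fpr>]
            fprs = {fields[2].upper()}
            if len(fields) > 11:
                fprs.add(fields[11].upper())
            if expected in fprs:
                return True, "valid signature from pinned key"
            return False, "valid signature, but from unexpected key %s" % fields[2]
    if saw_goodsig:
        return False, "GOODSIG without VALIDSIG"
    return False, "no signature status found"


def parse_sums(sums_text):
    """Parse sha512sum-style lines ('<hex digest>  <name>'; a '*' prefix means binary mode)."""
    sums = {}
    for line in sums_text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue
        digest, name = parts
        sums[name.lstrip("*")] = digest.lower()
    return sums


def sha512_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-512; an ISO is far too large to read at once."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def check_file_against_sums(sums_text, name, path):
    """Equivalent of `sha512sum -c` for one listed file; returns (ok, reason)."""
    sums = parse_sums(sums_text)
    if name not in sums:
        return False, "%s is not listed in the checksum file" % name
    if sha512_of_file(path) != sums[name]:
        return False, "%s: FAILED" % name
    return True, "%s: OK" % name


def verify_iso(sums_path, sig_path, iso_name, iso_path, expected_fpr=DEBIAN_CD_KEY_FPR):
    """Full chain: signature over the checksum file first, then the ISO's hash.

    A checksum file nobody signed proves nothing about the ISO, so the hash is
    only compared after the signature check passes. Assumes gpg is on PATH.
    """
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", sig_path, sums_path],
        stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, universal_newlines=True)
    ok, reason = parse_gpg_status(proc.stdout, expected_fpr)
    if not ok:
        return False, "signature on %s: %s" % (sums_path, reason)
    with open(sums_path) as f:
        return check_file_against_sums(f.read(), iso_name, iso_path)


# Constructed gpg status output mimicking the runs above (1391970691 is
# 10 Feb 2014 02:31:31 MYT, the signature time shown in the post, as UTC seconds).
FPR = DEBIAN_CD_KEY_FPR.replace(" ", "")
GOOD_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG DA87E80D6294BE9B Debian CD signing key <debian-cd@lists.debian.org>\n"
    "[GNUPG:] VALIDSIG %s 2014-02-09 1391970691 0 4 0 1 10 00 %s\n"
    "[GNUPG:] TRUST_UNDEFINED\n" % (FPR, FPR))
BAD_STATUS = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG DA87E80D6294BE9B Debian CD signing key\n"
WRONG_KEY_STATUS = (
    "[GNUPG:] GOODSIG 0123456789ABCDEF Someone Else <someone@example.com>\n"
    "[GNUPG:] VALIDSIG %s 2014-02-09 1391970691 0 4 0 1 10 00 %s\n" % ("0" * 40, "0" * 40))
MISSING_KEY_STATUS = (
    "[GNUPG:] ERRSIG DA87E80D6294BE9B 1 10 00 1391970691 9\n"
    "[GNUPG:] NO_PUBKEY DA87E80D6294BE9B\n")


def demo():
    """Exercise the checks on the constructed status lines and a tiny stand-in ISO."""
    results = {
        "good_sig": parse_gpg_status(GOOD_STATUS, DEBIAN_CD_KEY_FPR)[0],
        "bad_sig": parse_gpg_status(BAD_STATUS, DEBIAN_CD_KEY_FPR)[0],
        "wrong_key": parse_gpg_status(WRONG_KEY_STATUS, DEBIAN_CD_KEY_FPR)[0],
        "missing_key": parse_gpg_status(MISSING_KEY_STATUS, DEBIAN_CD_KEY_FPR)[0],
    }
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(b"constructed stand-in for the ISO payload\n")
        iso = "debian-7.4.0-amd64-CD-1.iso"
        sums_text = "%s  %s\n%s  other.iso\n" % (sha512_of_file(path), iso, "0" * 128)
        results["sum_ok"] = check_file_against_sums(sums_text, iso, path)[0]
        results["sum_mismatch"] = check_file_against_sums(sums_text, "other.iso", path)[0]
        results["sum_unlisted"] = check_file_against_sums(sums_text, "nope.iso", path)[0]
    finally:
        os.unlink(path)
    return results


if __name__ == "__main__":
    for name, ok in sorted(demo().items()):
        print("%-13s %s" % (name, "accept" if ok else "reject"))
```

To use it on a real download, call verify_iso("SHA512SUMS", "SHA512SUMS.sign", "debian-7.4.0-amd64-CD-1.iso", "debian-7.4.0-amd64-CD-1.iso") after importing the key as shown above; a key with the right short ID but the wrong fingerprint is rejected with "unexpected key", which is exactly the case the gpg WARNING lines leave to you.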