Verifying Debian ISOs downloaded from the web

Posted on 2016-04-14

Recently one of the popular GNU/Linux distros, “Linux Mint”, had its ISO installer images compromised. A joe user who downloaded the image and installed the system, thinking “any GNU/Linux system must be more secure than Windows”, would have paid the price! The joe user could be me on a busy day when I badly want a Unix system up so I can get some work done. It could be anyone. This situation can be easily avoided.

Any public software download should be verified. When you install a package, the package manager checks its hashes. But hashes by themselves are not enough: the package manager also verifies the signature on the package metadata, which is signed with GPG keys. Unless those keys are themselves verified, one is under an illusion of security. Some distros, like Debian, take these things very seriously. Some don’t.

What about the ISOs you download for the installation of GNU/Linux?

Debian has a Verify page which is rather cryptic and assumes that the user already knows how to use GPG. In practice, verification is really easy.

Suppose you downloaded the Debian ‘testing’ weekly image. The page above gives the ID of the public key that signs the weekly images as 09EA8AC3. The first step is to download that public key into your keyring:

$ gpg --recv-keys 09EA8AC3 --keyserver keyring.debian.org

This produces the output below. Note the first two lines: because --keyserver was given after --recv-keys, gpg treated the option and its argument as key IDs and fell back to its default keyserver (pgp.mit.edu). Writing the option first, as in gpg --keyserver keyring.debian.org --recv-keys 09EA8AC3, avoids that. The key was still fetched; here it was already in the keyring, hence “not changed”:

gpg: "--keyserver" not a key ID: skipping
gpg: "keyring.debian.org" not a key ID: skipping
gpg: requesting key 09EA8AC3 from hkp server pgp.mit.edu
gpg: key 09EA8AC3: "Debian Testing CDs Automatic Signing Key <debian-cd@lists.debian.org>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

Now, download the files SHA256SUMS and SHA256SUMS.sign (the detached signature) from the same place as the image, and run:

$ gpg --verify SHA256SUMS.sign SHA256SUMS

… and this produces the following output:

gpg: Signature made Monday 11 April 2016 12:43:13 PM IST using RSA key ID 09EA8AC3
gpg: Good signature from "Debian Testing CDs Automatic Signing Key <debian-cd@lists.debian.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: F41D 3034 2F35 4669 5F65  C669 4246 8F40 09EA 8AC3

Now, carefully read the Primary key fingerprint line and make sure it matches the fingerprint given on the Verify page. The WARNING above is expected: gpg says the key is “not certified” because you have not personally marked it as trusted, which is exactly why you compare the fingerprint against the one Debian publishes.

This verifies that the signature corresponds to the supplied plain-text file. Now we are sure that the SHA256SUMS file really came from the Debian project, so one can compute the sha256sum of the downloaded image and check that it matches the entry for that file in SHA256SUMS.
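Putting the two steps together, here is a small POSIX shell script written for this post (it is an added example, not Debian's own tooling; the file name verify-iso.sh and the function names are my own). It assumes GNU coreutils sha256sum and, for the signature step, gpg with the signing key already fetched as shown above; the hash check itself needs neither gpg nor the network.

```shell
#!/bin/sh
# verify-iso.sh (hypothetical name): check a downloaded Debian image against
# the signed SHA256SUMS file. Assumes GNU coreutils sha256sum and, for the
# signature step, gpg with the signing key already in the keyring.

# Returns 0 only if gpg reports GOODSIG on the sums file; the fingerprint of
# the signing key must still be compared by eye against the Verify page.
verify_sums_signature() {
    sig=$1
    sums=$2
    gpg --status-fd 1 --verify "$sig" "$sums" 2>/dev/null \
        | grep -q '^\[GNUPG:\] GOODSIG '
}

# Returns 0 if the image's sha256 matches the entry for its basename in the
# SHA256SUMS file, 1 if the digest differs, 2 if the file is not listed.
check_iso_hash() {
    sums=$1
    iso=$2
    name=$(basename "$iso")
    # SHA256SUMS lines are "<hex>  <filename>"; some tools prefix a binary-mode
    # marker "*" to the name, so strip it before comparing.
    expected=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f) }
                                 f == n { print tolower($1) }' "$sums")
    [ -n "$expected" ] || return 2
    actual=$(sha256sum "$iso" | awk '{ print tolower($1) }')
    [ "$actual" = "$expected" ]
}

# Usage: sh verify-iso.sh SHA256SUMS debian-testing-amd64-netinst.iso
# Expects SHA256SUMS.sign next to SHA256SUMS.
if [ "$#" -eq 2 ]; then
    verify_sums_signature "$1.sign" "$1" \
        || { echo "bad or missing signature on $1" >&2; exit 1; }
    if check_iso_hash "$1" "$2"; then
        echo "OK: $2 matches its entry in $1"
    else
        echo "FAILED: $2 does not match $1 (or is not listed)" >&2
        exit 1
    fi
fi
```

The script refuses the image if the signature check fails, so a SHA256SUMS file that was swapped along with the image (as in the Mint incident) is caught before any hash is compared.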