Can't Complete *.iso verification
I am trying to verify a debian iso. I would like to have an official hkp address so that I can verify debian 8..5 lxde amdx64 file authenticity and integrity. I have succeeded with the address eu.pool.sks-keyservers.net, but this is not an official debian url. Specifically I am executing the following commands from terminal:
Code:
gpg --keyserver eu.pool.sks-keyservers.net --recv-keys 0x6294BE9B
gpg: requesting key 6294BE9B from hkp server eu.pool.sks-keyservers.net
gpg: key 6294BE9B: public key "Debian CD signing key <debian-cd@lists.debian.org>" imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
Notice how this fails with 1)
https://keyring.debian.org and 2)
debian-cd@lists.debian.org :
Fail msg 1)
Code:
$ gpg --keyserver https://keyring.debian.org --recv-keys 0x6294BE9B
gpg: requesting key 6294BE9B from https server keyring.debian.org
gpgkeys: protocol 'https' not supported
gpg: no handler for keyserver scheme 'https'
gpg: keyserver receive failed: keyserver error
Fail msg 2)
Code:
$ gpg --keyserver debian-cd@lists.debian.org --recv-keys 0x6294BE9Bgpg: requesting key 6294BE9B from hkp server lists.debian.org?: lists.debian.org: Network is unreachablegpgkeys: HTTP fetch error 7: could not connect: Network is unreachable
gpg: no valid OpenPGP data found.gpg: Total number processed: 0
I am implementing the Verify ISO tutorial procedure found
https://help.ubuntu.com/community/VerifyIsoHowto.
Procedure outline:
A) Download SHA256SUMS and SHA256SUMS.gpg from
http://cdimage.debian.org/debian-cd/...64/iso-hybrid/
B) Get the key
. 1) Display what key was used to issue the signature
Code:
$ gpg --verify SHA256SUMS.sign SHA256SUMS
. 2) Obtain the public key from the Ubuntu key server
To add the wanted key automatically to your keyring from the Ubuntu keyserver and calculate its trust:
Code:
$ gpg --keyserver eu.pool.sks-keyservers.net --recv-keys 0x6294BE9B
. 3) Verify the key fingerprints:
Code:
$ gpg --list-keys --with-fingerprint 0x6294BE9B
C) Verify the signature
Code:
$ gpg --verify SHA256SUMS.sign SHA256SUMS
D) Check the ISO
Code:
$ sha256sum -c <(grep debian-live-8.5.0-amd64-lxde-desktop.iso SHA256SUMS)
. This step really seems pointless. I have already checked the man pages for sha256sum and even commonly use the grep command, but I still am not clear what the hell this command is doing! More specifically, it can only be logical to have a command "cmd1" that checks two things against each other, thus commands should look like
Code:
cmd1 -option original new
or like the above two gpg commands
Code:
$ gpg --list-keys --with-fingerprint 0x6294BE9B
$ gpg --verify SHA256SUMS.sign SHA256SUMS
< gpg (option) file1 file2 >
But the above "sha256sum -c <(grep..." line makes no sense since it is never specified what file it is checking the first checksum (debian-live-8.5.0-amd64-lxde-desktop.iso) against. It is just like an incomplete sentence. I really need help understanding sha256sum syntax and just what processes sha256sum is actually doing.
E) Burn iso to media
F) Check media drive still has same (
https://help.ubuntu.com/community/HowToSHA256SUM)
Code:
$ sudo fdisk -l (lookup location of burnt iso media)
$ sudo sha256sum /dev/sdc1
Does Debian even have its own hkp website? Does anyone have a better way of verifying *.iso files?