How to verify authenticity of downloaded Debian ISO images
UPDATE - 2018-03-10: The Debian team released the fourth update of its stable distribution Debian 9 (codename stretch).
When you download an official Debian ISO image, you can use the signed checksum files published alongside it to validate that the image you downloaded is the genuine, unmodified one.
Basically you want to check two things:
- that the checksum file has not been tampered with, and
- that the ISO image checksum matches the one expected from the checksum file
Here I will explain how to do these checks using the sha512sum and gpg tools.
Download a Debian ISO image
Download the ISO image and its signed checksum files from one of the registered mirrors. Note that some mirrors may not be up to date; in that case, use the primary CD image server (cdimage.debian.org). Fetch all three files over HTTPS, as below, since the signature only says something about the exact SHA512SUMS file you downloaded.
$ wget -c https://cdimage.debian.org/debian-cd/9.4.0-live/amd64/iso-hybrid/debian-live-9.4.0-amd64-gnome.iso
$ wget https://cdimage.debian.org/debian-cd/9.4.0-live/amd64/iso-hybrid/SHA512SUMS
$ wget https://cdimage.debian.org/debian-cd/9.4.0-live/amd64/iso-hybrid/SHA512SUMS.sign
First, you verify the authenticity of the SHA512SUMS checksum file, which will then be used to verify the content of the Debian ISO image.
Import Debian public key
The Debian CD signing key is probably not in your keyring yet, so first try to verify the signature and see what gpg reports.
$ gpg --verify SHA512SUMS.sign
gpg: assuming signed data in `SHA512SUMS'
gpg: Signature made Sun 18 Jun 2017 02:32:31 CEST using RSA key ID 6294BE9B
gpg: Can't check signature: public key not found
If you see the message
gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>"
then you already have the Debian public key; otherwise you need to download it from the Debian keyring server.
The output of the previous command gives you the ID of the public key to import, which in this case is 6294BE9B, so import the key with this command. Keep in mind that 6294BE9B is only a short (32-bit) key ID, and short IDs are cheap to collide: anyone can generate a key with the same short ID and upload it to a keyserver. Do not trust the key just because it was found under that ID; the fingerprint comparison in the next step is what actually establishes its authenticity.
$ gpg --keyserver keyring.debian.org --recv 6294BE9B
gpg: requesting key 6294BE9B from hkp server keyring.debian.org
gpg: key 6294BE9B: public key "Debian CD signing key <debian-cd@lists.debian.org>" imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 3 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 3u
gpg: next trustdb check due at 2021-01-25
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
Validate the checksum file
Now you can check that the checksum file has not been tampered with by verifying its signature, which should be reported as good.
$ gpg --verify SHA512SUMS.sign SHA512SUMS
gpg: Signature made Sun 18 Jun 2017 02:32:31 CEST using RSA key ID 6294BE9B
gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B
The last line shows the fingerprint of the key used to sign the file. Compare it with the ones listed on the https://www.debian.org/CD/verify page, which lists the fingerprints of the keys that have been used to sign Debian releases in recent years. The two WARNING lines are expected: they only mean that nobody in your own web of trust has certified this key, so the fingerprint comparison is the step that actually ties the signature to Debian. If the fingerprint does not match, stop here and do not use the image.
Verify ISO image content
Finally, you can check that the ISO image checksum matches the one expected from the checksum file, using this command. SHA512SUMS lists every image of the release, so sha512sum complains about the ones you did not download; 2>/dev/null hides those warnings and the grep picks out the line for your image. Make sure that line ends in OK: a FAILED line means the download is corrupt or has been altered.
$ sha512sum -c SHA512SUMS 2>/dev/null | grep debian-live-9.4.0-amd64-gnome.iso
debian-live-9.4.0-amd64-gnome.iso: OK
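The same procedure as a script, so that it can be run unattended and fails closed. This is an added example, not code from the original post or from Debian: it assumes gpg 2.x and GNU coreutils are installed, that the Debian CD signing key has already been imported as shown above, and that the expected fingerprint (EXPECTED_FPR, taken here from the gpg output quoted above) has been checked against https://www.debian.org/CD/verify by hand. Instead of grepping for the human-readable "Good signature" text, it reads gpg's machine-readable status output and requires the full 40-digit fingerprint to match, and it checks only the SHA512SUMS line for the image you have, so no other output needs to be silenced.

```shell
#!/bin/sh
# Added example (not from the original post): verify a Debian ISO end to end.
# Assumptions: gpg >= 2.1, GNU coreutils sha512sum, the Debian CD signing key
# already imported, and EXPECTED_FPR verified against debian.org/CD/verify.

# Full fingerprint of the Debian CD signing key, as printed by gpg above.
EXPECTED_FPR="DF9B9C49EAA9298432589D76DA87E80D6294BE9B"

# Read gpg --status-fd output on stdin and print the fingerprint from the
# VALIDSIG line, which gpg emits only when the signature actually verified.
# Field 3 is the signing key's fingerprint; when gpg appends the primary key
# fingerprint as the last field (40 hex digits), prefer that one, because the
# debian.org page lists primary key fingerprints. Prints nothing on failure.
validsig_fingerprint() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" {
             print (length($NF) == 40 ? $NF : $3); exit
         }'
}

# Verify the detached signature on the checksum file and require that the
# signing key's fingerprint equals the expected one. Returns 0 only then.
verify_sums_signature() {
    sums_file=$1; sig_file=$2; expected=$3
    got=$(gpg --batch --status-fd 1 --verify "$sig_file" "$sums_file" 2>/dev/null \
          | validsig_fingerprint)
    [ -n "$got" ] && [ "$got" = "$expected" ]
}

# Check one image against the signed checksum list. Only the line naming this
# image is fed to sha512sum -c, so the other images listed in SHA512SUMS that
# were never downloaded cannot cause spurious errors, and an image that is not
# listed at all fails (sha512sum -c rejects empty input). Returns sha512sum's
# exit status: 0 for OK, non-zero for a mismatch or a missing entry.
verify_iso_checksum() {
    sums_file=$1; iso=$2
    awk -v f="$iso" '$2 == f' "$sums_file" | sha512sum -c - >/dev/null 2>&1
}

# Usage: ./verify-debian-iso.sh debian-live-9.4.0-amd64-gnome.iso
# (run in the directory holding the ISO, SHA512SUMS and SHA512SUMS.sign)
main() {
    iso=$1
    if ! verify_sums_signature SHA512SUMS SHA512SUMS.sign "$EXPECTED_FPR"; then
        echo "SHA512SUMS: bad signature or unexpected signing key" >&2
        exit 1
    fi
    if ! verify_iso_checksum SHA512SUMS "$iso"; then
        echo "$iso: checksum mismatch or not listed in SHA512SUMS" >&2
        exit 1
    fi
    echo "$iso: signature and checksum verified"
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

The order matters: the signature is checked before the checksum, because a SHA512SUMS file that does not carry a valid signature from the expected key proves nothing, however well the hashes match.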
Now, you are ready to use your Debian.
Danilo