Verifying digital signatures: Debian Linux

The downloaded copy of the operating system must also have its digital signature verified before it is installed on a new host or virtual machine. To learn more, read Verifying digital signatures.

To download and verify the digital signature of the most recent version of Debian Linux:

a) Go to https://cdimage.debian.org/debian-cd/current/$ARCH/iso-dvd/

b) Download the following files to the same directory: debian-$VERSION-$ARCH-DVD-1.iso (the first DVD image is enough for the usual installation), SHA256SUMS and SHA256SUMS.sign

$ARCH may be, among other options, ‘amd64’ or ‘i386’.

c) Verify the digital signature:

$ gpg --verify SHA256SUMS.sign

GPG output shows that the developer’s public key was automatically imported:

gpg: key DA87E80D6294BE9B: public key "Debian CD signing key <debian-cd@lists.debian.org>" imported

d) Look in the gpg output for:

gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>"
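
The signature in step c) covers only the SHA256SUMS file, so the ISO itself still has to be matched against its entry in that file. The script below is an added example, not part of the original page: it checks gpg's machine-readable status output for the key ID shown above and then compares the ISO's SHA-256 with the signed list. The function names are hypothetical, and it assumes gpg and GNU sha256sum are installed and the signing key is already in the keyring.

```shell
#!/bin/sh
# Added example; assumes gpg and sha256sum (GNU coreutils) are installed.
# Long key ID taken from the gpg output shown on this page.
DEBIAN_CD_KEYID="DA87E80D6294BE9B"

# Reads `gpg --status-fd 1` lines on stdin. Succeeds only if gpg reported
# GOODSIG and a VALIDSIG whose key fingerprint ends in the given key ID.
status_signed_by() {
    awk -v id="$1" '
        $1 == "[GNUPG:]" && $2 == "GOODSIG" { good = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            fpr = toupper($3); n = length(id)
            if (length(fpr) >= n && substr(fpr, length(fpr) - n + 1) == toupper(id))
                valid = 1
        }
        END { exit ((good && valid) ? 0 : 1) }'
}

# Steps c) and d): verify the detached signature over SHA256SUMS.
verify_sums_signature() {
    gpg --status-fd 1 --verify "$1/SHA256SUMS.sign" "$1/SHA256SUMS" 2>/dev/null |
        status_signed_by "$DEBIAN_CD_KEYID"
}

# Compare the ISO's SHA-256 with its entry in the signed SHA256SUMS.
# Returns 2 when the ISO has no entry, 1 on mismatch, 0 on match.
verify_iso_checksum() {
    dir=$1; iso=$2
    expected=$(awk -v f="$iso" '$2 == f || $2 == ("*" f) { print $1; exit }' "$dir/SHA256SUMS")
    [ -n "$expected" ] || { echo "no entry for $iso in SHA256SUMS" >&2; return 2; }
    actual=$(sha256sum "$dir/$iso" | awk '{ print $1 }')
    [ "$expected" = "$actual" ] || { echo "checksum mismatch for $iso" >&2; return 1; }
}

# Both checks in order; the checksum means nothing unless the signature passed.
verify_debian_iso() {
    verify_sums_signature "$1" || { echo "signature check failed" >&2; return 1; }
    verify_iso_checksum "$1" "$2"
}

# Usage: verify_debian_iso /path/to/downloads debian-$VERSION-$ARCH-DVD-1.iso
```

A 64-bit key ID is only the tail of the fingerprint, so compare the full fingerprint against one obtained from a source you trust before relying on the result.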