The downloaded copy of the operating system must also have its digital signature verified before installation on a new host or virtual machine. Because the majority of examples here at the Stakey Club use Debian Linux, this article will show how to verify a Debian Linux image before installation. To learn more read Verifying digital signatures.
Learn more about Debian Verifier, a shell script for macOS and Linux that automates the digital signature verification process.
To download and verify the digital signature and hashes of the most recent version of Debian Linux:
a) Go to https://cdimage.debian.org/debian-cd/current/$ARCH/iso-dvd/. If you’d rather download a smaller image, containing only the Debian core packages, go to https://cdimage.debian.org/cdimage/release/current/multi-arch/iso-cd/. The packages not included in ‘netinst’ image but selected during the installation will be downloaded from the Internet.
$ARCH may be, among other options, ‘amd64’ or ‘i386’.
b) Download to the same directory the files
debian-$VERSION-$ARCH-DVD-1.iso (the first DVD image is enough for the usual installation),
SHA256SUMS.sign. If you’d rather download the smaller image, named ‘netinst’, look for the file named
debian-$VERSION-amd64-i386-netinst.iso and also download files
SHA256SUMS.sign from the same folder.
c) Verify the digital signature:
$ gpg --verify SHA256SUMS.sign
GPG output shows that the developer’s public key was automatically imported:
gpg: key DA87E80D6294BE9B: public key "Debian CD signing key <email@example.com>" imported
If the key wasn’t automatically imported, it will be necessary to manually import the keys shown at web page https://www.debian.org/CD/verify and issue the same command after that.
$ gpg --keyserver keyring.debian.org --recv-keys 0x64E6EA7D 0x6294BE9B 0x09EA8AC3
d) Look in the gpg output for:
gpg: Good signature from "Debian CD signing key <firstname.lastname@example.org>
e) To generate the hash and compare it with the hashes inside the manifest
$ grep `sha256sum debian-$VERSION-$ARCH-DVD-1.iso` SHA256SUMS or $ grep `sha256sum debian-$VERSION-amd64-i386-netinst.iso` SHA256SUMS
$ grep `shasum -a 256 debian-$VERSION-$ARCH-DVD-1.iso` SHA256SUMS or $ grep `shasum -a 256 debian-$VERSION-amd64-i386-netinst.iso` SHA256SUMS
If the command above returns nothing it means the hash wasn’t found in the manifest named
SHA256SUMS and probably the file was modified after its creation.