Discussion:
General questions
타토카
2024-07-08 17:30:02 UTC
Hello, dear Debian Community. I have several questions:
1. Are all subscriptions to Debian free?
2. How to check Debian Image Authentication? Is checksum verification
(sha216sum, sha512sum) enough? Should I verify with GPG? If so, how can I
do that? Or can you give me any additional advice to do right verification?
Greg Wooledge
2024-07-08 17:40:01 UTC
Post by 타토카
1. Are all subscriptions to Debian free?
Debian is Free Software. You are allowed to download it, in both binary
and source forms, without requiring a subscription, or a license, other
than the Free Software licenses that apply to each part of Debian.

There are a few different Free Software licenses, and mostly they just
reaffirm your rights to use and to distribute the software. One of
them, the GNU General Public License, prevents you from placing any
additional restrictions on the software if you distribute it to other
people. (If you aren't distributing the software to other people, then
none of this matters to you.)

If you want to pay for support, there are some companies who might provide
such a service, but those would be independent of Debian.
Post by 타토카
2. How to check Debian Image Authentication? Is checksum verification
(sha216sum, sha512sum) enough? Should I verify with GPG? If so, how can I
do that? Or can you give me any additional advice to do right verification?
https://www.debian.org/CD/verify
t***@tuxteam.de
2024-07-08 17:50:02 UTC
Post by 타토카
1. Are all subscriptions to Debian free?
2. How to check Debian Image Authentication? Is checksum verification
(sha216sum, sha512sum) enough? Should I verify with GPG? If so, how can I
do that? Or can you give me any additional advice to do right verification?
Most of your questions are addressed here:

https://www.debian.org/

Yes, Debian is a free operating system, meaning that you are allowed
to use, modify and give the software to others, as long as you limit
yourself to the "free" repository. Other licenses may apply to the
"non-free" section.

Here's how you verify downloaded installation media:

https://www.debian.org/CD/verify

Packages are signed; the package manager takes care of verifying their
signatures before install:

https://www.debian.org/doc/manuals/securing-debian-manual/deb-pack-sign.en.html

Enjoy
--
tomás
Dan Ritter
2024-07-08 18:00:01 UTC
Post by 타토카
1. Are all subscriptions to Debian free?
Yes. There are non-Debian businesses which can sell you support,
if you like, but Debian software is all free.
Post by 타토카
2. How to check Debian Image Authentication? Is checksum verification
(sha216sum, sha512sum) enough? Should I verify with GPG? If so, how can I
do that? Or can you give me any additional advice to do right verification?
Verify a downloaded image with the checksum:

https://www.debian.org/CD/verify

After that, package updates from Debian HTTPS sources will be
good.

-dsr-
Thomas Schmitt
2024-07-08 18:10:01 UTC
Hi,
Post by 타토카
2. How to check Debian Image Authentication?
Is checksum verification (sha216sum, sha512sum) enough?
Only if you trust the site from where you downloaded the ISO.
In that case you'd use the checksums in the files SHA256SUMS and
SHA512SUMS as a mere check of whether the download delivered what the server
operators intended.
Post by 타토카
Should I verify with GPG?
The signatures in the files SHA256SUMS.sign and SHA512SUMS.sign verify that
the checksums in SHA256SUMS and SHA512SUMS are authorized by the Debian
developers who are in charge of image production.

Verify them by e.g.

gpg --keyserver keyring.debian.org --verify SHA512SUMS.sign SHA512SUMS

and look out for the text,

gpg: Good signature from "Debian CD signing key <debian-***@lists.debian.org>"
...
Primary key fingerprint: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B

First occurrence of this fingerprint in my mailbox is Oct 10 2015.

On
https://www.debian.org/CD/verify
there are two more valid keys published which would yield:

gpg: Good signature from "Debian CD signing key <debian-***@lists.debian.org>"
Primary key fingerprint: 1046 0DAD 7616 5AD8 1FBC 0CE9 9880 21A9 64E6 EA7D

gpg: Good signature from "Debian Testing CDs Automatic Signing Key <debian-***@lists.debian.org>"
Primary key fingerprint: F41D 3034 2F35 4669 5F65 C669 4246 8F40 09EA 8AC3

Both have their first occurrence in my mailbox at Feb 16 2020.

If you see one of these texts, then you may assume the checksum files to
be valid (or the fingerprints to be undetected falsifications for years).
But if you see deviations in the fingerprint lines then this would be very
suspicious.


Have a nice day :)

Thomas
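As an added example (not code from Thomas's post, from Debian, or from the thread), a POSIX shell script that performs the check described above mechanically: it asks gpg for its machine-readable status lines and compares the VALIDSIG primary-key fingerprint against the three fingerprints the post quotes from https://www.debian.org/CD/verify, instead of reading "Good signature" by eye. It assumes the signing key is already in the local keyring; the sample status text embedded in it is constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): pin the Debian CD signing key
# fingerprints published on https://www.debian.org/CD/verify and check the
# gpg result machine-readably instead of eyeballing "Good signature".
# Assumes the signing key was already imported into the local keyring.

# The three fingerprints quoted in the thread, spaces removed.
PINNED_FINGERPRINTS='
DF9B9C49EAA9298432589D76DA87E80D6294BE9B
10460DAD76165AD81FBC0CE9988021A964E6EA7D
F41D30342F3546695F65C66942468F4009EA8AC3
'

# Normalise a fingerprint: drop spaces, upper-case the hex digits.
norm_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF'
}

# Extract the primary-key fingerprint from gpg --status-fd output on stdin.
# VALIDSIG only appears for a cryptographically good signature; its last
# field is the primary key fingerprint (field 3 is the signing key itself).
validsig_fingerprint() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" {
             if (NF >= 12) print $12; else print $3; exit }'
}

# Return 0 iff the status text on stdin carries a VALIDSIG whose primary
# fingerprint is one of the pinned Debian keys.  A different fingerprint,
# or no VALIDSIG at all (BADSIG/ERRSIG/NO_PUBKEY), is a failure.
check_signature_status() {
    fpr=$(validsig_fingerprint)
    [ -n "$fpr" ] || { echo "no valid signature found" >&2; return 1; }
    fpr=$(norm_fpr "$fpr")
    for pinned in $PINNED_FINGERPRINTS; do
        if [ "$fpr" = "$pinned" ]; then
            echo "signature by pinned Debian key $fpr"
            return 0
        fi
    done
    echo "SUSPICIOUS: valid signature but unexpected fingerprint $fpr" >&2
    return 1
}

# Verify SUMSFILE against SUMSFILE.sign, e.g. verify_sums_file SHA512SUMS.
# --status-fd 1 sends the machine-readable lines to stdout; the human
# readable text goes to stderr as usual.
verify_sums_file() {
    gpg --batch --status-fd 1 --verify "$1.sign" "$1" | check_signature_status
}

# Constructed sample of the status lines gpg emits for the signature the
# thread discusses (shape only; not captured from a real run).
SAMPLE_GOOD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG DA87E80D6294BE9B Debian CD signing key
[GNUPG:] VALIDSIG DF9B9C49EAA9298432589D76DA87E80D6294BE9B 2024-06-29 1719694224 0 4 0 1 10 00 DF9B9C49EAA9298432589D76DA87E80D6294BE9B
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# With a file argument verify it for real; without one, run the sample.
if [ "$#" -ge 1 ]; then
    verify_sums_file "$1"
else
    printf '%s\n' "$SAMPLE_GOOD_STATUS" | check_signature_status
fi
```

Run as `sh verify-sums.sh SHA512SUMS` in the download directory; a non-zero exit means either no valid signature or a fingerprint that is not on the pinned list, which is exactly the "deviation" the post calls suspicious.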
타토카
2024-07-08 19:20:02 UTC
Thank you all for your answers.
1. But I mean subscriptions like this "debian-user":) But I really like
your answers about Debian's freedom. I think it is useful information.
Thanks.
2. I have just verified GPG's keys manually: https://keyring.debian.org/
2.1. I have downloaded SHA512SUMS.sign and SHA512SUMS from
https://cdimage.debian.org/debian-cd/current/amd64/bt-cd/
2.2. I have then done: gpg --keyserver keyring.debian.org --verify
SHA512SUMS.sign SHA512SUMS
2.3. Then I got the following info: the signature was made on 30 June 2024
with RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B.
I have compared the 2011 key and mine and they are the same.
But is it a good idea to do that? Or do I need to download the open key and
then compare them?
And is verification with SHA512SUMS.sign and SHA512SUMS enough? Should I do
the same actions with SHA216SUMS.sign and SHA216SUMS?
Post by Thomas Schmitt
Hi,
Post by 타토카
2. How to check Debian Image Authentication?
Is checksum verification (sha216sum, sha512sum) enough?
Only if you trust the site from where you downloaded the ISO.
In that case you'd use the checksums in the files SHA256SUMS and
SHA512SUMS as a mere check of whether the download delivered what the server
operators intended.
Post by 타토카
Should I verify with GPG?
The signatures in the files SHA256SUMS.sign and SHA512SUMS.sign verify that
the checksums in SHA256SUMS and SHA512SUMS are authorized by the Debian
developers who are in charge of image production.
Verify them by e.g.
gpg --keyserver keyring.debian.org --verify SHA512SUMS.sign SHA512SUMS
and look out for the text,
gpg: Good signature from "Debian CD signing key <debian-***@lists.debian.org>"
...
Primary key fingerprint: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B
First occurrence of this fingerprint in my mailbox is Oct 10 2015.
On
https://www.debian.org/CD/verify
gpg: Good signature from "Debian CD signing key <debian-***@lists.debian.org>"
Primary key fingerprint: 1046 0DAD 7616 5AD8 1FBC 0CE9 9880 21A9 64E6 EA7D
gpg: Good signature from "Debian Testing CDs Automatic Signing Key <debian-***@lists.debian.org>"
Primary key fingerprint: F41D 3034 2F35 4669 5F65 C669 4246 8F40 09EA 8AC3
Both have their first occurrence in my mailbox at Feb 16 2020.
If you see one of these texts, then you may assume the checksum files to
be valid (or the fingerprints to be undetected falsifications for years).
But if you see deviations in the fingerprint lines then this would be very
suspicious.
Have a nice day :)
Thomas
Greg Wooledge
2024-07-08 19:30:01 UTC
Post by 타토카
Thank you all for your answers.
1. But I mean subscriptions like this "debian-user":) But I really like
your answers about Debian's freedom. I think it is useful information.
Thanks.
The debian-user mailing list is open to all who wish to contribute to it,
as long as they abide by the list's code of conduct. There is no fee
involved. On the other hand, any answers you get here are "use at your
own risk", as they are coming from random people on the Internet.
Thomas Schmitt
2024-07-08 20:00:01 UTC
Hi,
Post by 타토카
2.2. I have then done: gpg --keyserver keyring.debian.org --verify SHA512SUMS.sign SHA512SUMS
2.3. Then I got the following info: the signature was made on 30 June 2024
with RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B.
I have compared the 2011 key and mine and they are the same.
The key string looks good, indeed.
Post by 타토카
But is it a good idea to do that? Or do I need to download the open key and
then compare them?
It would suffice for me. If you know more ways to verify that the
signature belongs to Debian, then apply them. Just to be sure.
Post by 타토카
And is verification with SHA512SUMS.sign and SHA512SUMS enough? Should I do
the same actions with SHA216SUMS.sign and SHA216SUMS?
It is general belief that faking a SHA-512 checksum is not feasible,
currently. Faking both SHA-512 and SHA-256 would be even more difficult.
So check both and raise loud alarm if one matches and the other does not.


Have a nice day :)

Thomas
Andy Smith
2024-07-08 21:30:02 UTC
Hi,
Post by 타토카
I mean subscriptions like this "debian-user"
The only cost associated with this mailing list is your sanity.

Thanks,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
gene heskett
2024-07-08 22:10:01 UTC
Post by Andy Smith
Hi,
Post by 타토카
I mean subscriptions like this "debian-user"
The only cost associated with this mailing list is your sanity.
+1, Andy. Some of us get downright upset with the Karens that think they
run this all volunteer show. I've unfortunately come to the conclusion
they are best ignored. Generally, they don't seem to be members of a
civil society, or to be able to learn how to treat their fellow man.
Your monitoring, and howto corrections are much appreciated, thank you.
Post by Andy Smith
Thanks,
Andy
Cheers, Gene Heskett, CET.
--
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author, 1940)
If we desire respect for the law, we must first make the law respectable.
- Louis D. Brandeis
Andrew M.A. Cater
2024-07-08 23:10:01 UTC
Post by Andy Smith
Hi,
Post by 타토카
I mean subscriptions like this "debian-user"
The only cost associated with this mailing list is your sanity.
+1, Andy. Some of us get downright upset with the Karens that think they run
this all volunteer show. I've unfortunately come to the conclusion they are
best ignored. Generally, they don't seem to be members of a civil society,
or to be able to learn how to treat their fellow man. Your monitoring, and
howto corrections are much appreciated, thank you.
Post by Andy Smith
Thanks,
Andy
All contributions by any Andy gratefully received on this list. There
are also all sorts of people contributing to - and reading - this list.
Sometimes, even the worst of the passers by and trolls improve.

Please don't stoop to characterising others too readily as you might
dissuade somebody from contributing who could be really valuable.

All the very best, as ever,

Andy
gene heskett
2024-07-08 23:20:01 UTC
Post by Andrew M.A. Cater
Post by Andy Smith
Hi,
Post by 타토카
I mean subscriptions like this "debian-user"
The only cost associated with this mailing list is your sanity.
+1, Andy. Some of us get downright upset with the Karens that think they run
this all volunteer show. I've unfortunately come to the conclusion they are
best ignored. Generally, they don't seem to be members of a civil society,
or to be able to learn how to treat their fellow man. Your monitoring, and
howto corrections are much appreciated, thank you.
Post by Andy Smith
Thanks,
Andy
All contributions by any Andy gratefully received on this list. There
are also all sorts of people contributing to - and reading - this list.
Sometimes, even the worst of the passers by and trolls improve.
Please don't stoop to characterising others too readily as you might
dissuade somebody from contributing who could be really valuable.
All quite true Andy. But you may have noted that I only speak up from
personal experience from having done it myself, not always in the
approved way.
Post by Andrew M.A. Cater
All the very best, as ever,
Andy
Take care & stay well, Andy.
Cheers, Gene Heskett, CET.
--
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author, 1940)
If we desire respect for the law, we must first make the law respectable.
- Louis D. Brandeis
타토카
2024-07-10 22:10:02 UTC
Hello, dear Debian Community.

I just wanted to check a key with GPG.

I have found this on https://www.debian.org/CD/verify:

pub rsa4096/DA87E80D6294BE9B 2011-01-05 [SC]

Key fingerprint = DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B

uid Debian CD signing key <debian-***@lists.debian.org>


How can I download this key for GPG checking? Can I do next:

gpg --keyserver keyring.debian.org --recv-keys DA87E80D6294BE9B


If not, can you give an advice how to do it right?
Lee
2024-07-10 23:10:01 UTC
Post by 타토카
Hello, dear Debian Community.
I just wanted to check a key with GPG.
pub rsa4096/DA87E80D6294BE9B 2011-01-05 [SC]
Key fingerprint = DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B
How can I download this key for GPG checking?
Click on the link, that takes you to
https://www.debian.org/CD/key-DA87E80D6294BE9B.txt
and save the file. Then gpg --import it

$ gpg --import key-DA87E80D6294BE9B.txt
gpg: key DA87E80D6294BE9B: 64 signatures not checked due to missing keys
gpg: key DA87E80D6294BE9B: public key "Debian CD signing key
<debian-***@lists.debian.org>" imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: no ultimately trusted keys found

hrmmm... 64 signatures not checked due to missing keys doesn't look
good, but you've got the key now.

I checked by going to
http://mirror.us.leaseweb.net/debian-cd/12.6.0/amd64/iso-dvd/ and got
the SHA512SUMS and SHA512SUMS.sign files.
Verify them by

$ gpg --verify SHA512SUMS.sign SHA512SUMS
gpg: Signature made Sat Jun 29 16:50:24 2024 EDT
gpg: using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
gpg: Good signature from "Debian CD signing key
<debian-***@lists.debian.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B

so the contents of SHA512SUMS are trustworthy. Or as trustworthy as I
can verify.. somebody else hopefully knows how to get all the missing
keys and mark the DA87E80D6294BE9B key as trusted.

and for whatever it's worth, I use these aliases:
$ alias | grep sha
alias sha1='/usr/bin/openssl dgst -sha1 '
alias sha256='/usr/bin/openssl dgst -sha256 '
alias sha512='/usr/bin/openssl dgst -sha512 '

Regards,
Lee
타토카
2024-07-11 11:50:01 UTC
Why 64 signatures not checked and no ultimately trusted keys found here:
$ gpg --import key-DA87E80D6294BE9B.txt
gpg: key DA87E80D6294BE9B: 64 signatures not checked due to missing keys
gpg: key DA87E80D6294BE9B: public key "Debian CD signing key
<debian-***@lists.debian.org>" imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: no ultimately trusted keys found

And this:
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the
owner.

This is weird. Why does Fedora not have this, but Debian does?

And can you explain to me what it is, please?
Post by Lee
Post by 타토카
Hello, dear Debian Community.
I just wanted to check a key with GPG.
pub rsa4096/DA87E80D6294BE9B 2011-01-05 [SC]
Key fingerprint = DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B
How can I download this key for GPG checking?
Click on the link, that takes you to
https://www.debian.org/CD/key-DA87E80D6294BE9B.txt
and save the file. Then gpg --import it
$ gpg --import key-DA87E80D6294BE9B.txt
gpg: key DA87E80D6294BE9B: 64 signatures not checked due to missing keys
gpg: key DA87E80D6294BE9B: public key "Debian CD signing key
<debian-***@lists.debian.org>" imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: no ultimately trusted keys found
hrmmm... 64 signatures not checked due to missing keys doesn't look
good, but you've got the key now.
I checked by going to
http://mirror.us.leaseweb.net/debian-cd/12.6.0/amd64/iso-dvd/ and got
the SHA512SUMS and SHA512SUMS.sign files.
Verify them by
$ gpg --verify SHA512SUMS.sign SHA512SUMS
gpg: Signature made Sat Jun 29 16:50:24 2024 EDT
gpg: using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
gpg: Good signature from "Debian CD signing key
<debian-***@lists.debian.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B
so the contents of SHA512SUMS are trustworthy. Or as trustworthy as I
can verify.. somebody else hopefully knows how to get all the missing
keys and mark the DA87E80D6294BE9B key as trusted.
$ alias | grep sha
alias sha1='/usr/bin/openssl dgst -sha1 '
alias sha256='/usr/bin/openssl dgst -sha256 '
alias sha512='/usr/bin/openssl dgst -sha512 '
Regards,
Lee
타토카
2024-07-11 12:00:01 UTC
And can you explain to me what it is, please? *

$ alias | grep sha
alias sha1='/usr/bin/openssl dgst -sha1 '
alias sha256='/usr/bin/openssl dgst -sha256 '
alias sha512='/usr/bin/openssl dgst -sha512 '
Post by Lee
$ gpg --import key-DA87E80D6294BE9B.txt
gpg: key DA87E80D6294BE9B: 64 signatures not checked due to missing keys
gpg: key DA87E80D6294BE9B: public key "Debian CD signing key
<debian-***@lists.debian.org>" imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: no ultimately trusted keys found
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
This is weird. Why does Fedora not have this, but Debian does?
And can you explain to me what it is, please?
Post by Lee
Post by 타토카
Hello, dear Debian Community.
I just wanted to check a key with GPG.
pub rsa4096/DA87E80D6294BE9B 2011-01-05 [SC]
Key fingerprint = DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B
How can I download this key for GPG checking?
Click on the link, that takes you to
https://www.debian.org/CD/key-DA87E80D6294BE9B.txt
and save the file. Then gpg --import it
$ gpg --import key-DA87E80D6294BE9B.txt
gpg: key DA87E80D6294BE9B: 64 signatures not checked due to missing keys
gpg: key DA87E80D6294BE9B: public key "Debian CD signing key
<debian-***@lists.debian.org>" imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: no ultimately trusted keys found
hrmmm... 64 signatures not checked due to missing keys doesn't look
good, but you've got the key now.
I checked by going to
http://mirror.us.leaseweb.net/debian-cd/12.6.0/amd64/iso-dvd/ and got
the SHA512SUMS and SHA512SUMS.sign files.
Verify them by
$ gpg --verify SHA512SUMS.sign SHA512SUMS
gpg: Signature made Sat Jun 29 16:50:24 2024 EDT
gpg: using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
gpg: Good signature from "Debian CD signing key
<debian-***@lists.debian.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B
so the contents of SHA512SUMS are trustworthy. Or as trustworthy as I
can verify.. somebody else hopefully knows how to get all the missing
keys and mark the DA87E80D6294BE9B key as trusted.
$ alias | grep sha
alias sha1='/usr/bin/openssl dgst -sha1 '
alias sha256='/usr/bin/openssl dgst -sha256 '
alias sha512='/usr/bin/openssl dgst -sha512 '
Regards,
Lee
Franco Martelli
2024-07-11 19:30:04 UTC
Post by 타토카
And can you explain to me what it is, please? *
$ alias | grep sha
alias sha1='/usr/bin/openssl dgst -sha1 '
alias sha256='/usr/bin/openssl dgst -sha256 '
alias sha512='/usr/bin/openssl dgst -sha512 '
Since you are asking this question, maybe you don't know that after having
verified the authenticity of the SHA512SUMS.sign and SHA512SUMS files you must
use the file SHA512SUMS to verify the authenticity of the .iso files you
will download.

If you open SHA512SUMS in an editor you see a list of checksums, each
belonging to the respective .iso or .torrent file.

Recently I downloaded the "debian-12.6.0-amd64-DVD-1.iso" iso image
using a .torrent file. After downloading the .torrent file, place it
together with SHA512SUMS in the same directory, then verify the authenticity
with the command:

$ sha512sum --ignore-missing -c SHA512SUMS
debian-12.6.0-amd64-DVD-1.iso.torrent: OK

Now you are ready to download the .iso, open the .torrent file in your
favorite Torrent client and start the download, then check the
authenticity of the .iso with exactly the same command:

$ sha512sum --ignore-missing -c SHA512SUMS
debian-12.6.0-amd64-DVD-1.iso: OK

This step might take a while, so be patient; after that is done you are
ready to burn a DVD, copy the .iso to a USB key, install to a virtual
machine… but this is another story ^_^

Cheers,
--
Franco Martelli
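As an added example (not Franco's, Debian's or the thread's code), a POSIX shell script that does the step described above against both SHA256SUMS and SHA512SUMS and, as Thomas suggested earlier in the thread, raises a distinct alarm when one digest matches and the other does not. The few-byte "image" and the sum files in its demo are constructed, and the function names are my own; it assumes the sum files have already passed the gpg check.

```shell
#!/bin/sh
# Added example (not from the thread or from Debian): once SHA256SUMS and
# SHA512SUMS have passed the gpg check, verify one downloaded image against
# BOTH lists and tell apart a corrupt download (both digests wrong) from the
# far more suspicious case of one digest matching and the other not.
# check_image exit codes: 0 verified, 1 unlisted / both mismatch, 3 disagreement.

# Print the line of SUMSFILE that names FILENAME exactly (a leading "*" marks
# binary mode and is ignored).  Exact-name matching means a renamed or
# look-alike file is reported as unlisted rather than silently skipped.
sums_line_for() {   # sums_line_for SUMSFILE FILENAME
    awk -v f="$2" '{ n = $2; sub(/^\*/, "", n) } n == f { print; exit }' "$1"
}

# Compare one digest of FILE with its entry in SUMSFILE.  Prints exactly one
# word (OK, FAILED or UNLISTED) and always returns 0, so callers test the word.
digest_status() {   # digest_status sha256sum|sha512sum SUMSFILE FILE
    expected=$(sums_line_for "$2" "$(basename "$3")" | awk '{ print $1 }')
    if [ -z "$expected" ]; then
        echo UNLISTED
    elif [ "$("$1" "$3" | awk '{ print $1 }')" = "$expected" ]; then
        echo OK
    else
        echo FAILED
    fi
}

# Verify FILE against both signed lists (defaults: ./SHA256SUMS, ./SHA512SUMS).
check_image() {   # check_image FILE [SHA256SUMS-path] [SHA512SUMS-path]
    r256=$(digest_status sha256sum "${2:-SHA256SUMS}" "$1")
    r512=$(digest_status sha512sum "${3:-SHA512SUMS}" "$1")
    echo "$1: sha256=$r256 sha512=$r512"
    case "$r256/$r512" in
        OK/OK)      echo "image verified"; return 0 ;;
        OK/*|*/OK)  echo "ALARM: the two digests disagree; do not use this image" >&2
                    return 3 ;;
        *)          echo "image does not match the signed checksum lists" >&2
                    return 1 ;;
    esac
}

# Stand-alone demo in a scratch directory with a constructed few-byte "image"
# (not a real ISO): first consistent sum files, then a tampered SHA256 entry.
# Prints the two exit codes; the per-check output goes to stderr.
demo() (
    dir=$(mktemp -d) && cd "$dir" || exit 2
    img=debian-sample-amd64-DVD-1.iso
    printf 'constructed sample image bytes\n' > "$img"
    sha256sum "$img" > SHA256SUMS
    sha512sum "$img" > SHA512SUMS
    rc_good=0;  check_image "$img" 1>&2 || rc_good=$?
    # Tamper with the SHA256 entry only: overwrite its digest with zeros.
    awk '{ gsub(/[0-9a-f]/, "0", $1); print $1 "  " $2 }' SHA256SUMS > SHA256SUMS.new
    mv SHA256SUMS.new SHA256SUMS
    rc_alarm=0; check_image "$img" 1>&2 || rc_alarm=$?
    cd / && rm -rf "$dir"
    echo "$rc_good $rc_alarm"
)

# With a file argument check it for real; without one, run the demo.
if [ "$#" -ge 1 ]; then check_image "$@"; else demo; fi
```

The demo prints `0 3`: the untouched files verify, while the tampered SHA256SUMS with an intact SHA512SUMS is reported as a disagreement rather than a plain checksum failure.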
Lee
2024-07-11 20:00:01 UTC
Post by 타토카
And can you explain to me what it is, please? *
$ alias | grep sha
alias sha1='/usr/bin/openssl dgst -sha1 '
alias sha256='/usr/bin/openssl dgst -sha256 '
alias sha512='/usr/bin/openssl dgst -sha512 '
It's a way of getting sha sums for a file. I've been carrying those
in my .bashrc file for ages.. I don't remember if I didn't know about
the sha1sum program or it didn't exist in cygwin at the time, but I
found a method that worked and quit looking. By now it's "muscle
memory" -- like returning from vacation and not being able to remember
your password, but go down to the cafeteria, get a cup of coffee,
return to your desk, turn your PC on and enter your password without
thinking. I found a method that worked and don't think about it any
more. You probably should use the sha1sum, sha256sum, sha512sum
programs though - if only to reduce confusion when you're talking to
other people :)

Regards
Lee

Greg Wooledge
2024-07-11 12:00:01 UTC
Post by Lee
$ gpg --import key-DA87E80D6294BE9B.txt
gpg: key DA87E80D6294BE9B: 64 signatures not checked due to missing keys
gpg: key DA87E80D6294BE9B: public key "Debian CD signing key
<debian-***@lists.debian.org>" imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: no ultimately trusted keys found
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Because you haven't established a chain of trust from yourself to any
of the signatures.

You've downloaded this key from the Internet. And it's signed by 64
other keys. That's all you know. You have no idea whether any of those
64 signing keys are trustworthy.

At some point, you have to say "This is good enough." And then you move
on with your life, either installing Debian from the image that you have,
or not.

You've already done far more verification than most people do.
타토카
2024-07-11 12:30:01 UTC
Ok, I think this is really enough for verification ( Maybe (^_^) ).
But, what do you mean: "Because you haven't established a chain of trust
from yourself to any of the signatures."
Is it only for Debian developers? And is it very important?
Post by Greg Wooledge
Post by Lee
$ gpg --import key-DA87E80D6294BE9B.txt
gpg: key DA87E80D6294BE9B: 64 signatures not checked due to missing keys
gpg: key DA87E80D6294BE9B: public key "Debian CD signing key
<debian-***@lists.debian.org>" imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: no ultimately trusted keys found
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Because you haven't established a chain of trust from yourself to any
of the signatures.
You've downloaded this key from the Internet. And it's signed by 64
other keys. That's all you know. You have no idea whether any of those
64 signing keys are trustworthy.
At some point, you have to say "This is good enough." And then you move
on with your life, either installing Debian from the image that you have,
or not.
You've already done far more verification than most people do.
Thomas Schmitt
2024-07-11 12:40:01 UTC
Hi,
Post by Lee
gpg: WARNING: This key is not certified with a trusted signature!
That's normal. The concept of a "web of trust" suffers from the fact
that most people whom I know well enough to trust them in general
have no idea of PGP and thus are not really trustworthy in this particular respect.
https://en.wikipedia.org/wiki/Web_of_trust

The best verification you can get outside the web of trust is the
key fingerprint which must match one of the published fingerprints on
https://www.debian.org/CD/verify
I deem them trustworthy because they did not change in years.

(Cryptographers might object that old keys are poor keys. But they will
also be right with telling you that cryptography is a minefield and thus
amateurs like us should stay away from it.)
Post by Lee
And can you explain to me what it is, please?
$ alias | grep sha
alias sha1='/usr/bin/openssl dgst -sha1 '
alias sha256='/usr/bin/openssl dgst -sha256 '
alias sha512='/usr/bin/openssl dgst -sha512 '
Shell commands "sha1", "sha256", and "sha512" were defined somewhere to
actually be runs of the program /usr/bin/openssl with the checksum algorithm
given by the command name.

Usually people get told to use shell commands "sha256sum" and "sha512sum"
which are supposed to run the programs /usr/bin/sha256sum and
/usr/bin/sha512sum from package "coreutils".

In order to find out from where the "alias" definitions stem, you will
have to check the startup scripts of your shell. Like ~/.bashrc .


Have a nice day :)

Thomas
Greg Wooledge
2024-07-11 12:40:01 UTC
Post by 타토카
But, what do you mean: "Because you haven't established a chain of trust
from yourself to any of the signatures."
Imagine someone walks up to you on the street and hands you a contract,
which is signed by someone you've never heard of.

You don't know the guy who gave you the contract. You've never seen him
before. So, you don't trust him.

You can do a little bit of research on the person whose signature is on
the contract. Maybe she's famous. You look her up on the Internet, and
it turns out that she's well known in certain circles. If her signature
is on this contract, then the contract is probably worth something.

But how do you know whether this is really her signature, or a forgery?

If you knew her in person, you could go to her office, ask her to sign
something in your presence, and compare her signature to the one you see
on the contract.

But you don't know her in person. She lives really far away, and she's
too important and too busy to want to spend a lot of time signing blank
pieces of paper for people like you anyway.

But maybe you know someone who knows her. Your lawyer friend -- maybe
he's worked with her before. He might know what her signature looks
like. He might be able to tell you whether the signature on the contract
is valid.

So, you go to your lawyer friend, and you show him the contract, and
he says "Yeah, that looks legit."

Now you know what her signature looks like, or at least you've got
verification from a source that you trust.
Post by 타토카
Is it only for Debian developers? And is it very important?
In theory, anybody can attend a key signing party, and get in-person
verification of various GPG keys. Once you've got a few keys from
people that you trust, your web of trust expands.

If you've got a trusted key from Joe Smith, and Joe Smith says he
trusts a key belonging to Sara Jones, and Sara Jones says she trusts
the Debian signing key that you're trying to verify, then you have a
chain of trust from yourself, to Joe, to Sara, to the Debian key.

In practice, very few people do this, because it's a LOT of effort.
Dan Purgert
2024-07-11 13:50:01 UTC
Post by Greg Wooledge
Post by 타토카
But, what do you mean: "Because you haven't established a chain of trust
from yourself to any of the signatures."
Imagine someone walks up to you on the street and hands you a contract,
which is signed by someone you've never heard of.
You don't know the guy who gave you the contract. You've never seen him
before. So, you don't trust him. [...]
I always liked the analogy of schoolwork / notes.

Say you missed last Friday's class, and you need the notes (where "the
notes" correspond to "the pgp key in question").

Scenario A: "untrusted" ("website with a link / posted fingerprint")
You run into someone from class, who you don't really know all that
well, but you do know they answer the professor pretty often (and
correctly at that).

Scenario B: "web of trust" ("one or more trusted signatures on that key")
Nearly the same as "A", but the other person is a friend-of-a-friend.
You can ask your friend when you meet them for lunch if you can trust
the classmate's notes.

Scenario C: "fully trusted" ("you made the effort to verify the owner")
You ask your best friend since second grade for their notes. You know
they've been an "A" student since forever, and they take amazing notes.
--
|_|O|_|
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: DDAB 23FB 19FA 7D85 1CC1 E067 6D65 70E5 4CE7 2860
Michael Kjörling
2024-07-08 19:10:02 UTC
Post by 타토카
1. Are all subscriptions to Debian free?
Others have already pointed out that Debian is free, but I want to
note that this question seems to be based on a misunderstanding.

The fact is that there are no "subscriptions" to Debian, in the
typical sense.

Some people voluntarily _donate_ to the Debian project to help cover
costs, provide hardware, etc., and the Debian project solicits such
donations in various ways. Some are members for example of this
mailing list and give back to the community by answering other
peoples' questions. Some contribute bug reports, code or documentation
changes either to correct errors or to improve clarity. Some introduce
their friends, family and relatives to free software and offer
hands-on help. Some companies provide services at a lower price to
people who are active in the Debian project, or to the Debian project
itself.

But there is absolutely no requirement to do any of this.

Some companies do offer _support contracts_ that cover Debian, and
particularly other companies tend to like this because it gives them
somewhere to call if they have a problem. But you don't need to have
anything like that to use Debian, or contribute in various ways.

You can just download, install and use it. :-)
--
Michael Kjörling 🔗 https://michael.kjorling.se
“Remember when, on the Internet, nobody cared that you were a dog?”