Discussion:
Verifying checksum and signature
leonard morin
2020-10-01 18:30:01 UTC
Hi,

I want to reinstall Debian but first verify the signature of the installer
checksum and the signature file. I am working with Windows and based this
process on this video by Crypto Dad:

http://youtu.be/N7oE0QaK540

I was able to download the GPG4Win and verify it with the Shasum Checker,
also as per Crypto Dad:

http://youtu.be/QZ2GrQA_ye8

I followed his instructions to check the signature and checksum for the
Debian installer in (GNU Privacy Assistant). I get the message that there
is no public key. When I follow his process to retrieve the public key at
https://www.debian.org/CD/verify
I get the message in GPA "No keys were found" for all the IDs and
fingerprints on the page. Should I be obtaining the public key elsewhere?
Or should I do something else differently?

If you need more details please let me know.

Thanks for your help,
Leonard
Ryan Nowakowski
2020-10-05 18:30:01 UTC
Post by leonard morin
Hi,
I want to reinstall Debian but first verify the signature of the installer
checksum and the signature file. I am working with Windows and based this
http://youtu.be/N7oE0QaK540
I was able to download the GPG4Win and verify it with the Shasum Checker,
http://youtu.be/QZ2GrQA_ye8
I followed his instructions to check the signature and checksum for the
Debian installer in (GNU Privacy Assistant). I get the message that there
is no public key. When I follow his process to retrieve the public key at
https://www.debian.org/CD/verify
I get the message in GPA "No keys were found" for all the IDs and
fingerprints on the page. Should I be obtaining the public key elsewhere?
Or should I do something else differently?
You should be able to get the keys from the Debian key
server (keyring.debug.org). Here's an example using gpg from the
command-line:

***@potts:~$ gpg --keyserver keyring.debian.org --recv-keys 6BD05CFB
gpg: key 42468F4009EA8AC3: "Debian Testing CDs Automatic Signing Key <debian-***@lists.debian.org>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
***@potts:~$ gpg --fingerprint 6BD05CFB
pub rsa4096 2014-04-15 [SC]
F41D 3034 2F35 4669 5F65 C669 4246 8F40 09EA 8AC3
uid [ unknown] Debian Testing CDs Automatic Signing Key <debian-***@lists.debian.org>
sub rsa4096 2014-04-15 [E]

Perhaps you can translate that into your Windows tools? Here's some more
info on Debian's gpg key server: https://keyring.debian.org/
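
Added example, not part of the original thread: a POSIX shell sketch of the full check discussed above. It verifies the checksum list's detached signature, requires that the signer's full fingerprint equals the one shown in the gpg output above (rather than trusting the short key ID), and then compares the image's SHA-512 with the signed list. The function names and the file names SHA512SUMS and SHA512SUMS.sign are assumptions of this example.

```sh
#!/bin/sh
# Added example. Fingerprint copied from the gpg output quoted in this thread;
# compare it with https://www.debian.org/CD/verify before trusting it.
PINNED_FPR="F41D 3034 2F35 4669 5F65 C669 4246 8F40 09EA 8AC3"

# Strip whitespace and upper-case, so spaced and unspaced forms compare equal.
norm_fpr() { printf '%s' "$1" | tr -d '[:space:]' | tr 'a-f' 'A-F'; }

# Extract the primary-key fingerprint (last field) from gpg's status line
#   [GNUPG:] VALIDSIG <fpr> <date> ... <primary-key-fpr>
# Fails when no VALIDSIG line is present (bad or unverifiable signature).
signer_from_status() {
    printf '%s\n' "$1" |
        awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; f = 1 }
             END { exit !f }'
}

# Check the detached signature and require that the signer is the pinned key,
# not merely some key that happens to be in the local keyring.
verify_sums() {    # $1 = SHA512SUMS.sign  $2 = SHA512SUMS
    gpg_out=$(gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null) || return 1
    signer=$(signer_from_status "$gpg_out") || return 1
    [ "$(norm_fpr "$signer")" = "$(norm_fpr "$PINNED_FPR")" ]
}

# Print the digest listed for an exact file name in a sha512sum-format list.
listed_sum() {     # $1 = SHA512SUMS  $2 = file name
    awk -v n="$2" '{ name = $2; sub(/^\*/, "", name) }
                   name == n { print $1; f = 1; exit }
                   END { exit !f }' "$1"
}

# Hash the image locally and compare it with the signature-checked list.
check_image() {    # $1 = SHA512SUMS  $2 = path to the image
    want=$(listed_sum "$1" "$(basename "$2")") || return 1
    have=$(sha512sum "$2" | awk '{ print $1 }')
    [ "$want" = "$have" ]
}

# Usage: sh verify-debian.sh SHA512SUMS.sign SHA512SUMS debian-image.iso
if [ "$#" -eq 3 ]; then
    verify_sums "$1" "$2" || { echo "signature check FAILED" >&2; exit 1; }
    check_image "$2" "$3" || { echo "checksum mismatch" >&2; exit 1; }
    echo "OK: $3 matches a list signed by the pinned key"
fi
```

The checksum comparison only means something after the signature check has passed, since an unsigned SHA512SUMS can be replaced along with the image.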
Ryan Nowakowski
2020-10-05 19:30:01 UTC
Post by Ryan Nowakowski
Post by leonard morin
Hi,
I want to reinstall Debian but first verify the signature of the installer
checksum and the signature file. I am working with Windows and based this
http://youtu.be/N7oE0QaK540
I was able to download the GPG4Win and verify it with the Shasum Checker,
http://youtu.be/QZ2GrQA_ye8
I followed his instructions to check the signature and checksum for the
Debian installer in (GNU Privacy Assistant). I get the message that there
is no public key. When I follow his process to retrieve the public key at
https://www.debian.org/CD/verify
I get the message in GPA "No keys were found" for all the IDs and
fingerprints on the page. Should I be obtaining the public key elsewhere?
Or should I do something else differently?
You should be able to get the keys from the debian key
server(keyring.debug.org)
should be "keyring.debian.org"
leonard morin
2020-10-08 23:00:02 UTC
Thanks, Ryan. It's resolved now. When I got your email, I decided to do
something I probably should have thought of doing before. I went into my
Debian OS (which I am in the process of reinstalling) and I tried
retrieving the public keys using the signing keys from the same place
(https://www.debian.org/CD/verify) within Debian, following the commands
you suggested. Of course, I was able to retrieve them. Then what I did was
go back to Windows and try Kleopatra instead of Privacy Assistant, and it
worked! What a relief! There's some problem with Privacy Assistant. Perhaps
having it installed on the same Windows system with GPA Privacy Assistant?
I don't know. Thanks again, Leonard