Discussion:
Can we get a signature for armhf SD-card images?
Larry Doolittle
2023-02-01 01:50:02 UTC
Friends -

I looked and wasn't able to find a digital signature for
the SHA256SUMS file in
http://ftp.debian.org/debian/dists/bullseye/main/installer-armhf/current/images/
or
http://ftp.debian.org/debian/dists/bookworm/main/installer-armhf/current/images/

There _are_ signatures provided for CD images at
https://cdimage.debian.org/debian-cd/current/armhf/iso-cd/
but that's not the normal installation process for the gazillion armhf SBCs.

I'm pretty sure most people are like me, and use the process documented
in "5.1.5. Using pre-built SD-card images with the installer" at
https://www.debian.org/releases/bullseye/armhf/ch05s01.en.html
or
https://www.debian.org/releases/bookworm/armhf/ch05s01.en.html

Am I blind? Can the process be adjusted to generate such a signature file?

- Larry
Vagrant Cascadian
2023-02-01 03:00:02 UTC
Post by Larry Doolittle
Friends -
I looked and wasn't able to find a digital signature for
the SHA256SUMS file in
http://ftp.debian.org/debian/dists/bullseye/main/installer-armhf/current/images/
or
http://ftp.debian.org/debian/dists/bookworm/main/installer-armhf/current/images/
Take a look at:

https://ftp.debian.org/debian/dists/bullseye/Release

The Release file is signed (either inline as InRelease or detached as
Release.gpg), and has checksums for the relevant SHA256SUMS files that
you are looking for...
Post by Larry Doolittle
Am I blind?
It is admittedly a bit indirect and non-obvious, having to download a
Release file, check the signature on that, then download the relevant
SHA256SUMS files and check their checksums with the (verified) Release
file... but there is at least a chain of verifiability...
Post by Larry Doolittle
Can the process be adjusted to generate such a signature file?
It would be nice to have fewer steps to verify, because any complicated
verification process quickly downgrades to no verification process...


live well,
vagrant
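The chain Vagrant describes above (verify the archive signature on Release, check SHA256SUMS against the hash recorded in Release, then check the images against SHA256SUMS), written out as an added shell example. It is not part of this thread and not Debian's own tooling; it assumes GNU coreutils, gpgv and the debian-archive-keyring package at its usual path, and the Release fragment, SHA256SUMS and image it checks are constructed inline so the demo runs offline, not real archive contents.

```shell
#!/bin/sh
# Verify Debian installer SD-card images through the Release chain:
#   Release.gpg / InRelease signature -> Release (records SHA256 of SHA256SUMS)
#   -> SHA256SUMS (records SHA256 of each image).
# Added example, not Debian's own tooling.
set -eu

# Step 1: check the archive signature. $1 is InRelease (clearsigned) or Release,
# $2 is Release.gpg when the signature is detached. Assumes the keyring path
# shipped by the debian-archive-keyring package. Not exercised by the offline
# demo below because it needs the real files and keyring.
verify_release_signature() {
    gpgv --keyring /usr/share/keyrings/debian-archive-keyring.gpg ${2:+"$2"} "$1"
}

# Step 2: pull the SHA256 entry for a path (relative to dists/<suite>/) out of
# Release. The "SHA256:" section holds one " <hash> <size> <path>" line per
# file, indented by a space, until the next unindented header. The clearsigned
# InRelease's "Hash: SHA256" line is unindented and does not match.
release_sha256_for() {
    awk -v want="$2" '
        /^SHA256:/          { insec = 1; next }
        /^[^ ]/             { insec = 0 }
        insec && $3 == want { print $1; exit }
    ' "$1"
}

# Compare a downloaded file against the hash Release records for it.
# Returns 0 on match, 1 on mismatch, 2 if Release has no entry for the path.
check_against_release() {
    release="$1"; path="$2"; file="$3"
    expected=$(release_sha256_for "$release" "$path")
    [ -n "$expected" ] || { echo "no SHA256 entry for $path in Release" >&2; return 2; }
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$expected" = "$actual" ]; then return 0; fi
    echo "checksum mismatch for $file" >&2
    return 1
}

# Step 3: once SHA256SUMS is trusted, check the images actually downloaded into
# the same directory; entries for files not downloaded are skipped, not failed.
check_images_against_sums() {
    (cd "$1" && sha256sum --check --ignore-missing --quiet SHA256SUMS)
}

# Offline fixture (constructed, not real archive contents): a fake image,
# a SHA256SUMS covering it, and a Release fragment covering SHA256SUMS.
build_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/images/netboot/SD-card-images"
    printf 'constructed image bytes\n' > "$dir/images/netboot/SD-card-images/partition.img.gz"
    (cd "$dir/images" && sha256sum ./netboot/SD-card-images/partition.img.gz > SHA256SUMS)
    sums_hash=$(sha256sum "$dir/images/SHA256SUMS" | cut -d' ' -f1)
    sums_size=$(wc -c < "$dir/images/SHA256SUMS" | tr -d ' ')
    cat > "$dir/Release" <<EOF
Origin: Debian
Suite: stable
Codename: bookworm
MD5Sum:
 d41d8cd98f00b204e9800998ecf8427e 0 main/installer-armhf/current/images/MD5SUMS
SHA256:
 $sums_hash $sums_size main/installer-armhf/current/images/SHA256SUMS
EOF
    echo "$dir"
}

fixture=$(build_fixture)
sums_path=main/installer-armhf/current/images/SHA256SUMS
check_against_release "$fixture/Release" "$sums_path" "$fixture/images/SHA256SUMS"
check_images_against_sums "$fixture/images"
# A modified SHA256SUMS no longer matches the hash recorded in Release.
cp "$fixture/images/SHA256SUMS" "$fixture/images/SHA256SUMS.modified"
printf 'extra line\n' >> "$fixture/images/SHA256SUMS.modified"
if check_against_release "$fixture/Release" "$sums_path" "$fixture/images/SHA256SUMS.modified"; then
    echo "mismatch was not detected" >&2; exit 1
fi
echo "fixture checks passed"
```

Against the real archive the order is: fetch dists/bookworm/InRelease (or Release plus Release.gpg) and run verify_release_signature on it, then fetch main/installer-armhf/current/images/SHA256SUMS and run check_against_release with that path, then fetch the images into the same directory and run check_images_against_sums. Only the first step involves a key; every later step is a plain hash comparison anchored in the signed file.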
Larry Doolittle
2023-02-01 17:40:01 UTC
Vagrant et al. -
Post by Vagrant Cascadian
https://ftp.debian.org/debian/dists/bullseye/Release
The Release file is signed (either inline as InRelease or detached as
Release.gpg), and has checksums for the relevant SHA256SUMS files that
you are looking for...
Cool! That's the hint I was looking for. I can now verify the files
for a fresh Bookworm install I'm about to attempt on an armhf SBC.
Post by Vagrant Cascadian
Post by Larry Doolittle
Am I blind?
It is admittedly a bit indirect and non-obvious, [...]
I'm all too aware of how hard it is to make good (complete,
comprehensible, discoverable) documentation.

I just tried a number of Internet searches e.g.,
"verify integrity of debian release files" and nothing pointed me to the
magic "Release" file. Lots of hints about getting to the SHA256SUMS files.

The install guide section
4.6. Verifying the integrity of installation files
seems key. It gives three main links: to CD and DVD (each goes to nice pages
on cdimage.debian.org that mention that the checksum files are signed),
and one to "other installation files" (on ftp.debian.org) that does not.
That would seem to say that
http://ftp.debian.org/debian/dists/bookworm/main/installer-arm64/current/images/
deserves a README about integrity-checking and the existence of a
digital signature for Release.

- Larry
