Hi,

Deparade Max wrote:
> I tried three times to download the 9.13 version ISO but Firefox keep saying
> that it might conaint a virus or malware. I need a verified answer whats
> going on there.
> I used following site:
> https://cdimage.debian.org/mirror/cdimage/archive/9.13.0/amd64/iso-cd/
> And following ISO:
> debian-9.13.0-amd64-netinst.iso

My quite freshly installed Firefox on Debian 10 says the same.

But only on the first download. A second download does not cause that
warning of Firefox.
Neither do downloads of the other two ISOs on that page.

My old Iceweasel on Debian 8 does not complain.

--------------------------------------------------------------------------

Quite surely Debian does not put malware into its ISOs.

It would be interesting to see more details about how Firefox or other
virus scanners come to that idea. If they can tell a file name in the ISO
or a byte range in the ISO, then it would be possible to examine the
problem deeper.
Well, my firefox offers me to "open" the ISO ... if i understand it
correctly this "open" offers me to overwrite my hard disk by that ISO.
That's fewly helpful.

--------------------------------------------------------------------------

There is always the risk of man-in-the-middle malice or of corrupted
mirror servers.

Against that threat, Debian has two levels of verifying.
At
  https://cdimage.debian.org/mirror/cdimage/archive/9.13.0/amd64/iso-cd/
there are
  SHA512SUMS
  SHA512SUMS.sign
Download them and get the potential signing keys by
  gpg --keyserver keyring.debian.org --recv-keys 64E6EA7D
  gpg --keyserver keyring.debian.org --recv-keys 6294BE9B
Verify the validity of SHA512SUMS by
  gpg --verify SHA512SUMS.sign SHA512SUMS
which should say
  gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>" 
[unknown]
  gpg: WARNING: This key is not certified with a trusted signature!
  gpg:          There is no indication that the signature belongs to the owner.
  Primary key fingerprint: DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B

The warning can be ignored. But the "Primary key fingerprint" must completely
match one of the fingerprints shown at
  https://www.debian.org/CD/verify

After you can trust the file SHA512SUMS, compute the SHA512 sum of the
downloaded ISO:
  sha512sum debian-9.13.0-amd64-netinst.iso
and compare it with the sum that is listed for this ISO in file SHA512SUMS.

If the SHA512 sums match, then you very surely have an original Debian ISO.
(And if virus scanner don't like it, they should tell more info now or
 forever hold their peace.)


My verification of the offending ISO was successful. I would trust it,
because i have few reason to trust Firefox and its ideas of malware
detection.


Have a nice day :)

Thomas

Reply via email to