Debian users, I would like to try out debian 8.5 lxde OS. Unfortunately after I burn (dd) to disk, the newly burned disk has a different hash number than the original *.iso file. My specific procedure is below:
===================================================================================
-------------------------------------
Outline (Overall procedure)

A) Download SHA512SUMS and SHA512SUMS.gpg, or MD5SUMS and MD5SUMS.gpg
B) Get the key used for the signature
C) Verify the signature
D) Check the ISO with sha512sum or md5sum

-------------------------------------
Command outline (terse)

A) Download SHA512SUMS and SHA512SUMS.gpg from
   http://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/

B) Get the key
   1) Display what key was used to issue the signature
      $ gpg --verify SHA512SUMS.sign SHA512SUMS
   2) Obtain the public key from the Ubuntu key server
      To add the wanted key automatically to your keyring from the Ubuntu
      keyserver and calculate its trust:
      $ gpg --keyserver keyring.debian.org --recv-keys 0x6294BE9B
   3) Verify the key fingerprints:
      $ gpg --list-keys --with-fingerprint 0x6294BE9B

C) Verify the signature
   $ gpg --verify SHA512SUMS.sign SHA512SUMS

D) Check the ISO
   $ sha512sum -c <(grep debian-live-8.5.0-amd64-lxde-desktop.iso SHA512SUMS)
   $ sha512sum debian-live-8.5.0-amd64-lxde-desktop.iso

E) Burn iso to media

F) Check media drive still has same
   $ sudo fdisk -l   (lookup location of burnt iso media)
   $ sudo sha512sum /dev/sdb

-------------------------------------
Command outline (Complete with results)

$ ls
debian-8.5.0-i386-lxde-CD-1.checksum  SHA512SUMS
debian-8.5.0-i386-lxde-CD-1.iso       SHA512SUMS.sign
Debian8_i386_SHA256SUMS.sign

$ gpg --verify SHA512SUMS.sign SHA512SUMS
gpg: Signature made 2016年06月05日 (週日) 23時59分09秒 CST using RSA key ID 6294BE9B
gpg: Good signature from "Debian CD signing key <debian...@lists.debian.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B

$ gpg --keyserver keyring.debian.org --recv-keys 0x6294BE9B
gpg: requesting key 6294BE9B from hkp server keyring.debian.org
gpg: key 6294BE9B: "Debian CD signing key <debian...@lists.debian.org>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

$ gpg --list-keys --with-fingerprint 0x6294BE9B
pub   4096R/6294BE9B 2011-01-05
      Key fingerprint = DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B
uid                  Debian CD signing key <debian...@lists.debian.org>
sub   4096R/11CD9819 2011-01-05

$ gpg --verify SHA512SUMS.sign SHA512SUMS
gpg: Signature made 2016年06月05日 (週日) 23時59分09秒 CST using RSA key ID 6294BE9B
gpg: Good signature from "Debian CD signing key <debian...@lists.debian.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B

$ sha512sum debian-8.5.0-i386-lxde-CD-1.iso && wait && sha512sum /dev/sdb
3365649694bf623d63f37853582d3fe0f7aa774821e2533d2dc79f5d763df1751e20da98da013ccc9bd3257159362434462bd7363caff3a590e75701b81e751c

$ sudo sha512sum /dev/sdb
912ac63416f9e4cc90b10eecf08765aa3665cea3cb971865f9887b5193bdf8961cdaf7978dfbdb5a966ae03e16c6704dfd80c50eea30f9bea32b5dbd67f99747  /dev/sdb
===================================================================================

Notice how the two sha512sum numbers (local vs burnt usb) don't match!
Sincerely,
Andrew F Comly

===================================================================================
-------- Original Message --------
Subject: Re: you iso's may have been hacked
Local Time: August 10, 2016 1:37 AM
UTC Time: August 10, 2016 1:37 AM
From: lim...@openmailbox.org
To: debian-user@lists.debian.org

> On 2016-08-09 20:03, phil hall wrote:
>> i have just downloaded debian gnome 8.5.0 when complete i clicked
>> check MD5 sum it listed a number that's not in your MD5sum document. I
>> have never checked an MD5sum, so don't know if this is a Mint bug or
>> you've been hacked

On 2016-08-09 20:24, limpia wrote:
> Thanks, but it would be a lot more help to know more details,
> Especially which mirror you used, what was the url to where you
> downloaded it from, ?
> Was it a amd64 image or i386 ? Was it a "Live CD image", "netinstall"
> or ?
> Thank you

Additional note, I notice that here:
https://www.debian.org/CD/faq/#verify

It says:
===
"The problem with the verification of written optical media is that some
media types will possibly return more bytes than those found in the ISO
image. This trailing garbage is impossible to avoid with CD written in TAO
mode, incrementally recorded DVD-R[W], formatted DVD-RW, DVD+RW, BD-RE, and
also with USB keys. Therefore, we need to read exactly the same number of
sectors of data from the media as are found in the ISO image itself;
reading any more bytes from the media will alter the checksum result."
================================

There are more details here: https://www.debian.org/CD/verify as well.
Are you sure you are checking correctly?
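One way to apply the FAQ advice quoted above, hashing exactly the ISO's byte count from the burnt device instead of the whole device, as an added example that is not part of this thread (it assumes GNU coreutils dd, sha512sum, wc and mktemp on Linux; the demo file names and contents are constructed):

```shell
#!/bin/sh
# Added example, not from the thread: verify burnt media by hashing exactly
# the ISO's byte count from the device, so the trailing bytes a USB key or
# TAO-written disc returns do not alter the checksum (per the Debian CD FAQ).
# Assumes GNU coreutils (dd, sha512sum, wc, mktemp) on Linux.
set -eu

# Full-file digest, hex only (the part sha512sum prints before the file name).
hash_full() {
    sha512sum "$1" | cut -d' ' -f1
}

# Digest of exactly the first $2 bytes of $1, read in 2048-byte ISO sectors.
hash_prefix() {
    dd if="$1" bs=2048 count=$(( $2 / 2048 )) 2>/dev/null | sha512sum | cut -d' ' -f1
}

# Returns 0 when the media's leading ISO-sized region matches the ISO file.
# ISO 9660 images are whole 2048-byte sectors; refuse anything else rather
# than silently truncating the comparison.
verify_media() {
    iso=$1; dev=$2
    size=$(wc -c < "$iso" | tr -d ' ')
    [ $(( size % 2048 )) -eq 0 ] || { echo "not a whole-sector image: $iso" >&2; return 2; }
    [ "$(hash_full "$iso")" = "$(hash_prefix "$dev" "$size")" ]
}

# Constructed demo data: a two-sector "ISO" and a "device" file that holds the
# same bytes followed by 512 bytes of padding, mimicking what the media returns.
make_demo() {
    dir=$(mktemp -d)
    yes 'debian-live-demo' | head -c 4096 > "$dir/demo.iso"
    cat "$dir/demo.iso" > "$dir/fake-dev"
    dd if=/dev/zero bs=512 count=1 2>/dev/null >> "$dir/fake-dev"
    echo "$dir"
}

# Stand-alone run: whole-device hash differs, exact-length hash matches.
# On real media (needs root to read the device):
#   verify_media debian-8.5.0-i386-lxde-CD-1.iso /dev/sdb
demo=$(make_demo)
echo "iso:           $(hash_full "$demo/demo.iso")"
echo "whole device:  $(hash_full "$demo/fake-dev")"
echo "exact-length:  $(hash_prefix "$demo/fake-dev" 4096)"
verify_media "$demo/demo.iso" "$demo/fake-dev" && echo "media matches ISO"
rm -rf "$demo"
```

The whole-device digest is the mismatch the thread shows; the exact-length digest is the one to compare against SHA512SUMS.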