Hi, i wrote in https://lists.debian.org/debian-user/2019/04/msg00214.html > > > SHA512SUMS.sign [...] SHA512SUMS [...] debian-9.8.0-amd64-netinst.iso
john doe wrote: > > $ sha512sum -c --ignore-missing <CHECKSUM-FILE> > > The '--strict' option could also be used. Steve McIntyre wrote: > If you're happy for me to borrow your text > above, I think it's a good start! I meanwhile discovered that i already wrote a more concise wiki paragraph about that issue: https://wiki.debian.org/JigdoOnLive#Verify_the_Debian_Live_download Especially this line gpg --keyserver keyring.debian.org --verify SHA512SUMS.sign SHA512SUMS is obviously an improvement over mine in msg00214.html gpg --keyserver keyring.debian.org --recv-keys 64E6EA7D gpg --keyserver keyring.debian.org --recv-keys 6294BE9B gpg --keyserver keyring.debian.org --recv-keys 09EA8AC3 gpg --verify SHA512SUMS.sign SHA512SUMS (In that wiki i propose to first verify the SHA512SUMS and afterwards the gpg signature. IIRC, i had in mind that transport damage of the ISO is more likely than transport damage of the SHA512SUMS file or malicious activities. Whether this is a valid idea stays undecided ... scratching head.) Have a nice day :) Thomas
