Verifying authenticity of Debian CDs
Official releases of Debian CDs come with signed checksum files;
look for them alongside the images in the
iso-hybrid etc. directories.
These allow you to check that the images you download are correct.
First of all, the checksum can be used to check that the CDs have not
been corrupted during download.
Secondly, the signatures on the checksum files allow you to confirm
that the files are the ones officially released by the Debian CD /
Debian Live team and have not been tampered with.
To validate the contents of a CD image, just be sure to use the
appropriate checksum tool.
For older archived CD releases, only MD5 checksums were generated in
MD5SUMS files; you should use the tool
md5sum to work with these.
For newer releases, newer and cryptographically stronger checksum
algorithms (SHA1, SHA256 and SHA512) are used, and there are equivalent
tools available to work with these.
To ensure that the checksums files themselves are correct, use GnuPG to
verify them against the accompanying signature files (e.g.
The keys used for these signatures are all in the Debian GPG keyring and the best
way to check them is to use that keyring to validate via the web of
To make life easier for users, here are the fingerprints for the keys
that have been used for releases in recent years:
pub 4096R/64E6EA7D 2009-10-03 Key fingerprint = 1046 0DAD 7616 5AD8 1FBC 0CE9 9880 21A9 64E6 EA7D uid Debian CD signing key <email@example.com> pub 4096R/6294BE9B 2011-01-05 Key fingerprint = DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B uid Debian CD signing key <firstname.lastname@example.org> sub 4096R/11CD9819 2011-01-05 pub 4096R/09EA8AC3 2014-04-15 Key fingerprint = F41D 3034 2F35 4669 5F65 C669 4246 8F40 09EA 8AC3 uid Debian Testing CDs Automatic Signing Key <email@example.com> sub 4096R/6BD05CFB 2014-04-15