Re: Verifying authenticity of Debian CDs

[semih ozlem <semihozlemsemihozlem@gmail.com>]

What I am trying to do is

run a command like

gpg --verify "name of the signature file" "name of the file"

should this be for example SHA1SUM.sign SHA1SUM in case of the files on the webpage https://cdimage.debian.org/debian-cd/current-live/amd64/bt-hybrid/

when I run this command I get the message

Can't check signature: No public key

Where can the public key be found.

semih ozlem <semihozlemsemihozlem@gmail.com>, 24 Tem 2020 Cum, 17:31 tarihinde şunu yazdı:

Hi

I am writing because I was puzzled about part of the explanation on the page

https://www.debian.org/CD/verify

I do not understand from the given page how to use .sign files and gpg in order to check verify the authenticity of debian cds. I understand the part with using sha256sum or sha512sum or md5sum to check whether the files were downloaded correctly.

What I do not understand is, should one download keys from debian keyserver and/or use the files with extension .sign and gpg to perform some sort of verification. If so what are the steps that should be taken to do this step.

Also where should one find uids or ids of keys to receive from the keyserver to check specifically latest debian isos.

Thank you in advance for your help. And it would be wonderful if the webpage states these steps.