• Can we get a signature for armhf SD-card images?

    From Larry Doolittle@21:1/5 to All on Wed Feb 1 02:50:02 2023
    Friends -

    I looked and wasn't able to find a digital signature for
    the SHA256SUMS file in
    http://ftp.debian.org/debian/dists/bullseye/main/installer-armhf/current/images/
    or
    http://ftp.debian.org/debian/dists/bookworm/main/installer-armhf/current/images/

    There _are_ signatures provided for CD images at
    https://cdimage.debian.org/debian-cd/current/armhf/iso-cd/
    but that's not the normal installation process for the gazillion armhf SBCs.

    I'm pretty sure most people are like me, and use the process documented
    in "5.1.5. Using pre-built SD-card images with the installer" at
    https://www.debian.org/releases/bullseye/armhf/ch05s01.en.html
    or
    https://www.debian.org/releases/bookworm/armhf/ch05s01.en.html

    Am I blind? Can the process be adjusted to generate such a signature file?

    - Larry

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Vagrant Cascadian@21:1/5 to Larry Doolittle on Wed Feb 1 04:00:02 2023
    On 2023-01-31, Larry Doolittle wrote:
    > Friends -
    >
    > I looked and wasn't able to find a digital signature for
    > the SHA256SUMS file in
    > http://ftp.debian.org/debian/dists/bullseye/main/installer-armhf/current/images/
    > or
    > http://ftp.debian.org/debian/dists/bookworm/main/installer-armhf/current/images/

    Take a look at:

    https://ftp.debian.org/debian/dists/bullseye/Release

    The Release file is signed (either inline as InRelease or detached as
    Release.gpg), and has checksums for the relevant SHA256SUMS files that
    you are looking for...

    > Am I blind?

    It is admittedly a bit indirect and non-obvious, having to download a
    Release file, check the signature on that, then download the relevant
    SHA256SUMS files and check their checksums with the (verified) Release
    file... but there is at least a chain of verifiability...

    > Can the process be adjusted to generate such a signature file?

    It would be nice to have fewer steps to verify, because any complicated
    verification process quickly downgrades to no verification process...


    live well,
    vagrant

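The chain described in the reply above (signed Release, then SHA256SUMS, then the image), as an added shell example that is not part of the original posts. The function names, the local directory layout and the keyring path (the one installed by the debian-archive-keyring package) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed local layout: Release and
# Release.gpg from dists/<suite>/, plus an images directory holding
# SHA256SUMS and the downloaded image at the same relative path.

KEYRING=${KEYRING:-/usr/share/keyrings/debian-archive-keyring.gpg}  # assumed path

sha256_of() { sha256sum "$1" | awk '{ print $1 }'; }

# Step 1: check the detached signature on Release.
verify_release_sig() {   # verify_release_sig Release.gpg Release
    gpgv --keyring "$KEYRING" "$1" "$2"
}

# Step 2: print the hash that the SHA256 block of Release lists for a path
# relative to dists/<suite>/; fail if there is no such entry.
release_sha256() {       # release_sha256 Release path
    awk -v want="$2" '
        /^[^ ]/ { in_sha = ($1 == "SHA256:") }   # field header: enter or leave the block
        in_sha && NF == 3 && $3 == want { print $1; found = 1; exit }
        END { exit !found }' "$1"
}

# Step 3: SHA256SUMS is trusted only if it matches its entry in Release.
check_sums_file() {      # check_sums_file Release path images_dir
    want=$(release_sha256 "$1" "$2") || return 2
    [ "$want" = "$(sha256_of "$3/SHA256SUMS")" ]
}

# Step 4: the image is trusted only if it matches its line in SHA256SUMS.
check_image() {          # check_image images_dir ./relative/image
    want=$(awk -v f="$2" '$2 == f { print $1; found = 1; exit }
                          END { exit !found }' "$1/SHA256SUMS") || return 2
    [ "$want" = "$(cd "$1" && sha256_of "$2")" ]
}

# Steps 2-4 in order, for a Release file whose signature already verified.
verify_chain() {         # verify_chain Release sums_path images_dir image
    check_sums_file "$1" "$2" "$3" ||
        { echo "SHA256SUMS not vouched for by Release" >&2; return 1; }
    check_image "$3" "$4" ||
        { echo "image does not match SHA256SUMS" >&2; return 1; }
    echo "OK: $4"
}
```

Source the file, run `verify_release_sig Release.gpg Release` first, and call `verify_chain` only if that succeeds; the path argument is the one listed in Release, for example `main/installer-armhf/current/images/SHA256SUMS`.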
  • From Larry Doolittle@21:1/5 to Vagrant Cascadian on Wed Feb 1 18:40:01 2023
    Vagrant et al. -

    On Tue, Jan 31, 2023 at 06:57:17PM -0800, Vagrant Cascadian wrote:
    > Take a look at:
    > https://ftp.debian.org/debian/dists/bullseye/Release
    > The Release file is signed (either inline as InRelease or detached as
    > Release.gpg), and has checksums for the relevant SHA256SUMS files that
    > you are looking for...

    Cool! That's the hint I was looking for. I can now verify the files
    for a fresh Bookworm install I'm about to attempt on an armhf SBC.

    > > Am I blind?
    > It is admittedly a bit indirect and non-obvious, [...]

    I'm all too aware of how hard it is to make good (complete,
    comprehensible, discoverable) documentation.

    I just tried a number of Internet searches e.g.,
    "verify integrity of debian release files" and nothing pointed me to the
    magic "Release" file. Lots of hints about getting to the SHA256SUMS files.

    The install guide section
    4.6. Verifying the integrity of installation files
    seems key. It gives three main links: to CD and DVD (each goes to nice pages on cdimage.debian.org that mention that the checksum files are signed),
    and one to "other installation files" (on ftp.debian.org) that does not.
    That would seem to say that
    http://ftp.debian.org/debian/dists/bookworm/main/installer-arm64/current/images/
    deserves a README about integrity-checking and the existence of a
    digital signature for Release.

    - Larry
