Tracking Forums, Newsgroups, Maling Lists
Home Scripts Tutorials Tracker Forums
  Advanced Search
  HOME    TRACKER    Linux


Debian Installation :: "Signing Keys" / Verify The File With MD-5, SHA-256?

Anyone attempting to install Debian Squeeze from CD-1, or Debian-live DVD will want to know how to verify the file with MD-5, SHA-256 and (available for some versions only) SHA-512 checksums of the iso images, using the appropriate signing key. But there are no instructions that I can find in the Debian CD FAQ, which simply points users at the archive keyring. Now according to this message, as of 9 Feb 2011 the Debian Squeeze archive signing key has fingerprint 9FED 2BCB DCD2 9CDF 7626 78CB AED4 B06F 4730 41FA

The Debian signing key website gives the archive signing key as the master key, and (this addresses the problem I raised elsewhere) even makes it available via https. That sounds good! Just one problem: the detached signatures for files such as url

which gives the SHA-256 sum for url

have been signed with a different key, which has fingerprint DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B

No wonder I am confused! And it seems that I may not be the only one; others seem to be confused also.

If no-one at the Debian mailing list can explain what is going on, I have little hope that anyone here will be able to clear this up, but I'll ask anyway: what are all the Debian related GPG keys and where do you find them all? is it true that there are different keys needed to verify CD iso images and debs? (And... what else?) where do you go to obtain all the lastest Debian keys via https? (This is important as it can hinder MITM attacks by lone crackers, assorted crooks, maybe even state actors, etc.; the "Comodogate" story provides clear evidence that there are people or organizations interested in mounting MITM attacks on persons downloading open-source software). in particular, it is sometimes convenient to use a live-CD to download an iso image (for example, when you no longer trust the system you are trying to upgrade!) and then one wants to use GPG to check the file with the checksum, so one needs to quickly locate and import into the GPG keyring of the (temporary) live-CD session the correct key; so where can I find the CD-signing key availalble via https? shouldn't the CD FAQ explain all this?

View 5 Replies (Posted: 2011-03-31 15:34)

Sponsored Links:

Related Forum Messages For Linux category:
Ubuntu :: Archive Automatic Signing Keys 10.10?
Initially I had a problem installing restricted extras. However, it appears the problem is more than a media problem, so I moved my thread here. I copied over what I thought the relevant code was from my previous thread. Anyone have ideas on how I can fix this?

onoku@onoku-MacBook:~$ sudo apt-get update && sudo apt-get upgrade
[sudo] password for onoku:


Posted: May 14th, 2011

View 9 Replies!   View Related
Debian :: Nautilus File Browser - Open Folder By Using The Shift And F4 Keys
In the kde realm, with the dolphin file browser, I can open a terminal in whatever folder is in the gui by using the shift and f4 keys. I'd like to be able to accomplish the same in gnome with the nautilus file browser but can't figure out how to do same. So far I have to open a terminal and then cd to the desired folder. Or do I have to use some other file browser and which one?

Posted: 2011-03-21 11:50

View 2 Replies!   View Related
General :: How To Verify If The File Is Binary Or Text Without To Open The File
how to verify if the file is binary or text without to open the file

Posted: Sep 7 10 at 8:40

View 2 Replies!   View Related
Ubuntu :: Verify Two File Are Exactly The Same?
I have a large file that I copied. (very large).What is the best way to verify the copy is an exact match?md5sum or is there better?

Posted: 4 Weeks Ago

View 1 Replies!   View Related
Debian :: How To Verify The Squeeze CD-1 Iso
I have been trying to figure out some way of installing Squeeze with some assurance that the new installation won't be pwned from Day One--- and so far I have had no success. Even worse, I have been having some strange problems using SSL in my existing Lenny installation which has been further hampering my efforts. And which may be consistent with the hypothesis that I am in fact being subjected to an on-going MITM attack when I try to install Squeeze over the net. This possibility has encouraged me to keep trying to take reasonable steps to ensure that key binaries in my forthcoming Squeeze have not been tampered with by the time I finish the initial installation. I am seeking steps that can be taken by an average user willing to follow directions written by an expert user.

I found a very interesting recent Debian Security mailing list thread which articulates some of the same concerns that I tried to express several weeks ago. The scenarios which concern Naja Melan and myself (and ???) should not simply be dismissed as too implausible to be worth trying to prevent. I think Melan's thread is rather prescient in view of "Comodogate": ... estion.ars ... lent-https ... ompromise/ ... forgeries/ ... ompromise/ ... rtificatesOne of the fake certs acquired by the bad guys would have enabled them to mount a MITM attack on anyone trying to install updates to Iceweasel/Firefox add-ons via, which I think certainly suggests that the alleged state actor intended to tamper with at least some software.

(EDIT: important new developments in that story: ... festo.html ... y-attacker ... aks_cover/ ... o-hack.arsBriefly, an anon who claims to be Iranian and who claims to have acted alone, and who suggests that he has some connection with political dissidents inside Iran, has claimed to have been the Comodo affiliate cracker. At least one pentester finds the claim plausible. It woudl explain several aspects of the breach which did not appear consistent with Comodo's conclusion that the breach was sponsored by the Iranian government.)

Posted: 2011-03-26 21:26

View 5 Replies!   View Related
Debian Multimedia :: Binding Scripts To Keys - Will Openbox Not Allow For Scripts To Be In The Rc.xml File
I'm using Openbox, and I'm working on some scripts to automatically change several things at once (wallpaper, theme, idesk icons, wbar, etc), and I've started with a simple script for changing the wallpaper. I have three different scripts, each one connected to a different wallpaper. The scripts are in my /usr/bin file, so I just have to type the script name and it goes. Trouble is, I've tried assigning it to a keybinding in Openbox's rc.xml, and I can't seem to get them to work.

Here's one of them:

<keybind key="C-F10">
<action name="Execute">

It's supposed to make it so I type ctrl+F10 to switch to a steampunk wallpaper I have. I can do the script from the command prompt, but I can't get the keybinding to work. Anybody know why? Will Openbox not allow for scripts to be in the rc.xml file?

Posted: 2011-09-11 03:04

View 3 Replies!   View Related
OpenSUSE :: MD5 Hashcheck - Check And Verify Downloaded File
Is there a program available which will check and verify a downloaded file. Ubuntu has gtkhash and Mandriva uses Parano. I know how to Md5 using the command line, but gui software would be a bonus.

Posted: 05-Aug-2010 00:19

View 4 Replies!   View Related
Ubuntu :: Verify A Multi-volume 7z Archive File
I used 7z to create a multi-volume 7z archive file with 0 compression rate. with this command:

7z a -t7z -v1g -mx0 /home/movies/documents.7z /home/documents
a stands for add
t stands for type definition
7z stands for 7z archive type


Posted: January 7th, 2010

View 3 Replies!   View Related
Ubuntu Servers :: Verify What IP Address Created What File
I know the who belongs to the IP address that created the file. (is there any way to verify what IP address created what file?) My concern is that it did not come from the address specified. I found this in /tmp/


Posted: June 10th, 2010

View 1 Replies!   View Related
Debian Configuration :: Verify Link Connection Speed?
How to verify that Debian is running at 100 Mbps or 1000 Mbps? I can view the report from 'ifconfig eth0' but I can't see how fast the link has been established.

Posted: 2010-08-05 17:57

View 2 Replies!   View Related
Programming :: Verify User Login (for A Debian System) Correct Without Actually Logging In?
I'm looking for some way to verify if a user login (for a Debian system) is correct, without actually logging in. My optimal solution would take a candidate username and password as arguments, and (say) return 1 if the username and password are a valid login on the system, and return 0 if it is not. The language used is not really important. (maybe... comparing a hash of the password to the one stored in /etc/shadow? -- but I have no idea how these hashing algorithms work or how to implement them)

Is there an easy way to do this? Security isn't a *huuuuge* concern, as this will be used in a web app that is only available to our local LAN.

Posted: 07-25-2007, 02:16 PM

View 12 Replies!   View Related
Ubuntu Installation :: Does Not Complete Its Installation Verify?
I'm trying to install Ubuntu 10.10 on a computer that's already running Windows Vista. I used the Wubi installer and it seemed to go through the installation fine (using the desktop, amd64 iso file). After rebooting, I get the dual boot option. However, on Ubuntu start-up, I get a display with the message stating Verifying Installation Files. It seems to go through some verification, but then it gets stuck. I see a bunch of lines with the words "ubuntu ubiquity" with hexadecimal values and regular words. The last hexadecimal values to appear are: 7f2698c50d8e, 7f2698fca815; the last regular word is "_target".

If I quit out of the verification, I am able to get onto the desktop area, but a message appears stating a parted_server crash occured. Also, my wireless connection doesn't work, but I suspect I need to install a driver.

Posted: March 3rd, 2011

View 2 Replies!   View Related
General :: Verify Installation Of Serial Port Library?
I want to verify that serial port libraries are installed in my system.I know that it is installed at /usr/local/lib. But I dont know what all files are to be present in there, so to ensure that the same is installed properly. Iam using suse 11.1.

Posted: 06-01-2010, 03:54 AM

View 1 Replies!   View Related
Fedora Installation :: Where To Get The Md5 Checksum To Verify If The Downloaded Iso Correct
I just downloaded the "Fedora-11-i686-Live-KDE.iso" and "Fedora-11-i686-Live.iso". I want to check if the downloaded files correct or not. I can use a tool to get the md5 sum of the downloaded files. But I want to compare them with the original ones.

Posted: 13th September 2009, 12:47 PM

View 6 Replies!   View Related
Fedora Installation :: Configure Ext4 Partition And Verify Download?
i tried to install f13 from live cd and failed. i have 2 questions. i do not understand how to setup partitions according to scottro's message. It says you need small ext3-formatted /boot partion and a ext4-formatted root partition. Does this configuration have to be setup before you boot into the live cd? If so, please tell me how to set this up. my pc is pentium d with 2 hard drives. The master hd is has xp, ubuntu8.04, and swap partitions. I would like to use one-half of the slave drive for f13.

Second question. I would like to be able to verify download of fedora-13-i686.iso. I downloaded it to my xp partition and installed Windows MD5summer. Where or how do i get the md5 file for this iso file?

Posted: 5th June 2010, 03:54 PM

View 14 Replies!   View Related
Fedora :: How To Boot Up Without Signing In
I have had to ditch ubuntu after 4 happy years as their 10.04 release was crazily resource hungry on my humble machine. Installed F13 smoothly and without any problems and so far it doesn't appear to be as resource hungry as ubuntu. One thing I have not been able to find in either gnome preferences or administration is where to set it to go straight to desktop without messing around with passwords and stuff.

Posted: 2nd July 2010, 06:18 PM

View 3 Replies!   View Related
Software :: When Verify My Java Installation Online On Website It Show Missing Plugin
I am trying to install javain my machine but dont think its happening.

Now when i verify my java installation online on java website it show missing plugin.

Posted: 09-24-2010, 01:47 PM

View 14 Replies!   View Related
Fedora :: Pidgin And Empathy Not Signing Into Msn?
Recently jumped from Ubuntu to Fedora 12 over the weekend, has been quite the bumpy ride. Though fun of course. But I'm having trouble coming to a solution for this problem, that started today. When signing into both Empathy or Pidgin (only with msn account) they both just hang on the white screen inactive... I say "inactive" the program hasn't frozen I just cannot be signed in. Also, in Pidgin at the bottom, next to where it shows your status, it has;

"Available - Waiting for network connection"

Posted: 18th January 2010, 11:17 PM

View 3 Replies!   View Related
Server :: Signing Up To The Amazon EC2 Service With EBS?
I am interested in signing up to the Amazon EC2 service with EBS. I have never used a unmanaged vps before, but I know how to use the command line etc. There are some basic packs on there to use, with basic LAMP stacks. But I would like to ask about how do I:

Upgrade a lamp stack? - someone mentioned yum, but what is this? how easy is it to use? is it enough? secure the lamp stack? - assuming I have no idea of linux security, can you give me a list or something of things I need to consider so I can begin the search (or just cover the steps would be awesome!) My website just uses php and mysql, so thats all i'll need. If you have any other tips on this,

Posted: 01-09-2011, 08:02 AM

View 1 Replies!   View Related
Programming :: Digitally Signing Bash Scripts?
Is there any way to protect a bash script with a digital signature, so that it can't be executed if it has been meddled with? Or, if this is not possible for bash scripts, is it possible for any other type of scripts (Python, Perl?) in Linux?

Posted: 02-01-2011

View 5 Replies!   View Related
Fedora :: Flash Plugin Signing Key - Cannot Update
Running graphical software update, fc13. Attached are screenshots, which appear in sequence. The first seems to be asking if I trust the source, Adobe. (The Help for this window says I can go to the adobe website to confirm details of the signing key, which I will do if there is not a simpler fix.) If I respond in affirmative to the first window I get the failure window, second shot, with traceback.

Posted: 11th August 2010, 11:22 PM

View 5 Replies!   View Related
General :: Yahoo Messenger Not Signing In With Squid 2.5 Stable 6
I have configured squid 2.5 stable 6. I can browse any website. I can even use msn messenger but I cannot use yahoo messenger. I have also set the http proxy settings in preference for yahoo messenger but still it does not sign in.

Posted: 08-30-2009, 11:47 PM

View 6 Replies!   View Related
Ubuntu :: Pidgin Not Signing In After Changed Hotmail IM Password?
So Pidgin was workign just fine in Ubuntu Studio karmic... After i Changed my password for my msn IM for security reasons it just woun't sign me in.

Iv tried so many times, my pass is correct... But i keep getting this message

"NEW MSN account
Authentication failed
Edit Account"

Posted: February 23rd, 2010

View 2 Replies!   View Related
General :: F3 - F5 Keys Incorrectly Behaving As Audio Keys / Remap Them To Original Meaning?
I don't know if this is a configuration issue or a hardware issue, but I have a Kinesis Advantage USB keyboard and for some reason the F3-F5 keys aren't responding as they used to. They don't respond to anything and, when I tried using F5 on Emacs, it said <XF86AudioNext> is undefined, so I guess it's a weird mapping problem.

Any idea how I could remap them to the original meaning?

Posted: Apr 17 10 at 2:02

View 2 Replies!   View Related
Copyright 2005-08, All rights reserved