Verifying debian squeeze CD images from lenny

If you want to verify your debian squeeze CD images from a debian lenny system, you need to update the keyring because otherwise the following error occurs during verification:

gpg: Signature made Sun Feb 6 01:09:16 2011 CET using RSA key ID 6294BE9B
gpg: Can’t check signature: public key not found

Do the following steps as root:
edit your /etc/apt/sources.list: add the line:

deb wheezy main

then run

apt-get update

If there is an error („too many package descriptions“): comment out some other entries in /etc/apt/sources.list. Go on with

apt-get install debian-keyring/testing

apt will remove debian-maintainers, but I don’t think this package is neccesary.
change your /etc/apt/sources.list back to its original contents.

apt-get update

Change back to your normal user.

Now you can verify the images by first downloading the iso-file and the corresponding SHA512SUMS and SHA512SUMS.sign files from the same directory (for 64bit PC:

Then verify the sha512 hash value:


 cd /home/your/iso/directory
 gpg --no-default-keyring --keyring /usr/share/keyrings/debian-role-keys.gpg --verify SHA512SUMS.sign

gpg: Signature made Sun Feb 6 01:09:16 2011 CET using RSA key ID 6294BE9B
gpg: Good signature from „Debian CD signing key „
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B

The warning may be safely ignored because apt cryptographically verifies all packages and the keyring file debian-role-keys.gpg was installed by apt.

sha512sum -c SHA512SUMS

debian-6.0.0-amd64-CD-1.iso: FAILED open or read
debian-6.0.0-amd64-netinst.iso: OK

You can ignore the „FAILED open or read“ lines – sha512sum just looks for all cd images listed in the file. The „OK“ line must be there.

Now you have successfully verified the ISO – have fun installing!

Leave a Reply