If you want to verify your Debian squeeze CD images from a Debian lenny system, you need to update the keyring, because otherwise the following error occurs during verification:
gpg: Signature made Sun Feb 6 01:09:16 2011 CET using RSA key ID 6294BE9B
gpg: Can’t check signature: public key not found
Do the following steps as root:
Edit your /etc/apt/sources.list and add the line:
deb http://ftp.de.debian.org/debian wheezy main
then run
apt-get update
If there is an error ("too many package descriptions"), comment out some other entries in /etc/apt/sources.list. Continue with
apt-get install debian-keyring/testing
apt will remove debian-maintainers, but I don’t think this package is necessary.
Change your /etc/apt/sources.list back to its original contents, then run
apt-get update
Change back to your normal user.
Now you can verify the images by first downloading the iso-file and the corresponding SHA512SUMS and SHA512SUMS.sign files from the same directory (for 64bit PC: http://cdimage.debian.org/debian-cd/6.0.0/amd64/iso-cd/).
Then verify the signature on the SHA512SUMS file and the sha512 hash value:
cd /home/your/iso/directory
gpg --no-default-keyring --keyring /usr/share/keyrings/debian-role-keys.gpg --verify SHA512SUMS.sign
gpg: Signature made Sun Feb 6 01:09:16 2011 CET using RSA key ID 6294BE9B
gpg: Good signature from „Debian CD signing key „
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B
The warning may be safely ignored because apt cryptographically verifies all packages and the keyring file debian-role-keys.gpg was installed by apt.
sha512sum -c SHA512SUMS
debian-6.0.0-amd64-CD-1.iso: FAILED open or read
….
debian-6.0.0-amd64-netinst.iso: OK
….
You can ignore the "FAILED open or read" lines: sha512sum just looks for all CD images listed in the file and cannot open the ones you did not download. The "OK" line must be there.
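The two checks above as a script, added here as an example and not part of the original post. It accepts the signature only if gpg reports the fingerprint shown above, and it hashes only the image you name, because sha512sum -c exits non-zero whenever listed files are missing and so its exit status alone cannot be used. Function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Fingerprint printed by gpg in the post above, with the spaces removed.
EXPECTED_FPR="DF9B9C49EAA9298432589D76DA87E80D6294BE9B"
KEYRING="/usr/share/keyrings/debian-role-keys.gpg"

# Succeeds only if gpg's machine-readable status text contains a VALIDSIG
# line whose signing-key fingerprint equals $2. $1 = status text.
status_has_validsig() {
    printf '%s\n' "$1" | awk -v fpr="$2" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && $3 == fpr { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Verifies <sums>.sign against <sums> using only the Debian role keyring,
# then pins the result to the expected fingerprint. $1 = sums file.
verify_sums_signature() {
    status=$(gpg --no-default-keyring --keyring "$KEYRING" --status-fd 1 \
                 --verify "$1.sign" "$1" 2>/dev/null) || return 1
    status_has_validsig "$status" "$EXPECTED_FPR"
}

# Checks one image against its own line in the sums file, so images that
# were not downloaded produce neither FAILED lines nor a failing exit status.
# $1 = sums file, $2 = image file name in the current directory.
check_listed_image() {
    # Second field is "name" (text mode) or "*name" (binary mode).
    line=$(awk -v f="$2" '$2 == f || $2 == "*" f' "$1")
    [ -n "$line" ] || { echo "$2: not listed in $1" >&2; return 1; }
    printf '%s\n' "$line" | sha512sum -c - >/dev/null
}

# Usage, run in the download directory:
#   verify_sums_signature SHA512SUMS &&
#       check_listed_image SHA512SUMS debian-6.0.0-amd64-netinst.iso &&
#       echo "image verified"
```

Run the signature check first: a matching hash means nothing if the SHA512SUMS file itself was not signed by the expected key.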
Now you have successfully verified the ISO – have fun installing!