author: Elena ``of Valhalla'' Grandi <valhalla@trueelena.org>, 2025-08-18 16:42:41 +0200
committer: Elena ``of Valhalla'' Grandi <valhalla@trueelena.org>, 2025-08-18 16:42:41 +0200
commit: 942b86fd66aa192427b15a92c99c66c208dc5d7c
tree: f7faf10b49e5be4a5fe1f5d0bef1bc27fc3c639c
parent: d05bbef6c0167d3d9a812a02bcd2626fa0ae943b
Verifying Debian ARM installers
-rw-r--r-- source/desktop/index.rst | 1
-rw-r--r-- source/desktop/verifying_debian_arm_installer_images/index.rst | 64
2 files changed, 65 insertions, 0 deletions
diff --git a/source/desktop/index.rst b/source/desktop/index.rst
index 0ba8afc..353278f 100644
--- a/source/desktop/index.rst
+++ b/source/desktop/index.rst
@@ -8,3 +8,4 @@
command_line_printing/index
desktop_environment/index
+ verifying_debian_arm_installer_images/index
diff --git a/source/desktop/verifying_debian_arm_installer_images/index.rst b/source/desktop/verifying_debian_arm_installer_images/index.rst
new file mode 100644
index 0000000..da1840b
--- /dev/null
+++ b/source/desktop/verifying_debian_arm_installer_images/index.rst
@@ -0,0 +1,64 @@
+***************************************
+ Verifying Debian Arm Installer Images
+***************************************
+
+Most ARM SBCs aren't able to boot the plain debian installer images, so
+they require a custom per-board concatenateable image, and these don't
+have a convenient SHA256SUM + SHA256SUM.gpg file to verify them.
+
+There is however a chain of verifiability (to the keys distributed in
+the debian-archive-keyring package), and this is the non-trivial
+procedure to verify them.
+
+1. Download the images from
+ https://ftp.debian.org/debian/dists/trixie/main/installer-armhf/current/images/
+ (choose either hd-media or netboot, then SD-card-images and download
+ the ``firmware.*`` file for your board as well as
+ ``partition.img.gz``).
+
+2. Download the checksums file
+ https://ftp.debian.org/debian/dists/trixie/main/installer-armhf/current/images/SHA256SUMS
+
+3. Download the Release file from
+ https://ftp.debian.org/debian/dists/trixie/InRelease
+
+4. Verify the Release file::
+
+ gpg --no-default-keyring \
+ --keyring /usr/share/keyrings/debian-archive-keyring.pgp \
+ --verify InRelease
+
+5. Verify the checksums file::
+
+ awk '/installer-armhf\/current\/images\/SHA256SUMS/ {print $1 "
+ SHA256SUMS"}' InRelease | tail -n 1 | sha256sum -c
+
+ (There is probably a way to skip the tail command and use just awk)
+
+6. Verify the actual files, for ``hd-media``::
+
+ grep hd-media SHA256SUMS \
+ | sed 's#hd-media/SD-card-images/##' \
+ | sha256sum -c --ignore-missing
+
+ and for ``netboot``::
+
+ grep netboot SHA256SUMS \
+ | sed 's#netboot/SD-card-images/##' \
+ | sha256sum -c --ignore-missing
+
+ and check that all of the files you wanted are there with an OK
+
+The same procedure can be used to verify arm64 images by changing armhf
+to arm64 everywhere.
+
+See also
+========
+
+* `Vagrant on the debian-arm mailing list
+ <https://lists.debian.org/debian-arm/2023/02/msg00001.html>`_
+* `My blog post where I wrote these instructions the first time
+ <https://blog.trueelena.org/blog/2023/02/02-how-to-verify-debian-arm-installer-images/index.html>`_
+
+..
+ vim: set filetype=rst:
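Review bot: Step 5 reads the expected SHA256SUMS hash from the raw InRelease file, but the gpg --verify in step 4 only vouches for the text inside the clearsigned block, so a matching line sitting outside that block would still be picked up by awk, and tail -n 1 takes the last match. Consider having step 4 write out the signed text, for example with gpg --output Release --decrypt InRelease and the same keyring options, and pointing the awk command at that Release file instead. Separately, the awk program in step 5 is wrapped in the middle of its string literal (after print $1 "), which awk rejects as an unterminated string when the two lines are pasted as written; keeping the program on one line and breaking after the closing single quote with a backslash, as the step 6 commands do, would make it copy-pasteable. The last sentence of step 6 ("check that all of the files you wanted are there with an OK") is doing real work because of --ignore-missing, so it may deserve a short explanation that a file absent from the output was not verified at all.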