blob: 62118df4f341a154ee0614e4db84297341443fed (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
|
***************************************
Verifying Debian Arm Installer Images
***************************************
Most ARM SBCs aren't able to boot the plain debian installer images, so
they require a custom per-board concatenateable image, and these don't
have a convenient ``SHA256SUM`` + ``SHA256SUM.sign`` file to verify them.
There is however a chain of verifiability (to the keys distributed in
the debian-archive-keyring package), and this is the non-trivial
procedure to verify them.
1. Download the images from
https://ftp.debian.org/debian/dists/trixie/main/installer-armhf/current/images/
(choose either hd-media or netboot, then SD-card-images and download
the ``firmware.*`` file for your board as well as
``partition.img.gz``).
2. Download the checksums file
https://ftp.debian.org/debian/dists/trixie/main/installer-armhf/current/images/SHA256SUMS
3. Download the Release file from
https://ftp.debian.org/debian/dists/trixie/InRelease
4. Verify the Release file::
gpg --no-default-keyring \
--keyring /usr/share/keyrings/debian-archive-keyring.pgp \
--verify InRelease
5. Verify the checksums file::
awk '/installer-armhf\/current\/images\/SHA256SUMS/ {print $1 "
SHA256SUMS"}' InRelease | tail -n 1 | sha256sum -c
(There is probably a way to skip the tail command and use just awk)
6. Verify the actual files, for ``hd-media``::
grep hd-media SHA256SUMS \
| sed 's#hd-media/SD-card-images/##' \
| sha256sum -c --ignore-missing
and for ``netboot``::
grep netboot SHA256SUMS \
| sed 's#netboot/SD-card-images/##' \
| sha256sum -c --ignore-missing
and check that all of the files you wanted are there with an OK
The same procedure can be used to verify arm64 images by changing armhf
to arm64 everywhere.
See also
========
* `Vagrant on the debian-arm mailing list
<https://lists.debian.org/debian-arm/2023/02/msg00001.html>`_
* `My blog post where I wrote these instructions the first time
<https://blog.trueelena.org/blog/2023/02/02-how-to-verify-debian-arm-installer-images/index.html>`_
..
vim: set filetype=rst:
|
