amkhlv

Reputation: 337

How to verify the integrity of a Debian CD image?

I want to verify the integrity of the file SHA512SUMS, which I downloaded from http://cdimage.debian.org/debian-cd/8.1.0/i386/iso-cd/, using the detached signature SHA512SUMS.sign. How can I obtain the Debian public key? What is the right keyserver?

Upvotes: 1

Views: 3355

Answers (2)

Saigo

Reputation: 425

I found that Whonix has much clearer instructions for verifying CD images: https://www.whonix.org/wiki/Debian

Steps:

  1. Open the URL path to the directory containing the desired CD image. This directory will also contain the checksum files. (e.g. http://cdimage.debian.org/debian-cd/8.3.0/amd64/iso-cd/ for Debian 8.3.0)
  2. Download your CD image as well as the appropriate checksum and checksum signature. (e.g. SHA512SUMS and SHA512SUMS.sign)
  3. Install the Debian keyring. (sudo apt-get install debian-keyring)
  4. Verify the checksum signature. (gpg --no-default-keyring --keyring /usr/share/keyrings/debian-role-keys.gpg --verify SHA512SUMS.sign) As long as "gpg: Good signature" is contained, you can ignore "This key is not certified with a trusted signature!" warnings.
  5. Verify the CD image matches the checksum. (sha512sum -c SHA512SUMS) This must show "debian-8.3.0-amd64-netinst.iso: OK" or the equivalent for the CD image you downloaded. All other images will have "no such file" warnings, that's fine.

If (and only if) your CD image checks out as OK, you have successfully verified your image!

Upvotes: 4

amkhlv

Reputation: 337

It seems that gpg --keyring /usr/share/keyrings/debian-role-keys.gpg --verify SHA512SUMS.sign SHA512SUMS works

Upvotes: 0
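
The steps from the two answers above as a fail-closed script, added here as an example and not part of either answer: it reads gpg's machine-readable --status-fd lines instead of matching the "Good signature" text, and checks only the downloaded image's line in SHA512SUMS so the "no such file" noise for other images never appears. The function names are hypothetical; the keyring path is the one given in the answers.

```shell
#!/bin/sh
# Added example; function names are hypothetical, keyring path is from the answers.
KEYRING=/usr/share/keyrings/debian-role-keys.gpg

# Read gpg --status-fd output on stdin. Succeed only if a GOODSIG line is
# present and no line reports a bad, unverifiable, expired or revoked signature.
sig_status_ok() {
    awk '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG" { good = 1 }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        END { if (good && !bad) exit 0; exit 1 }
    '
}

# $1 = detached signature (SHA512SUMS.sign), $2 = signed file (SHA512SUMS)
verify_signature() {
    gpg --no-default-keyring --keyring "$KEYRING" --status-fd 1 \
        --verify "$1" "$2" 2>/dev/null | sig_status_ok
}

# $1 = checksum file, $2 = downloaded image.
# Returns 0 on match, 1 on mismatch, 2 if the image is not listed at all.
verify_image() {
    name=$(basename "$2")
    want=$(awk -v n="$name" '$2 == n || $2 == "*" n { print $1; exit }' "$1")
    [ -n "$want" ] || return 2
    have=$(sha512sum "$2" | awk '{ print $1 }')
    [ "$want" = "$have" ]
}

# $1 = SHA512SUMS.sign, $2 = SHA512SUMS, $3 = image
verify_all() {
    verify_signature "$1" "$2" || { echo "signature check failed" >&2; return 1; }
    verify_image "$2" "$3" || { echo "checksum check failed" >&2; return 1; }
    echo "$3: OK"
}

# Run only when called with the three file arguments.
if [ $# -eq 3 ]; then
    verify_all "$@"
fi
```

The signature is checked before the checksum on purpose: a SHA512SUMS file that has not been authenticated proves nothing about the image.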
