Hacking Articles Part 10 (1)


2. Now we need to verify the hashsum of the ISO file

- We need to check the hashsum of the file to know whether the ISO file was downloaded without modification. This hashsum file is found in the same directory as the ISO file on the download mirror.

How:

1. Obtain the hashsum file using:

    wget http://ftp.de.debian.org/debian-cd/current/amd64/iso-dvd/SHA512SUMS

2. Calculate a local hashsum from the downloaded ISO file:

    sha512sum debian-8.6.0-amd64-DVD-1.iso

3. Now you need to compare the hashsum with the one in the SHA512SUMS file. Since the SHA512SUMS file contains the hashsums of all files in the same directory, you need to find the right entry first. 'grep' can do this for you:

    grep debian-8.6.0-amd64-DVD-1.iso SHA512SUMS

4. Both commands executed one after the other should show the following output:

    $ sha512sum debian-8.6.0-amd64-DVD-1.iso
    c3883edfc95e3b09152d46ce29a032eed1de71531549aee86bb98dab1528088a16f0b4d628aee8ac6cc420364e208d3d5e19d0dea3576f53b904c18e8f604d8c debian-8.6.0-amd64-DVD-1.iso
    $ grep debian-8.6.0-amd64-DVD-1.iso SHA512SUMS
    c3883edfc95e3b09152d46ce29a032eed1de71531549aee86bb98dab1528088a16f0b4d628aee8ac6cc420364e208d3d5e19d0dea3576f53b904c18e8f604d8c debian-8.6.0-amd64-DVD-1.iso

Note: As you can see, the hashsum found in the SHA512SUMS file matches the hashsum generated locally with the sha512sum command. But we do not stop here, because the ISO file and the SHA512SUMS file could both still be modified versions, so we need GPG signatures.
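The hash comparison of steps 2 to 4 above, as an added example that is not part of the original article: a small POSIX shell script that looks up the entry for exactly the downloaded file name in a SHA512SUMS-style list (instead of an unanchored grep, whose '.' characters are regex wildcards and can match other names) and compares it with the locally computed sha512sum, returning a non-zero status on mismatch or on a missing entry. The file names, file contents and the SHA512SUMS list are constructed stand-ins for the real ISO and the mirror's file; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): verify a downloaded file
# against a SHA512SUMS-style list the way steps 2-4 above do, but with an
# exact filename match and a non-zero exit when the hash differs.
# Needs only sha512sum, awk and a POSIX shell.

# expected_hash <file-name> <SHA512SUMS-file>
# Print the hash listed for exactly this file name (empty if absent).
# Entries look like "<hash>  <name>" or "<hash> *<name>" (binary mode).
expected_hash() {
    awk -v want="$1" '
        NF >= 2 {
            name = $2
            sub(/^\*/, "", name)          # strip the binary-mode marker
            if (name == want) { print $1; exit }
        }' "$2"
}

# local_hash <path>: the sha512 of the file as actually downloaded.
local_hash() {
    sha512sum "$1" | awk '{ print $1 }'
}

# verify_hash <path> <SHA512SUMS-file>
# Returns 0 only when the listed and computed hashes are identical,
# 1 on a mismatch and 2 when the list has no entry for the file.
verify_hash() {
    iso="$1"; sums="$2"
    name=$(basename "$iso")
    want=$(expected_hash "$name" "$sums")
    if [ -z "$want" ]; then
        echo "no entry for $name in $sums" >&2
        return 2
    fi
    have=$(local_hash "$iso")
    if [ "$have" = "$want" ]; then
        echo "OK: $name"
        return 0
    fi
    echo "MISMATCH: $name" >&2
    echo "  listed:   $want" >&2
    echo "  computed: $have" >&2
    return 1
}

# --- constructed demo data (stand-ins for the real ISO and SHA512SUMS) ---
DEMO=$(mktemp -d)
printf 'pretend this is an ISO image\n' > "$DEMO/demo-amd64-DVD-1.iso"
{
    # an unrelated entry, followed by the correct one for our file
    printf '%s  other-file.iso\n' "$(printf 'x' | sha512sum | awk '{ print $1 }')"
    printf '%s  demo-amd64-DVD-1.iso\n' "$(local_hash "$DEMO/demo-amd64-DVD-1.iso")"
} > "$DEMO/SHA512SUMS"

# A tampered copy with the same name, as a mirror serving a changed image would.
mkdir "$DEMO/tampered"
printf 'pretend this is a modified ISO image\n' > "$DEMO/tampered/demo-amd64-DVD-1.iso"

# Each demo_* function returns the verify_hash status for one case.
demo_good()    { verify_hash "$DEMO/demo-amd64-DVD-1.iso" "$DEMO/SHA512SUMS"; }
demo_bad()     { verify_hash "$DEMO/tampered/demo-amd64-DVD-1.iso" "$DEMO/SHA512SUMS"; }
demo_missing() { verify_hash "$DEMO/not-listed.iso" "$DEMO/SHA512SUMS"; }

demo_good            # prints "OK: demo-amd64-DVD-1.iso"
demo_bad || true     # prints the MISMATCH lines on stderr
```

This only detects a corrupted download or an image that no longer matches the list it came with; it cannot tell whether the SHA512SUMS list itself was replaced, which is exactly why the article goes on to check the GPG signature on that list in the next steps.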

3. Download the GPG signature file

- It usually has the file extension ".sign", but it can also be ".asc". Download the signature file using wget:

    wget http://ftp.de.debian.org/debian-cd/current/amd64/iso-dvd/SHA512SUMS.sign

4. After downloading it, we need to obtain the GPG key of the signer

- Letting gpg verify the signature will fail at this point, as we don't have the public key of the signer:

    $ gpg --verify SHA512SUMS.sign
    gpg: assuming signed data in 'SHA512SUMS'
    gpg: Signature made Mon 19 Sep 2016 12:23:47 AM HKT
    gpg: using RSA key DA87E80D6294BE9B
    gpg: Can't check signature: No public key

Downloading a key is trivial with gpg, but more importantly we need to verify that this key (DA87E80D6294BE9B) is trustworthy, as it could just as well belong to a man-in-the-middle.

Here you can find the GPG fingerprints of the official signing keys used by Debian. The ending of the "Key fingerprint" line (its last 16 hex digits) should match the key ID DA87E80D6294BE9B that gpg reported for the signature above.
