How to verify OpenPGP signatures
Table of Contents
- Summary
- How to verify using bmaptool
- How to verify PGP signature manually
- Package repository signature
Summary
The images as well as the apt repository are signed by an OpenPGP subkey of the following primary key:
F83356BBE112B7462A41552F7D5D8C60CF4D3EB4 josch@debian.org
This key is part of the keyring shipped by the debian-keyring package 2023.07.22 or later in /usr/share/keyrings/debian-keyring.gpg.
The signature URL can be obtained by appending .sig to the download URL of the disk image and verified using the steps below. The signature URL can also be obtained from the row “PGP signature” in the download table on each page. Additionally, images are signed indirectly via a signature of the associated bmap file. The latter method allows automatic verification while flashing, while the former requires downloading the full image before flashing it.
How to verify using bmaptool
Images are also signed indirectly through a signature of the bmap file, which contains SHA256 checksums for each populated range of data in the image file. Verification of the signature of the bmap file happens automatically when flashing the image using bmaptool. The utility downloads the bmap file and its associated signature and verifies it automatically. To make sure that the PGP verification utility used by bmaptool knows about the key that the bmap file is signed with, you can supply --keyring /usr/share/keyrings/debian-keyring.gpg. To make sure that the signature is not from just anybody in the Debian keyring but from the expected maintainer, you can also supply --fingerprint 3AC6EB840FA5CE3FF31BAD80EF93221F8A44FEB2.
How to verify PGP signature manually
In addition to the image itself, also download its PGP signature (links at the top of this page) and then run either of the following commands, depending on whether you prefer using Sequoia, GnuPG or any Stateless OpenPGP implementation (replace $SOP with your SOP executable: sqop, rsop, gosop, …).
sqv --keyring /usr/share/keyrings/debian-keyring.gpg reform-system-any.img.xz.sig reform-system-any.img.xz
gpgv --keyring /usr/share/keyrings/debian-keyring.gpg reform-system-any.img.xz.sig reform-system-any.img.xz
gpgv-sq --keyring /usr/share/keyrings/debian-keyring.gpg reform-system-any.img.xz.sig reform-system-any.img.xz
$SOP verify reform-system-any.img.xz.sig /usr/share/keyrings/debian-keyring.gpg < reform-system-any.img.xz
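The commands above perform the cryptographic verification, but a keyring such as debian-keyring.gpg holds many keys, and a valid signature from any of them would pass; that is why the bmaptool section also asks for --fingerprint. The following Python script is an added example, not code from the page or from the Debian Reform project: it parses the binary detached .sig as OpenPGP packets, pulls the issuer fingerprint out of the hashed subpacket area of each v4 signature packet, and only reports success when every signature names the expected signing subkey 3AC6EB840FA5CE3FF31BAD80EF93221F8A44FEB2. The sample signature it builds for itself is constructed (its MPIs are placeholders, so it parses but would never verify); the function and constant names are the example's own. It complements sqv/gpgv, it does not replace them.

```python
import struct

# Signing subkey fingerprint as given on the page (the primary key is
# F83356BBE112B7462A41552F7D5D8C60CF4D3EB4).
EXPECTED_SIGNING_SUBKEY = "3AC6EB840FA5CE3FF31BAD80EF93221F8A44FEB2"

SIG_PACKET_TAG = 2        # RFC 4880 packet tag for a signature packet
SUBPKT_CREATION_TIME = 2  # signature subpacket types used below
SUBPKT_ISSUER_KEYID = 16
SUBPKT_ISSUER_FPR = 33


def _packet_header(data: bytes, off: int):
    """Return (tag, body_offset, body_length) for the packet starting at off."""
    first = data[off]
    if not first & 0x80:
        raise ValueError("byte 0x%02x is not a packet header (ASCII-armored file?)" % first)
    if first & 0x40:  # new-format header (e.g. Sequoia output)
        tag, ln = first & 0x3F, data[off + 1]
        if ln < 192:
            return tag, off + 2, ln
        if ln < 224:
            return tag, off + 3, ((ln - 192) << 8) + data[off + 2] + 192
        if ln == 255:
            return tag, off + 6, struct.unpack(">I", data[off + 2:off + 6])[0]
        raise ValueError("partial body lengths are not handled in this example")
    tag, ltype = (first >> 2) & 0x0F, first & 0x03  # old-format header (e.g. GnuPG output)
    if ltype == 0:
        return tag, off + 2, data[off + 1]
    if ltype == 1:
        return tag, off + 3, struct.unpack(">H", data[off + 1:off + 3])[0]
    if ltype == 2:
        return tag, off + 5, struct.unpack(">I", data[off + 1:off + 5])[0]
    raise ValueError("indeterminate packet length is not handled in this example")


def _subpackets(buf: bytes):
    """Yield (type, value) pairs from a signature subpacket area."""
    off = 0
    while off < len(buf):
        ln = buf[off]
        if ln < 192:
            off += 1
        elif ln < 255:
            ln, off = ((ln - 192) << 8) + buf[off + 1] + 192, off + 2
        else:
            ln, off = struct.unpack(">I", buf[off + 1:off + 5])[0], off + 5
        yield buf[off] & 0x7F, bytes(buf[off + 1:off + ln])  # bit 7 is the "critical" flag
        off += ln


def signature_issuers(sig: bytes):
    """Collect issuer fingerprints (hashed area only) and 64-bit key IDs (any
    area) from every v4 signature packet in sig, as uppercase hex strings."""
    fprs, keyids, off = [], [], 0
    while off < len(sig):
        tag, start, ln = _packet_header(sig, off)
        body, off = sig[start:start + ln], start + ln
        if tag != SIG_PACKET_TAG:
            continue
        if body[0] != 4:
            raise ValueError("only v4 signatures are handled in this example")
        hashed_len = struct.unpack(">H", body[4:6])[0]
        hashed = body[6:6 + hashed_len]
        unhashed_len = struct.unpack(">H", body[6 + hashed_len:8 + hashed_len])[0]
        unhashed = body[8 + hashed_len:8 + hashed_len + unhashed_len]
        # Only the hashed area is covered by the signature itself, so the
        # issuer fingerprint is taken from there; the unhashed key ID is advisory.
        for t, val in _subpackets(hashed):
            if t == SUBPKT_ISSUER_FPR and len(val) == 21 and val[0] == 4:
                fprs.append(val[1:].hex().upper())
        for area in (hashed, unhashed):
            for t, val in _subpackets(area):
                if t == SUBPKT_ISSUER_KEYID and len(val) == 8:
                    keyids.append(val.hex().upper())
    return fprs, keyids


def signed_by_expected_key(sig: bytes, expected: str = EXPECTED_SIGNING_SUBKEY) -> bool:
    """True only if every signature packet names the expected subkey."""
    expected = expected.upper()
    fprs, keyids = signature_issuers(sig)
    if fprs:
        return all(f == expected for f in fprs)
    # Fall back to the 64-bit key ID only when no fingerprint is present
    # (weaker: key IDs are short enough to be collided deliberately).
    return bool(keyids) and all(k == expected[-16:] for k in keyids)


def build_sample_signature(fpr_hex: str, old_header: bool = False) -> bytes:
    """Constructed v4 signature packet naming fpr_hex as issuer. The MPIs are
    placeholders, so the result parses but is not a valid signature."""
    fpr = bytes.fromhex(fpr_hex)
    hashed = bytes([22, SUBPKT_ISSUER_FPR, 4]) + fpr
    hashed += bytes([5, SUBPKT_CREATION_TIME]) + struct.pack(">I", 1700000000)
    unhashed = bytes([9, SUBPKT_ISSUER_KEYID]) + fpr[-8:]
    body = (bytes([4, 0x00, 22, 8])                 # v4, binary document, EdDSA, SHA-256
            + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed
            + b"\xAB\xCD"                           # left 16 bits of the hash
            + b"\x00\x08\x01" * 2)                  # two placeholder MPIs
    header = bytes([0x80 | (SIG_PACKET_TAG << 2)]) if old_header else bytes([0xC0 | SIG_PACKET_TAG])
    return header + bytes([len(body)]) + body


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_signature(EXPECTED_SIGNING_SUBKEY)
    print(signature_issuers(data), "expected key:", signed_by_expected_key(data))
```

Run it as `python3 check_issuer.py reform-system-any.img.xz.sig` after the sqv/gpgv step, and treat a False result as a failed download. An equivalent pinning without any parsing is to pass sqv or gpgv a keyring that contains only the maintainer's key, which is exactly what the gpg export command in the “Package repository signature” section below produces.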
Package repository signature
To extract the key from the keyring shipped by the debian-keyring package 2023.07.22 or later in /usr/share/keyrings/debian-keyring.gpg you can run:
gpg --no-options --no-default-keyring --export --armour \
--keyring /usr/share/keyrings/debian-keyring.gpg \
--export-options export-minimal,export-clean \
--export-filter keep-uid="uid = Johannes Schauer Marin Rodrigues <josch@debian.org>" \
--export-filter drop-subkey="fpr <> 3AC6EB840FA5CE3FF31BAD80EF93221F8A44FEB2" \
F83356BBE112B7462A41552F7D5D8C60CF4D3EB4
Depending on which method you chose to set up your apt sources, this key should be in one of the following places:
- Method A (extrepo): the key is referenced by /etc/apt/sources.list.d/extrepo_reform.debian.net.sources and likely stored in /var/lib/extrepo/keys/reform.debian.net.asc
- Method B (deb822): the key is stored in the Signed-By field in /etc/apt/sources.list.d/reform_trixie.sources
- Method C (one-line): the key is referenced by the signed-by option and stored in a location of your choosing (like /etc/apt/keyrings/reform.debian.net.asc)
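To check which of these layouts a machine actually uses for methods A and B, a script can parse the deb822 .sources file and inspect its Signed-By field. The following Python parser is an added example and not code from the page or from the Debian Reform project: it handles deb822 continuation lines, including the convention that a continuation line holding a lone “.” stands for the blank line inside an inline armored key, classifies Signed-By as a key file path or an inline key, and flags stanzas that pin no key at all (for those, apt falls back to the keys in its general trusted keyrings). The two stanzas it reads are constructed; the repository URI in them is a placeholder and the inline key body is not a real key.

```python
# Constructed sample: two deb822 stanzas, one referencing a key file (the
# Method A / extrepo layout) and one carrying the key inline (Method B).
# The URI is a placeholder and the key body is not a real key.
SAMPLE_SOURCES = """\
Types: deb
URIs: https://REPO.EXAMPLE/debian
Suites: trixie
Components: main
Signed-By: /var/lib/extrepo/keys/reform.debian.net.asc

Types: deb
URIs: https://REPO.EXAMPLE/debian
Suites: trixie
Components: main
Signed-By:
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 .
 bm90IGEgcmVhbCBrZXk=
 -----END PGP PUBLIC KEY BLOCK-----
"""


def parse_deb822(text: str):
    """Split deb822 text into stanzas (dicts keyed by lower-cased field name).
    Stanzas are separated by blank lines; continuation lines start with
    whitespace, and a continuation line holding only '.' represents an empty
    line, which is how the blank line of an armored key block is encoded."""
    stanzas, current, last = [], {}, None
    for raw in text.splitlines():
        if raw.strip() == "":
            if current:
                stanzas.append(current)
            current, last = {}, None
            continue
        if raw[0] in " \t":
            if last is None:
                raise ValueError("continuation line without a field: %r" % raw)
            cont = raw.strip()
            current[last] += "\n" + ("" if cont == "." else cont)
            continue
        name, sep, value = raw.partition(":")
        if not sep:
            raise ValueError("malformed field line: %r" % raw)
        last = name.strip().lower()
        current[last] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def signed_by_kind(stanza: dict):
    """Classify the Signed-By field of one stanza as ('inline', key_text),
    ('path', path), ('other', value) or ('none', '')."""
    value = stanza.get("signed-by", "").strip()
    if not value:
        return "none", ""
    if value.startswith("-----BEGIN PGP PUBLIC KEY BLOCK-----"):
        return "inline", value
    if value.startswith("/"):
        return "path", value
    return "other", value


def unsigned_stanzas(text: str):
    """Indices of stanzas that pin no key; apt would then accept any key from
    its general trusted keyrings for that repository."""
    return [i for i, s in enumerate(parse_deb822(text)) if signed_by_kind(s)[0] == "none"]


if __name__ == "__main__":
    for i, stanza in enumerate(parse_deb822(SAMPLE_SOURCES)):
        kind, value = signed_by_kind(stanza)
        print("stanza %d: Signed-By is %s" % (i, kind), "" if kind == "inline" else value)
    print("stanzas without a pinned key:", unsigned_stanzas(SAMPLE_SOURCES))
```

For an inline key, the returned text is the armored block with its blank line restored, so it can be written to a file and compared against the key exported with the gpg command above; for a path, that file is what should be compared.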