How to verify OpenPGP signatures

Table of Contents

• Summary
• How to verify using bmaptool
• How to verify PGP signature manually
• Package repository signature

Summary

The images as well as the apt repository are signed by a OpenPGP subkey of the following primary key:

F83356BBE112B7462A41552F7D5D8C60CF4D3EB4 josch@debian.org

This key is part of the keyring shipped by the debian-keyring package 2023.07.22 or later in /usr/share/keyrings/debian-keyring.gpg.

The signature URL can be obtained by appending .sig to the download URL of the disk image and verified using the steps below. The signature URL can also be obtained from the row “PGP signature” in the download table on each page. Additionally, images are signed indirectly via a signature of the associated bmap file. The latter method allows automatic verification while flashing while the former requires to first download the full image before flashing it.

How to verify using bmaptool

Images are also signed indirectly through a signature of the bmap file containing SHA256 checksums for each populated range of data in the image file. Verification of the signature of the bmap file happens automatically when flashing the image using bmaptool. The utility downloads the bmap file and its associated signature and verifies it automatically. To make sure that the PGP verification utility used by bmaptool knows about the key that the bmap file is signed with, you can supply --keyring /usr/share/keyrings/debian-keyring.gpg. To make sure that the signature is not from anybody in the Debian keyring but from the expected maintainer you can also supply --fingerprint 3AC6EB840FA5CE3FF31BAD80EF93221F8A44FEB2.

How to verify PGP signature manually

In addition to the image itself, also download its PGP signature (links at the top of this page) and then run either of the following commands, depending on whether you prefer using sequoia, GnuPG or any Stateless OpenPGP implementation (replace $SOP with your SOP executable sqop, rsop, gosop, …).

sqv --keyring /usr/share/keyrings/debian-keyring.gpg reform-system-any.img.xz.sig reform-system-any.img.xz
gpgv --keyring /usr/share/keyrings/debian-keyring.gpg reform-system-any.img.xz.sig reform-system-any.img.xz
gpgv-sq --keyring /usr/share/keyrings/debian-keyring.gpg reform-system-any.img.xz.sig reform-system-any.img.xz
$SOP verify reform-system-any.img.xz.sig /usr/share/keyrings/debian-keyring.gpg < reform-system-any.img.xz

Package repository signature

To extract the key from the keyring shipped by the debian-keyring package 2023.07.22 or later in /usr/share/keyrings/debian-keyring.gpg you can run:

gpg --no-options --no-default-keyring --export --armour \
  --keyring /usr/share/keyrings/debian-keyring.gpg \
  --export-options export-minimal,export-clean \
  --export-filter keep-uid="uid = Johannes Schauer Marin Rodrigues <josch@debian.org>" \
  --export-filter drop-subkey="fpr <> 3AC6EB840FA5CE3FF31BAD80EF93221F8A44FEB2" \
  F83356BBE112B7462A41552F7D5D8C60CF4D3EB4

Depending on which method you chose to set up your apt sources, this key should either:

• Method A (extrepo): the key is referenced by /etc/apt/sources.list.d/extrepo_reform.debian.net.sources and likely stored in /var/lib/extrepo/keys/reform.debian.net.asc
• Method B (deb822): the key is stored in the Signed-By field in /etc/apt/sources.list.d/reform_trixie.sources
• Method C (one-line): the key is referenced by the signed-by option and stored in a location of your choosing (like /etc/apt/keyrings/reform.debian.net.asc)

For any issues with this website, contact Johannes Schauer Marin Rodrigues via josch@debian.org or open an issue.

While Johannes Schauer Marin Rodrigues is a Debian Developer as well as a contributor on source.mnt.re, the content provided here is neither an official Debian project nor is it an official resource by MNT Research.

Hosting is kindly provided by the debian.net team.

Source code: this website | script that builds the SD-card images | script that builds the Debian Installer image | script that builds the patched Debian packages