Tags: debian, madeof:bits
Thanks to Vagrant on the debian-arm mailing list I’ve found that there is a chain of verifiability for the images usually used to install Debian on ARM devices.
It’s not trivial, so I’m writing it down for future reference when I’ll need it again.
Download the images from https://ftp.debian.org/debian/dists/bullseye/main/installer-armhf/current/images/ (choose either hd-media or netboot, then SD-card-images and download the
firmware.*file for your board as well aspartition.img.gz).Download the checksums file https://ftp.debian.org/debian/dists/bullseye/main/installer-armhf/current/images/SHA256SUMS
Download the Release file from https://ftp.debian.org/debian/dists/bullseye/ ; for convenience the InRelease
Verify the Release file:
gpg --no-default-keyring \ --keyring /usr/share/keyrings/debian-archive-bullseye-stable.gpg \ --verify InReleaseVerify the checksums file:
awk '/installer-armhf\/current\/images\/SHA256SUMS/ {print $1 " SHA256SUMS"}' InRelease | tail -n 1 | sha256sum -c(I know, I probably can use awk instead of that tail, but it’s getting late and I want to publish this).
Verify the actual files, for
hd-media:grep hd-media SHA256SUMS \ | sed 's#hd-media/SD-card-images/##' \ | sha256sum -c \ | grep -v "No such file or directory" \ | grep -v "FAILED open or read" 2> /dev/nulland for
netboot:grep netboot SHA256SUMS \ | sed 's#netboot/SD-card-images/##' \ | sha256sum -c \ | grep -v "No such file or directory" \ | grep -v "FAILED open or read" 2> /dev/nulland check that all of the files you wanted are there with an OK; of course change
hd-mediawithnetbootas needed.
And I fully agree that fewer steps would be nice, but this is definitely better than nothing!