How To Verify Debian's ARM Installer Images

Posted on February 2, 2023
Tags: debian, madeof:bits

Thanks to Vagrant on the debian-arm mailing list I’ve found that there is a chain of verifiability for the images usually used to install Debian on ARM devices.

It’s not trivial, so I’m writing it down for future reference, for when I need it again.

  1. Download the images from https://ftp.debian.org/debian/dists/bullseye/main/installer-armhf/current/images/ (choose either hd-media or netboot, then SD-card-images and download the firmware.* file for your board as well as partition.img.gz).

  2. Download the checksums file https://ftp.debian.org/debian/dists/bullseye/main/installer-armhf/current/images/SHA256SUMS

  3. Download the Release file from https://ftp.debian.org/debian/dists/bullseye/ ; for convenience the InRelease

  4. Verify the Release file:

    gpg --no-default-keyring \
        --keyring /usr/share/keyrings/debian-archive-bullseye-stable.gpg \
        --verify InRelease

  5. Verify the checksums file:

    awk '/installer-armhf\/current\/images\/SHA256SUMS/ {print $1 "  SHA256SUMS"}' InRelease | tail -n 1 | sha256sum -c

    (I know, I probably can use awk instead of that tail, but it’s getting late and I want to publish this).

  6. Verify the actual files, for hd-media:

    # sha256sum reports missing files on stderr and as "FAILED open or read" on stdout
    grep hd-media SHA256SUMS \
    | sed 's#hd-media/SD-card-images/##' \
    | sha256sum -c 2> /dev/null \
    | grep -v "FAILED open or read"

    and for netboot:

    # same filtering as above: hide the entries for files that were not downloaded
    grep netboot SHA256SUMS \
    | sed 's#netboot/SD-card-images/##' \
    | sha256sum -c 2> /dev/null \
    | grep -v "FAILED open or read"

    and check that every file you wanted is listed with an OK; of course, replace hd-media with netboot as needed.
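Steps 5 and 6 can also be written as shell functions that keep the exit status of sha256sum and read only the SHA256 section of the Release file. This is an added example, not part of the original post; the function names are made up for illustration and it assumes GNU coreutils.

```sh
#!/bin/sh
# Added example, not from the original post. Function names are made up.
# Assumes GNU coreutils (sha256sum --ignore-missing) and a POSIX awk.

# Print the SHA256 that Release/InRelease file $1 records for path $2.
# Only the "SHA256:" section is read, so the MD5Sum (or any other)
# entry for the same path is never picked up and no `tail` is needed.
release_sha256() {
    awk -v entry="$2" '
        /^SHA256:/ { in_sec = 1; next }  # start of the SHA256 section
        /^[^ ]/    { in_sec = 0 }        # next unindented line ends it
        in_sec && $3 == entry { print $1; found = 1 }
        END { exit !found }              # fail if the path is not listed
    ' "$1"
}

# Step 5: check local file $3 (default: basename of $2) against the
# hash recorded for path $2 in Release file $1.
verify_against_release() {
    file=${3:-$(basename "$2")}
    sum=$(release_sha256 "$1" "$2") || {
        echo "no SHA256 entry for $2 in $1" >&2
        return 2
    }
    printf '%s  %s\n' "$sum" "$file" | sha256sum -c
}

# Step 6: check the images present in the current directory.
# $1 = SHA256SUMS, $2 = hd-media or netboot. --ignore-missing skips
# boards you did not download, but still fails if a present file
# mismatches or if nothing at all was verified.
verify_images() {
    grep "$2/SD-card-images/" "$1" \
    | sed "s#$2/SD-card-images/##" \
    | sha256sum -c --ignore-missing
}

# Usage, after the gpg check of InRelease from step 4 has succeeded:
#   verify_against_release InRelease \
#       main/installer-armhf/current/images/SHA256SUMS &&
#   verify_images SHA256SUMS hd-media
```

gpg --verify checks the signature, but these functions read the file as it is on disk; writing the signed text out with gpg's `--output FILE --decrypt` and passing that file as the first argument makes them parse only what the signature covers.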

And I fully agree that fewer steps would be nice, but this is definitely better than nothing!