*************************************** Verifying Debian Arm Installer Images *************************************** Most ARM SBCs aren't able to boot the plain debian installer images, so they require a custom per-board concatenateable image, and these don't have a convenient ``SHA256SUM`` + ``SHA256SUM.sign`` file to verify them. There is however a chain of verifiability (to the keys distributed in the debian-archive-keyring package), and this is the non-trivial procedure to verify them. 1. Download the images from https://ftp.debian.org/debian/dists/trixie/main/installer-armhf/current/images/ (choose either hd-media or netboot, then SD-card-images and download the ``firmware.*`` file for your board as well as ``partition.img.gz``). 2. Download the checksums file https://ftp.debian.org/debian/dists/trixie/main/installer-armhf/current/images/SHA256SUMS 3. Download the Release file from https://ftp.debian.org/debian/dists/trixie/InRelease 4. Verify the Release file:: gpg --no-default-keyring \ --keyring /usr/share/keyrings/debian-archive-keyring.pgp \ --verify InRelease 5. Verify the checksums file:: awk '/installer-armhf\/current\/images\/SHA256SUMS/ {print $1 " SHA256SUMS"}' InRelease | tail -n 1 | sha256sum -c (There is probably a way to skip the tail command and use just awk) 6. Verify the actual files, for ``hd-media``:: grep hd-media SHA256SUMS \ | sed 's#hd-media/SD-card-images/##' \ | sha256sum -c --ignore-missing and for ``netboot``:: grep netboot SHA256SUMS \ | sed 's#netboot/SD-card-images/##' \ | sha256sum -c --ignore-missing and check that all of the files you wanted are there with an OK The same procedure can be used to verify arm64 images by changing armhf to arm64 everywhere. See also ======== * `Vagrant on the debian-arm mailing list `_ * `My blog post where I wrote these instructions the first time `_ .. vim: set filetype=rst: