Verifying Debian Arm Installer Images

Most ARM SBCs aren’t able to boot the plain Debian installer images, so they require a custom per-board concatenable image, and these don’t have a convenient SHA256SUM + SHA256SUM.sign file to verify them.

There is, however, a chain of verifiability (to the keys distributed in the debian-archive-keyring package), and this is the non-trivial procedure to follow it.

  1. Download the images from https://ftp.debian.org/debian/dists/trixie/main/installer-armhf/current/images/ (choose either hd-media or netboot, then SD-card-images and download the firmware.* file for your board as well as partition.img.gz).

  2. Download the checksums file https://ftp.debian.org/debian/dists/trixie/main/installer-armhf/current/images/SHA256SUMS

  3. Download the Release file from https://ftp.debian.org/debian/dists/trixie/InRelease

  4. Verify the Release file:

    gpg --no-default-keyring \
        --keyring /usr/share/keyrings/debian-archive-keyring.pgp \
        --verify InRelease
    
  5. Verify the checksums file:

    awk '/installer-armhf\/current\/images\/SHA256SUMS/ {print $1 "  SHA256SUMS"}' InRelease \
    | tail -n 1 | sha256sum -c
    

    (There is probably a way to skip the tail command and use just awk)

  6. Verify the actual files, for hd-media:

    grep hd-media SHA256SUMS \
    | sed 's#hd-media/SD-card-images/##' \
    | sha256sum -c --ignore-missing
    

    and for netboot:

    grep netboot SHA256SUMS \
    | sed 's#netboot/SD-card-images/##' \
    | sha256sum -c --ignore-missing
    

    and check that all of the files you wanted are listed with an OK.

The same procedure can be used to verify arm64 images by changing armhf to arm64 everywhere.
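Steps 5 and 6 as one script, as an added example that is not part of the original post: it reads only the `SHA256:` section of the release data (so no `tail` is needed) and fails when a wanted file is not listed instead of skipping it. The function names are hypothetical, and it assumes `Release` holds only the signed text of InRelease, for instance written by `gpg --output Release --decrypt InRelease` with the keyring options from step 4, so that nothing outside the signature is parsed.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the original post.
# Usage: verify_chain RELEASE SUMS FLAVOUR FILE...
#   RELEASE  signed payload extracted from InRelease (assumption, see lead-in)
#   SUMS     the downloaded installer SHA256SUMS
#   FLAVOUR  hd-media or netboot
#   FILE...  downloaded images in the current directory
# Set ARCH=arm64 for arm64 images.

# Print the SHA256 that RELEASE lists for the installer SHA256SUMS. Only the
# "SHA256:" section is read, so no "tail -n 1" is needed to skip MD5Sum.
release_sum() {
    awk -v p="main/installer-${ARCH:-armhf}/current/images/SHA256SUMS" '
        /^[^ ]/ { in_sha = ($1 == "SHA256:") }  # header line starts a section
        in_sha && $3 == p { print $1; exit }' "$1"
}

# Print the SHA256 that SUMS lists for exactly FLAVOUR/SD-card-images/FILE.
listed_sum() {
    awk -v p="$2/SD-card-images/$3" '
        { path = $2; sub(/^\.\//, "", path) }   # entries may start with "./"
        path == p { print $1; exit }' "$1"
}

verify_chain() {
    release=$1; sums=$2; flavour=$3
    shift 3
    want=$(release_sum "$release")
    [ -n "$want" ] || { echo "$release: no SHA256SUMS entry" >&2; return 1; }
    printf '%s  %s\n' "$want" "$sums" | sha256sum -c - || return 1
    for f in "$@"; do
        want=$(listed_sum "$sums" "$flavour" "$f")
        # A file that is not listed fails here instead of being skipped.
        [ -n "$want" ] || { echo "$f: not listed in $sums" >&2; return 1; }
        printf '%s  %s\n' "$want" "$f" | sha256sum -c - || return 1
    done
}
```

Called as `verify_chain Release SHA256SUMS hd-media firmware.<board>.img.gz partition.img.gz`, it returns non-zero at the first link of the chain that does not match.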
