Confusing, isn't it!?
It's as clear as mud.
Using this page as an example"
https://cdimage.debian.org/debian-cd/cu ... 4/iso-dvd/
You can get the 2 files by right clicking the link and choosing save as...
or I use wget from a terminal opened in the directory where the *.iso and check files are stored together.
Code:
wget https://cdimage.debian.org/debian-cd/current/amd64/iso-dvd/SHA256SUMSCode:
wget https://cdimage.debian.org/debian-cd/current/amd64/iso-dvd/SHA256SUMS.signIf needed:
Code:
sudo apt install wgetThen:
Code:
gpg --verify SHA256SUMS.sign SHA256SUMSIF they verify AND you have the key on your system, the responce will look like this:
gpg --verify SHA256SUMS.sign SHA256SUMS
gpg: Signature made Sat 10 Jan 2026 04:07:31 PM EST
gpg: using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
gpg: Good signature from "Debian CD signing key debian-cd@lists.debian.org" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B
This is what you want:
gpg: Good signature from "Debian CD signing key debian-cd@lists.debian.org"
And you can ignore the warning, it's normal:
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
IF you do not have the key on your system the responce will look like this:
gpg: directory '/home/mysystem/.gnupg' created
gpg: keybox '/home/mysystem/.gnupg/pubring.kbx' created
gpg: Signature made Sat 10 Jan 2026 04:07:31 PM EST
gpg: using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
gpg: Can't check signature: No public key
One way to get the key is by using the last 8 characters of the RSA key:
6294BE9B
In a terminal:
Code:
gpg --keyserver keyring.debian.org --recv 6294BE9BAdditional resources:
https://www.debian.org/CD/verify
https://www.cyberciti.biz/faq/verify-do ... using-gpg/
https://linuxconfig.org/how-to-verify-a ... iso-images
The rest of the story:
For the above and following you want the ISO, SHA256SUMS.sign and SHA256SUMS file in the same directory/folder and enter commands in a terminal opened in that same folder.
This part you said you already got, but to complete the process:
Code:
sha256sum --check --ignore-missing SHA256SUMSStatistics: Posted by MintMagoo — 2026-01-28 04:10