The basic idea for downloading the Debian installation image in a secure way is this:
- Download the Debian public key from keyring.debian.org.
- Using that key, you verify the signature of the checksum file of the ISO image.
- With the checksum file, you check the downloaded ISO image to see whether it is the original file and has not been changed or tampered with.
Here are the steps to take:
0. Most important: Make sure to follow this procedure on a computer that is secure and that you fully trust. Otherwise all of the following steps are pretty much useless.
1. Download the Debian public key:
gpg --keyserver hkp://keyring.debian.org --recv-keys 6294BE9B
Make sure the key has really been imported into your public gpg keyring:
gpg --fingerprint -k
The "--fingerprint" option shows the fingerprint of the key you just imported. Compare it with the fingerprint on the official Debian website: https://www.debian.org/CD/verify
Make sure to double-check the SSL certificate of that website in your browser.
2. Download the checksum file for the ISO image and the corresponding signature file:
Check the validity of the checksum file:
gpg --verify SHA512SUMS.sign
3. Check the validity of the downloaded ISO image file:
sha512sum -c SHA512SUMS
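As an added example (not part of the original page), the three checks above written as strict shell functions, so that a good signature from the wrong key or a missing SHA512SUMS entry is caught rather than waved through. It assumes GNU coreutils and gpg; the file names and checksum data in the self-check are constructed.

```shell
#!/bin/sh
# Added helper functions for the three checks above (not from the original page).
# Assumes GNU coreutils (sha512sum, awk) and gpg; run from the download directory.

# Step 1: compare the fingerprint gpg printed with the one on the Debian website.
# Spacing and case are normalised, and a full 40-hex-digit fingerprint is required,
# so the 8-digit key ID alone (6294BE9B) can never count as a match.
fingerprint_matches() {   # $1 = expected fingerprint  $2 = fingerprint shown by gpg
    want=$(printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F')
    have=$(printf '%s' "$2" | tr -d ' \t' | tr 'a-f' 'A-F')
    [ "${#want}" -eq 40 ] && [ "$want" = "$have" ]
}

# Step 2: verify SHA512SUMS.sign, but also insist on WHICH key signed it.
# "gpg --verify" exits 0 for a good signature from any key in the keyring, so the
# VALIDSIG status line (signing key or primary key) is checked against the expected fingerprint.
signed_by_expected_key() {   # $1 = .sign file  $2 = signed file  $3 = expected fingerprint
    fpr=$(printf '%s' "$3" | tr -d ' \t' | tr 'a-f' 'A-F')
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        awk -v fpr="$fpr" '$1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == fpr || $NF == fpr) { ok = 1 }
                           END { exit !ok }'
}

# Step 3: check one ISO against SHA512SUMS. Only the matching line is fed to
# sha512sum, so the other images listed there (never downloaded) do not produce
# "No such file" noise, and an ISO that is absent from the list fails instead of passing.
iso_matches_sums() {   # $1 = SHA512SUMS  $2 = ISO file name
    awk -v f="$2" '$2 == f || $2 == ("*" f)' "$1" | sha512sum -c --quiet - >/dev/null 2>&1
}

# Offline self-check on constructed data: a fake "ISO" plus a SHA512SUMS that
# also lists an image we never downloaded. Runs in a scratch directory (subshell).
demo() (
    dir=$(mktemp -d) && cd "$dir" || exit 1
    printf 'not really an iso\n' > debian-example-netinst.iso          # constructed
    { printf '%0128d  debian-example-DVD-1.iso\n' 0                     # constructed, not downloaded
      sha512sum debian-example-netinst.iso; } > SHA512SUMS
    iso_matches_sums SHA512SUMS debian-example-netinst.iso || exit 1   # intact: passes
    printf 'x' >> debian-example-netinst.iso                            # tamper with one byte
    iso_matches_sums SHA512SUMS debian-example-netinst.iso && exit 1   # tampered: must fail
    cd / && rm -rf "$dir"
)
```

For a real download, call `signed_by_expected_key SHA512SUMS.sign SHA512SUMS "<fingerprint from debian.org>"` and then `iso_matches_sums SHA512SUMS <iso file>` from the directory holding all three files.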