Verifying a zip file download and the Debian source files:
=========================================================

How to verify the .zip files available at:
https://www.pvv.ntnu.no/~torfer/upload-ausweisapp/

1) Verify a zip file's bit integrity
------------------------------------

After downloading a backport's .zip file and its corresponding .md5sum
file over https, you can verify the .zip file's bit integrity with this
command:

    md5sum -c ausweisapp-2.3.2_bookworm-backport.unofficial_2025-07-12.zip.md5sum

output:

    ausweisapp-2.3.2_bookworm-backport.unofficial_2025-07-12.zip: OK

If you trust PVV's https certificates etc (in the same way you trust most
web servers that use https), then you can be pretty sure that the md5sum
check is OK and that the .zip and the .md5sum files you downloaded actually
were downloaded from PVV's web server.

You would still want to use the Debian tools, though, if you are methodical:

2) Debian apt secure (source and package verification):
------------------------------------------------------

You can use Debian's own tools to verify that the original source is
actually from Debian by downloading it yourself from an official Debian
repository ('apt source ') and then see and investigate which files were
modified to make the backport in the downloaded zip file: see the README
file inside the zip file on how to do that.

In other words, this way you can verify Debian's original source package
and compare this original source with the backported changes, all in the
comfort of your own machine's command line, using trusted tools and
information (if you trust Debian, that is).

That using 'apt source ' etc is sufficient to verify Debian's source
integrity is due to the apt trust system.
You can read about it in the man pages ('man apt-secure') or by pointing
your browser to the Debian Handbook [1]:
https://www.debian.org/doc/manuals/securing-debian-manual/deb-pack-sign.en.html
or to:
https://wiki.debian.org/SecureApt

You can also install the Debian Handbook on your own system with this
command:

    sudo apt install debian-handbook

(1) and (2) should normally suffice to verify a backport's source (the
downloaded zip file's content). But see further below how to verify gpg
signatures if you need more assurance, like if you do not fully trust PVV
and the files their web server distributes, but trust me (the backporter).

Extras:
======

3) Finding old source versions:
------------------------------

If an ausweisapp version mentioned in a backport's README (e.g. version
2.3.1-1) is no longer available in a Debian repository (typically because
it has been replaced by a newer version uploaded to the apt repository by
Debian), you can still get hold of the source:

If you download the AusweisApp source from Debian's official repositories
(command: 'apt source ausweisapp'), you get an ausweisapp2_*.dsc file (e.g.
ausweisapp2_2.3.2-1.dsc). From it you can get the URLs to where AusweisApp's
Debian source is available (along with the release versions), for example
by running 'less ausweisapp2_2.3.2-1.dsc' and looking for the lines that
start with 'Vcs-Browser:' or 'Vcs-Git:', or by extracting these URLs by
running this command:

    awk '$1 ~ /^Vcs-Browser|^Vcs-Git/ {print $2}' ausweisapp2_2.3.2-1.dsc

output:

    https://salsa.debian.org/debian/ausweisapp2
    https://salsa.debian.org/debian/ausweisapp2.git

(I could of course have given you these URLs directly, but I just showed you
how to get them yourself from many of Debian's (free) packages, in the
comfort of your own machine's command line and from a trusted and relevant
source of information.)
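
As an added example (not code from this page or from Debian), the following
shell script generalizes the awk one-liner above: it pulls any named field
out of a .dsc file and prints the Vcs-Browser and Vcs-Git locations, stripping
the optional '-b BRANCH' suffix that Debian Policy allows after the Vcs-Git
URL, so that what you get is just the URL to clone or browse. The .dsc
content it writes for a dry run is a constructed fragment with a made-up
package name (examplepkg) and a fake maintainer, not the real
ausweisapp2_2.3.2-1.dsc; point the script at a real .dsc to use it.

```shell
#!/bin/sh
# Added example, not the page's or Debian's own code: read fields out of a
# Debian .dsc file. Generalizes the awk one-liner on the page: any field by
# name, and Vcs-Git stripped of the optional "-b BRANCH" suffix that Debian
# Policy allows, so the printed value is just the URL.

# dsc_field FILE NAME -> value of the first "NAME: value" line in FILE.
# A .dsc is clearsigned, so the PGP header lines at the top are harmless:
# they never match a "NAME:" first field.
dsc_field() {
  awk -v name="$2:" '$1 == name { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

# dsc_vcs_urls FILE -> one line per Vcs field: "Vcs-Browser URL", "Vcs-Git URL".
dsc_vcs_urls() {
  for field in Vcs-Browser Vcs-Git; do
    value=$(dsc_field "$1" "$field")
    [ -n "$value" ] || continue
    # The URL is the first word; anything after it (e.g. "-b debian/latest",
    # or a path within the repository) is dropped.
    printf '%s %s\n' "$field" "${value%% *}"
  done
}

# make_sample_dsc FILE: write a constructed .dsc fragment (made-up package
# "examplepkg", fake maintainer) in the real field layout, for a dry run.
make_sample_dsc() {
  cat > "$1" <<'EOF'
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 3.0 (quilt)
Source: examplepkg
Binary: examplepkg
Architecture: any
Version: 1.2.3-1
Maintainer: Example Maintainer <maintainer@example.invalid>
Vcs-Browser: https://salsa.debian.org/debian/examplepkg
Vcs-Git: https://salsa.debian.org/debian/examplepkg.git -b debian/latest
Standards-Version: 4.7.0
EOF
}

if [ "$#" -gt 0 ]; then
  # Real use: sh dsc-vcs.sh ausweisapp2_2.3.2-1.dsc
  echo "Version: $(dsc_field "$1" Version)"
  dsc_vcs_urls "$1"
else
  # No argument: demonstrate on the constructed sample.
  sample=$(mktemp)
  make_sample_dsc "$sample"
  echo "Version: $(dsc_field "$sample" Version)"
  dsc_vcs_urls "$sample"
  rm -f "$sample"
fi
```

Printing the Version field next to the URLs tells you which tag or commit to
look for on the Vcs-Browser site when the version has already been replaced
in the apt repository.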
At these URLs you can get any particular release version of Debian's
ausweisapp source files, for example here:
https://salsa.debian.org/debian/ausweisapp2/-/commits/master?ref_type=heads

With this you can do comparisons of source files. However, how you go on
from here is beyond the scope of this text. Just wanted to point out that
there are options available. If you are a beginner, you are probably better
off picking a backport of an ausweisapp version that still is available in
Debian's regular repositories (like 'testing' or 'unstable'; and as already
mentioned, see the .zip file's README how to do this).

4) Verifying the detached gpg signature:
---------------------------------------

You can verify that the .md5sum file is from the backporter (and indirectly
therefore also that the zip file you md5sum-bit-verified above also is from
the backporter): you can ask for my public gpg key and then gpg-verify my
detached gpg signature (the .asc file) of the .md5sum file, with this
command:

    LANG=en_US.UTF-8 LANGUAGE=en gpg --verify ausweisapp-2.3.2_bookworm-backport.unofficial_2025-07-12.zip.md5sum.asc

output:

    gpg: assuming signed data in 'ausweisapp-2.3.2_bookworm-backport.unofficial_2025-07-12.zip.md5sum'
    gpg: Signature made Sat 12 Jul 2025 07:56:50 PM CEST
    gpg: using RSA key XXXXXXXXXYYYYYYYYYYYZZZZZZZZZZZ111111111
    gpg: Good signature from "Some Name " [ultimate]
    ...

For this to work the .md5sum and the .md5sum.asc file must be in the same
folder. (If placed in different folders you must use the proper gpg command
line options.)

If all is well, gpg will say "Good signature from ..." as shown in the gpg
output above. But you will not see an "ultimate" trust in my key, as I have
in my own key.

(Above I have left out my name, RSA key ID and emails from the gpg output
because I don't want automated web crawlers to make automated mischief with
my name and email.
But they are not secrets: you can deduce my email from this page's URL, and
you can send me an email to ask for my public gpg key. Don't hesitate to
ask. Besides, gpg "best practices" also require communication via a
different medium for (a) key meta-information verification and (b) person
identification. Disclosing further meta-information about my gpg key is
useless without this extra communication effort besides www-browsing. So,
if you don't want to do these 2 pieces of extra effort you are better off
just sticking with https and Debian's own apt secure as outlined above,
since then my gpg key is of no use and would only be a cosmetic waste of
time and effort; unless you already gpg-communicate with somebody else who
trusts my key to some degree, which would be very few and therefore an
unlikely scenario, indeed.)

Footnotes:

[1] After you have understood how Debian's "secure apt" works, here are two
    questions for you: How can you verify that the Debian gpg release keys
    are valid and that they and the installation medium actually are from
    Debian? Have you done it yet?
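
As an added, combined example for sections 1 and 4 above (not part of the
original page), here is a POSIX shell script that does both checks in the
order a methodical reader would: it first verifies the detached .asc
signature on the .md5sum file and only then checks the .zip against the
digest. Instead of looking for the English "Good signature" text (the reason
the page sets LANG and LANGUAGE above), it reads GnuPG's machine-readable
--status-fd lines and requires both GOODSIG and VALIDSIG; it also passes the
data file to gpg as a second argument, which is the gpg command line option
the page alludes to for the case where the .md5sum and .asc files are not in
the same folder. A .md5sum file that names a different file than the one you
downloaded is rejected rather than checked blindly. It assumes GnuPG 2.x and
GNU coreutils, that the backporter's public key has already been imported
into your keyring, and the file naming used on the page (ZIP, ZIP.md5sum,
ZIP.md5sum.asc).

```shell
#!/bin/sh
# Added example, not the page's own code: verify a backport download as in
# sections 1 and 4 (gpg signature on the .md5sum file, then md5sum -c on the
# .zip). Assumes GnuPG 2.x, GNU coreutils, the backporter's public key already
# imported, and the page's naming: ZIP, ZIP.md5sum, ZIP.md5sum.asc.

# verify_detached_sig SIGFILE DATAFILE
# Returns 0 only if gpg reports GOODSIG and VALIDSIG for DATAFILE. Using
# --status-fd avoids parsing localized text, and naming DATAFILE explicitly
# works even when the two files live in different folders.
verify_detached_sig() {
  sig=$1
  data=$2
  status=$(gpg --batch --status-fd 1 --verify "$sig" "$data" 2>/dev/null) || return 1
  printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG ' || return 1
  printf '%s\n' "$status" | grep -q '^\[GNUPG:\] VALIDSIG ' || return 1
  # Show which key signed and how far the local keyring trusts it, for the
  # reader to compare with the key obtained out of band (see section 4).
  printf '%s\n' "$status" | awk '
    $2 == "VALIDSIG" { print "signed by fingerprint " $3 }
    $2 ~ /^TRUST_/   { print "key trust: " $2 }'
}

# verify_md5sum_file ZIP MD5SUMFILE
# Returns 0 if MD5SUMFILE contains a digest line for ZIP's basename and the
# digest matches. A .md5sum that names some other file is rejected instead
# of being checked blindly.
verify_md5sum_file() {
  zip=$1
  sumfile=$2
  [ -f "$zip" ] && [ -f "$sumfile" ] || return 1
  zipname=$(basename "$zip")
  # md5sum lines look like "HASH  NAME" (or "HASH *NAME" in binary mode).
  expected=$(awk -v n="$zipname" '{ f = $2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$sumfile")
  [ -n "$expected" ] || return 1
  # Re-issue the check line with the real path, so md5sum -c finds the file
  # wherever it is, and let md5sum do the comparison.
  printf '%s  %s\n' "$expected" "$zip" | md5sum -c >/dev/null 2>&1
}

# verify_backport ZIP: signature check (if a .asc is present), then digest.
verify_backport() {
  zip=$1
  sumfile=$zip.md5sum
  sig=$sumfile.asc
  if [ -f "$sig" ]; then
    verify_detached_sig "$sig" "$sumfile" || { echo "BAD: signature check failed on $sumfile" >&2; return 1; }
  else
    echo "note: no $sig found, checking bit integrity only (section 1)" >&2
  fi
  verify_md5sum_file "$zip" "$sumfile" || { echo "BAD: $zip does not match $sumfile" >&2; return 1; }
  echo "OK: $zip matches $sumfile"
}

if [ "$#" -gt 0 ]; then
  # Real use: sh verify-backport.sh ausweisapp-2.3.2_bookworm-backport.unofficial_2025-07-12.zip
  verify_backport "$1"
fi
```

The script exits non-zero on any failure, so it can be chained before
unpacking the zip. The fingerprint and TRUST_ line it prints are what you
compare against the key you asked the backporter for; a GOODSIG from a key
you never verified out of band is, as the page says, only cosmetic.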