Hi all,
Hopefully this is the correct list to report this, if not, I'd
appreciate it if you could point me in the right direction.
There seem to be problems with the PGP signatures for the
debian-installer ISO images including non-free firmware hosted here:
http://cdimage.debian.org/cdimage/unofficial/non-free/cd-including-firmware/
Some of the images, such as wheezy_di_rc1, have no signatures (no .sign
files present). Others, such as the "current" images dated
2013-02-23/2013-02-24, seem to have an invalid signature (I am
verifying against keys in the debian-keyring 2012.11.15 package from
wheezy):
david@spongebob:~/Downloads$ gpg2 -v
--keyring /usr/share/keyrings/debian-role-keys.gpg -v SHA256SUMS.sign
gpg: armor: BEGIN PGP SIGNATURE Version: GnuPG v1.4.12 (GNU/Linux)
:signature packet: algo 1, keyid DA87E80D6294BE9B
version 4, created 1361115854, md5len 0, sigclass 0x00
digest algo 8, begin of digest 69 3e
hashed subpkt 2 len 4 (sig created 2013-02-17)
subpkt 16 len 8 (issuer key ID DA87E80D6294BE9B)
data: [4096 bits]
gpg: armor header:
gpg: assuming signed data in `SHA256SUMS'
gpg: Signature made sun 17.feb 2013, 15:44:14 GMT using RSA key ID
6294BE9B gpg: using PGP trust model
gpg: key 372523E0: accepted as trusted key
gpg: BAD signature from "Debian CD signing key
<debian-cd@lists.debian.org>" gpg: binary signature, digest algorithm
SHA256
For now, I'll hold off on installing these images, but it would be
great to get this fixed, as I have some hardware that requires
a firmware blob for the ethernet card.
PS: I'm not subscribed to the list, so in case you need more
information, please contact me directly.
Best regards,
Davíð Steinn Geirsson
david@dsg.is
Attachment:
signature.asc
Description: PGP signature