
Re: PGP signature problems with firmware ISO images



david@dsg.is wrote:
>
>Hopefully this is the correct list to report this, if not, I'd
>appreciate it if you could point me in the right direction.

Here's OK; I'm the person who signs things... :-) I've taken a look
directly on the cdimage server at your problem reports.

>There seem to be problems with the PGP signatures for the
>debian-installer ISO images including non-free firmware hosted here:
>http://cdimage.debian.org/cdimage/unofficial/non-free/cd-including-firmware/
>
>Some of the images, such as wheezy_di_rc1, have no signatures (no .sign
>files present).

Gah, apologies for that. It looks like I forgot to put the signatures
in place there. I'll fix that right now.

>Others, such as the "current" images dated
>2013-02-23/2013-02-24, seem to have an invalid signature (I am
>verifying against keys in the debian-keyring 2012.11.15 package from
>wheezy):
>
>david@spongebob:~/Downloads$ gpg2 -v
>--keyring /usr/share/keyrings/debian-role-keys.gpg -v SHA256SUMS.sign
>gpg: armor: BEGIN PGP SIGNATURE Version: GnuPG v1.4.12 (GNU/Linux)
>:signature packet: algo 1, keyid DA87E80D6294BE9B
>        version 4, created 1361115854, md5len 0, sigclass 0x00
>        digest algo 8, begin of digest 69 3e
>        hashed subpkt 2 len 4 (sig created 2013-02-17)
>        subpkt 16 len 8 (issuer key ID DA87E80D6294BE9B)
>        data: [4096 bits]
>gpg: armor header: 
>gpg: assuming signed data in `SHA256SUMS'
>gpg: Signature made sun 17.feb 2013, 15:44:14 GMT using RSA key ID
>6294BE9B gpg: using PGP trust model
>gpg: key 372523E0: accepted as trusted key
>gpg: BAD signature from "Debian CD signing key
><debian-cd@lists.debian.org>" gpg: binary signature, digest algorithm
>SHA256

This I cannot reproduce at all; I've checked all the signatures just
now and they verify OK. I think you've got a mix of files from two
places there: all of the signature files are dated "Feb 24 00:42" but
you've got a file claiming the sig was made "sun 17.feb 2013, 15:44:14
GMT". Checking the timestamps of other .sign files on the server,
that's most likely one from the main wheezy d-i RC1 release as far as
I can tell.

-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
"It's actually quite entertaining to watch ag129 prop his foot up on
 the desk so he can get a better aim."          [ seen in ucam.chat ]
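
Added example, not part of the original message: a sketch of the timestamp comparison described above, reading the creation time and issuer key ID straight out of a detached .sign file and comparing them with the date of the signature files on the server. The sample is constructed from the header values in the quoted gpg -v output with a dummy MPI; the function names, the one-day slack and the year and timezone of "Feb 24 00:42" are assumptions.

```python
import base64, struct
from datetime import datetime, timedelta, timezone

def dearmor(text):
    """Drop armor headers (up to the blank line), the '=' CRC line and the END line."""
    lines = [l.strip() for l in text.strip().splitlines()]
    body = lines[lines.index("") + 1:-1]
    return base64.b64decode("".join(l for l in body if not l.startswith("=")))

def subpackets(area):
    """Yield (type, data) for each subpacket in a hashed or unhashed area."""
    i = 0
    while i < len(area):
        n, i = area[i], i + 1
        if 192 <= n < 255:                       # two-octet length
            n, i = ((n - 192) << 8) + area[i] + 192, i + 1
        elif n == 255:                           # five-octet length
            n, i = struct.unpack(">I", area[i:i + 4])[0], i + 4
        yield area[i] & 0x7F, area[i + 1:i + n]  # mask off the critical bit
        i += n

def sig_info(pkt):
    """Creation time and issuer of a v4 signature packet with an old-format header."""
    body = pkt[1 + (1 << (pkt[0] & 3)):]         # skip tag and 1/2/4-byte length
    if pkt[0] not in (0x88, 0x89, 0x8A) or body[0] != 4:
        raise ValueError("expected an old-format (tag 2) version 4 signature packet")
    hlen = struct.unpack(">H", body[4:6])[0]
    ulen = struct.unpack(">H", body[6 + hlen:8 + hlen])[0]
    areas = body[6:6 + hlen], body[8 + hlen:8 + hlen + ulen]
    info = {}
    for t, d in (sp for a in areas for sp in subpackets(a)):
        if t == 2:     # signature creation time
            info["created"] = datetime.fromtimestamp(struct.unpack(">I", d)[0], timezone.utc)
        elif t == 16:  # issuer key ID
            info["issuer"] = d.hex().upper()
    return info

def from_same_build(info, published, slack=timedelta(days=1)):
    """True if the signature was made within `slack` of the published .sign timestamp."""
    return abs(info["created"] - published) <= slack

def constructed_sample():
    """Constructed .sign text: header values from the gpg -v output, dummy MPI and CRC."""
    hashed = bytes([5, 2]) + struct.pack(">I", 1361115854)
    unhashed = bytes([9, 16]) + bytes.fromhex("DA87E80D6294BE9B")
    body = (bytes([4, 0, 1, 8]) + struct.pack(">H", 6) + hashed + struct.pack(">H", 10)
            + unhashed + bytes.fromhex("693e") + b"\x00\x08\x80")
    b64 = base64.b64encode(b"\x89" + struct.pack(">H", len(body)) + body).decode()
    return "-----BEGIN PGP SIGNATURE-----\n\n" + b64 + "\n=AAAA\n-----END PGP SIGNATURE-----\n"
```

A creation time that falls outside the slack only says the .sign file and the checksum file probably come from different builds; the signature check itself is still gpg's job.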

