Hi,

On Wed, 20 Mar 2013 17:51:34 +0000 Steve McIntyre <steve@einval.com> wrote:
> david@dsg.is wrote:
> >
> >Hopefully this is the correct list to report this, if not, I'd
> >appreciate it if you could point me in the right direction.
>
> Here's OK; I'm the person who signs things... :-) I've taken a look
> directly on the cdimage server at your problem reports.
>
> >There seem to be problems with the PGP signatures for the
> >debian-installer ISO images including non-free firmware hosted here:
> >http://cdimage.debian.org/cdimage/unofficial/non-free/cd-including-firmware/
> >
> >Some of the images, such as wheezy_di_rc1, have no signatures
> >(no .sign files present).
>
> Gah, apologies for that. It looks like I forgot to put the signatures
> in place there. I'll fix that right now.
>

Thanks.

> >Others, such as the "current" images dated
> >2013-02-23/2013-02-24, seem to have an invalid signature (I am
> >verifying against keys in the debian-keyring 2012.11.15 package from
> >wheezy):
> >
> >david@spongebob:~/Downloads$ gpg2 -v --keyring /usr/share/keyrings/debian-role-keys.gpg -v SHA256SUMS.sign
> >gpg: armor: BEGIN PGP SIGNATURE Version: GnuPG v1.4.12 (GNU/Linux)
> >:signature packet: algo 1, keyid DA87E80D6294BE9B
> >        version 4, created 1361115854, md5len 0, sigclass 0x00
> >        digest algo 8, begin of digest 69 3e
> >        hashed subpkt 2 len 4 (sig created 2013-02-17)
> >        subpkt 16 len 8 (issuer key ID DA87E80D6294BE9B)
> >        data: [4096 bits]
> >gpg: armor header:
> >gpg: assuming signed data in `SHA256SUMS'
> >gpg: Signature made sun 17.feb 2013, 15:44:14 GMT using RSA key ID 6294BE9B
> >gpg: using PGP trust model
> >gpg: key 372523E0: accepted as trusted key
> >gpg: BAD signature from "Debian CD signing key <debian-cd@lists.debian.org>"
> >gpg: binary signature, digest algorithm SHA256
>
> This I cannot reproduce at all; I've checked all the signatures just
> now and they verify OK. I think you've got a mix of files from two
> places there: all of the signature files are dated "Feb 24 00:42" but
> you've got a file claiming the sig was made "sun 17.feb 2013, 15:44:14
> GMT". Checking the timestamps of other .sign files on the server,
> that's most likely one from the main wheezy d-i RC1 release as far as
> I can tell.
>

Yes, I was a bit hasty there, I had an older SHA256SUMS.sign file that I was verifying; wget downloaded the new one to SHA256SUMS.sign.1. Sorry about the false alarm.

Thanks again for the prompt response.

Best regards,
Davíð Steinn Geirsson
david@dsg.is
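The diagnosis in this thread came from reading the metadata that `gpg -v` prints for the signature packet (creation time, issuer key ID) and noticing it did not match the date of the `.sign` files on the server. The following is an added example, not code from the thread or from the debian-cd project: a small Python parser for an ASCII-armored detached signature that extracts those same fields (signature class, public-key and hash algorithm, creation time, issuer key ID, digest prefix, MPI size) and a helper that reports the gap between the embedded creation time and the `.sign` file's mtime. `build_sample_signature` is a constructed, non-verifying packet carrying the thread's metadata (created 1361115854, key ID DA87E80D6294BE9B) with a dummy MPI, so the parser can be exercised offline; it proves nothing about any real signature, and the skew check is a sanity check alongside `gpg --verify`, not a replacement for it.

```python
import base64
import datetime

# Constructed sample values, copied from the gpg -v output quoted in the thread.
SAMPLE_CREATED = 1361115854              # 2013-02-17 15:44:14 GMT
SAMPLE_KEYID = "DA87E80D6294BE9B"
PUBKEY_ALGOS = {1: "RSA", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}
HASH_ALGOS = {2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512"}


def crc24(data):
    """OpenPGP armor checksum (RFC 4880 section 6.1)."""
    crc = 0xB704CE
    for b in data:
        crc ^= b << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def dearmor(text):
    """Strip ASCII armor, check the CRC24 trailer and return the raw packet bytes."""
    lines = [l.strip() for l in text.splitlines()]
    start = lines.index("-----BEGIN PGP SIGNATURE-----") + 1
    end = lines.index("-----END PGP SIGNATURE-----")
    body = [l for l in lines[start:end] if l and ": " not in l]   # drop Version:/Comment: headers
    crc_line = [l for l in body if l.startswith("=")]
    data = base64.b64decode("".join(l for l in body if not l.startswith("=")))
    if crc_line and int.from_bytes(base64.b64decode(crc_line[0][1:]), "big") != crc24(data):
        raise ValueError("armor CRC mismatch: truncated or corrupted .sign file")
    return data


def read_packet(data):
    """Return (tag, body) of the first OpenPGP packet; handles old- and new-format headers."""
    hdr = data[0]
    if not hdr & 0x80:
        raise ValueError("not an OpenPGP packet")
    if hdr & 0x40:                                   # new-format header
        tag, b = hdr & 0x3F, data[1]
        if b < 192:
            length, off = b, 2
        elif b < 224:
            length, off = ((b - 192) << 8) + data[2] + 192, 3
        elif b == 255:
            length, off = int.from_bytes(data[2:6], "big"), 6
        else:
            raise ValueError("partial body lengths not supported")
    else:                                            # old-format header
        tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        n = (1, 2, 4)[ltype]
        length, off = int.from_bytes(data[1:1 + n], "big"), 1 + n
    return tag, data[off:off + length]


def read_subpackets(buf):
    """Split a signature subpacket area into (type, data) pairs."""
    out, i = [], 0
    while i < len(buf):
        b = buf[i]
        if b < 192:
            length, i = b, i + 1
        elif b < 255:
            length, i = ((b - 192) << 8) + buf[i + 1] + 192, i + 2
        else:
            length, i = int.from_bytes(buf[i + 1:i + 5], "big"), i + 5
        out.append((buf[i] & 0x7F, bytes(buf[i + 1:i + length])))  # mask the critical bit
        i += length
    return out


def parse_detached_signature(armored):
    """Extract the metadata gpg -v prints from a version 4 signature packet."""
    tag, body = read_packet(dearmor(armored))
    if tag != 2 or body[0] != 4:
        raise ValueError("expected a version 4 signature packet")
    info = {"sig_class": body[1], "pubkey_algo": body[2], "hash_algo": body[3]}
    hlen = int.from_bytes(body[4:6], "big")
    hashed = read_subpackets(body[6:6 + hlen])
    p = 6 + hlen
    ulen = int.from_bytes(body[p:p + 2], "big")
    unhashed = read_subpackets(body[p + 2:p + 2 + ulen])
    p += 2 + ulen
    info["digest_prefix"] = body[p:p + 2].hex()
    info["mpi_bits"] = int.from_bytes(body[p + 2:p + 4], "big")
    # The creation time is a hashed (signed) subpacket; the issuer ID is usually
    # unhashed, so it is only a lookup hint until gpg verifies against the key itself.
    for sub_type, data in hashed + unhashed:
        if sub_type == 2:
            info["created"] = int.from_bytes(data, "big")
        elif sub_type == 16:
            info["issuer_keyid"] = data.hex().upper()
    return info


def summarize(info):
    """Render the fields the way gpg's 'Signature made ... using RSA key ID' line does."""
    when = datetime.datetime.fromtimestamp(info["created"], datetime.timezone.utc)
    return {
        "created_utc": when.strftime("%Y-%m-%d %H:%M:%S"),
        "short_keyid": info["issuer_keyid"][-8:],
        "pubkey_algo": PUBKEY_ALGOS.get(info["pubkey_algo"], str(info["pubkey_algo"])),
        "hash_algo": HASH_ALGOS.get(info["hash_algo"], str(info["hash_algo"])),
    }


def skew_seconds(info, sign_file_mtime):
    """A .sign file is written when the signature is made, so a gap of days between the
    embedded creation time and the file's mtime means it is not the file you think it is."""
    return abs(sign_file_mtime - info["created"])


def build_sample_signature(created=SAMPLE_CREATED, keyid=SAMPLE_KEYID):
    """Constructed, non-verifying RSA/SHA256 signature packet with the thread's metadata
    and a dummy 4096-bit MPI; it exists only to exercise the parser."""
    hashed = bytes([5, 2]) + created.to_bytes(4, "big")          # subpkt 2: sig created
    unhashed = bytes([9, 16]) + bytes.fromhex(keyid)             # subpkt 16: issuer key ID
    mpi = (4096).to_bytes(2, "big") + b"\x80" + bytes(511)       # dummy 4096-bit value
    body = (bytes([4, 0x00, 1, 8]) + len(hashed).to_bytes(2, "big") + hashed
            + len(unhashed).to_bytes(2, "big") + unhashed + bytes([0x69, 0x3E]) + mpi)
    packet = bytes([0x89]) + len(body).to_bytes(2, "big") + body  # old-format tag 2, 2-byte length
    b64 = base64.b64encode(packet).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc = "=" + base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return "\n".join(["-----BEGIN PGP SIGNATURE-----", "Version: GnuPG v1.4.12 (GNU/Linux)", ""]
                     + lines + [crc, "-----END PGP SIGNATURE-----", ""])


if __name__ == "__main__":
    info = parse_detached_signature(build_sample_signature())
    print(summarize(info))
    # The server's .sign files were dated Feb 24 00:42 UTC (constructed epoch below);
    # a signature made on Feb 17 is six days off, which is the mismatch spotted in the thread.
    print("skew (s):", skew_seconds(info, 1361666520))
```

Run against a real `SHA256SUMS.sign`, `parse_detached_signature(open(path).read())` gives the creation time and issuer ID without needing the key present, and `skew_seconds` with `os.path.getmtime(path)` flags a stale or misnamed download (such as the `.sign.1` case above) before `gpg --verify` reports a confusing BAD signature.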