Re: PGP signature problems with firmware ISO images



Hi,

On Wed, 20 Mar 2013 17:51:34 +0000
Steve McIntyre <steve@einval.com> wrote:

> david@dsg.is wrote:
> >
> >Hopefully this is the correct list to report this, if not, I'd
> >appreciate it if you could point me in the right direction.
> 
> Here's OK; I'm the person who signs things... :-) I've taken a look
> directly on the cdimage server at your problem reports.
> 
> >There seem to be problems with the PGP signatures for the
> >debian-installer ISO images including non-free firmware hosted here:
> >http://cdimage.debian.org/cdimage/unofficial/non-free/cd-including-firmware/
> >
> >Some of the images, such as wheezy_di_rc1, have no signatures
> >(no .sign files present).
> 
> Gah, apologies for that. It looks like I forgot to put the signatures
> in place there. I'll fix that right now.
> 

Thanks.

> >Others, such as the "current" images dated
> >2013-02-23/2013-02-24, seem to have an invalid signature (I am
> >verifying against keys in the debian-keyring 2012.11.15 package from
> >wheezy):
> >
> >david@spongebob:~/Downloads$ gpg2 -v --keyring /usr/share/keyrings/debian-role-keys.gpg -v SHA256SUMS.sign
> >gpg: armor: BEGIN PGP SIGNATURE Version: GnuPG v1.4.12 (GNU/Linux)
> >:signature packet: algo 1, keyid DA87E80D6294BE9B
> >        version 4, created 1361115854, md5len 0, sigclass 0x00
> >        digest algo 8, begin of digest 69 3e
> >        hashed subpkt 2 len 4 (sig created 2013-02-17)
> >        subpkt 16 len 8 (issuer key ID DA87E80D6294BE9B)
> >        data: [4096 bits]
> >gpg: armor header: 
> >gpg: assuming signed data in `SHA256SUMS'
> >gpg: Signature made sun 17.feb 2013, 15:44:14 GMT using RSA key ID 6294BE9B
> >gpg: using PGP trust model
> >gpg: key 372523E0: accepted as trusted key
> >gpg: BAD signature from "Debian CD signing key <debian-cd@lists.debian.org>"
> >gpg: binary signature, digest algorithm SHA256
> 
> This I cannot reproduce at all; I've checked all the signatures just
> now and they verify OK. I think you've got a mix of files from two
> places there: all of the signature files are dated "Feb 24 00:42" but
> you've got a file claiming the sig was made "sun 17.feb 2013, 15:44:14
> GMT". Checking the timestamps of other .sign files on the server,
> that's most likely one from the main wheezy d-i RC1 release as far as
> I can tell.
> 

Yes, I was a bit hasty there; I had an older SHA256SUMS.sign file that
I was verifying, and wget had downloaded the new one to SHA256SUMS.sign.1.
Sorry about the false alarm.

Thanks again for the prompt response.

Best regards,
Davíð Steinn Geirsson
david@dsg.is
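The mix-up above (a stale .sign file checked against a newer SHA256SUMS) is visible in the "Signature made" line before gpg ever says BAD. As an added example, not code from the thread or from debian-cd, here is a small parser that pulls the fields the quoted `gpg -v` listing shows (creation time, issuer key ID, algorithms, hash prefix) out of an armored detached signature so they can be compared with the checksum file's date; the armored sample is constructed from the listing's values with a dummy RSA MPI, and old-format v4 packets with 1- or 2-octet subpacket lengths are assumed.

```python
import base64, struct

def dearmor(text):
    """Return the packet bytes inside an ASCII-armored .sign file (the '=CRC' line is skipped)."""
    lines = text.strip().splitlines()
    b64 = lines[lines.index("") + 1:-1]         # after the armor headers, before the END line
    return base64.b64decode("".join(l for l in b64 if not l.startswith("=")))

def _subpackets(buf):
    """Parse a v4 subpacket area into {type: body} (1- and 2-octet lengths, RFC 4880 5.2.3.1)."""
    out, i = {}, 0
    while i < len(buf):
        n = buf[i]; i += 1
        if n == 255: raise ValueError("5-octet subpacket lengths are not handled here")
        if 192 <= n < 255:
            n = ((n - 192) << 8) + buf[i] + 192; i += 1
        out[buf[i] & 0x7F] = buf[i + 1:i + n]   # bit 7 of the type octet is the "critical" flag
        i += n
    return out

def parse_signature(pkt):
    """Decode an old-format v4 signature packet into the fields gpg -v prints."""
    tag = pkt[0]
    if (tag & 0xC0) != 0x80 or ((tag >> 2) & 0x0F) != 2 or (tag & 3) == 3:
        raise ValueError("expected an old-format signature packet with a definite length")
    body = pkt[(2, 3, 5)[tag & 3]:]             # skip the 1-, 2- or 4-octet length field
    if body[0] != 4:
        raise ValueError("only v4 signatures are handled")
    hlen = struct.unpack(">H", body[4:6])[0]
    hashed = _subpackets(body[6:6 + hlen])
    p = 6 + hlen
    ulen = struct.unpack(">H", body[p:p + 2])[0]
    unhashed = _subpackets(body[p + 2:p + 2 + ulen])
    p += 2 + ulen
    issuer = unhashed.get(16) or hashed.get(16) or b""
    return {"sigclass": body[1], "pubkey_algo": body[2], "hash_algo": body[3],
            "created": struct.unpack(">I", hashed[2])[0],       # seconds since the epoch
            "issuer": issuer.hex().upper(), "left16": body[p:p + 2].hex()}

# Constructed sample, not a real Debian signature: the fields mirror the gpg -v listing
# quoted in the thread, but the RSA MPI is a 16-bit dummy so it can never verify.
_sub = lambda t, body: bytes([len(body) + 1, t]) + body
_hashed = _sub(2, struct.pack(">I", 1361115854))            # 2013-02-17 15:44:14 UTC
_unhashed = _sub(16, bytes.fromhex("DA87E80D6294BE9B"))
_body = (bytes([4, 0x00, 1, 8]) + struct.pack(">H", len(_hashed)) + _hashed
         + struct.pack(">H", len(_unhashed)) + _unhashed + b"\x69\x3e" + b"\x00\x10\xca\xfe")
SAMPLE_SIGN = ("-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1.4.12 (GNU/Linux)\n\n"
               + base64.b64encode(b"\x89" + struct.pack(">H", len(_body)) + _body).decode()
               + "\n-----END PGP SIGNATURE-----\n")
```

A `created` value earlier than the checksum file's own timestamp (here a week before the Feb 24 files) is the tell-tale of a stale .sign, independent of the key trust state.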

Attachment: signature.asc
Description: PGP signature