Bug#917491: debian-installer-9-netboot-amd64: Did this bug crop up again in 20170615+deb9u6 (released Apr 2019)?
Package: debian-installer-9-netboot-amd64
Version: 20170615+deb9u6
Followup-For: Bug #917491
Dear Maintainer,
Some weeks ago, my Debian stretch netboot installer told me that
I needed to update, so I proceeded to download the new files:
http://ftp.debian.org/debian/dists/stretch/main/installer-amd64/current/images/netboot/netboot.tar.gz
http://ftp.debian.org/debian/dists/stretch/main/installer-amd64/current/images/SHA256SUMS
http://ftp.debian.org/debian/dists/stretch/Release
http://ftp.debian.org/debian/dists/stretch/Release.gpg
and run the normal sha256 checksums on the various files, per the Debian wiki:
$cat SHA256SUMS | grep -F netboot/netboot.tar.gz
c2d37c3652f993bc07039f68cc1876ef343a9bb30fca29ca5aa9de0e93a9c4fd
./netboot/netboot.tar.gz
$sha256sum netboot.tar.gz
c2d37c3652f993bc07039f68cc1876ef343a9bb30fca29ca5aa9de0e93a9c4fd
netboot.tar.gz
$sha256sum SHA256SUMS
083e4910e7af0f6e0b40809456ff373704bb7c27731f9edd73d9d93628267a6f
SHA256SUMS
$cat Release | grep -A 100000 '^SHA256' | grep -F
installer-amd64/current/images/SHA256SUMS
083e4910e7af0f6e0b40809456ff373704bb7c27731f9edd73d9d93628267a6f
74077 main/installer-amd64/current/images/SHA256SUMS
$gpg --verify Release.gpg Release
gpg: Signature made Sat 27 Apr 2019 04:30:44 AM CDT
gpg: using RSA key
A1BD8E9D78F7FE5C3E65D8AF8B48AD6246925553
gpg: Good signature from "Debian Archive Automatic Signing Key
(7.0/wheezy) <ftpmaster@debian.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the
owner.
Primary key fingerprint: A1BD 8E9D 78F7 FE5C 3E65 D8AF 8B48 AD62 4692
5553
gpg: Signature made Sat 27 Apr 2019 04:30:44 AM CDT
gpg: using RSA key
126C0D24BD8A2942CC7DF8AC7638D0442B90D010
gpg: Good signature from "Debian Archive Automatic Signing Key
(8/jessie) <ftpmaster@debian.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the
owner.
Primary key fingerprint: 126C 0D24 BD8A 2942 CC7D F8AC 7638 D044 2B90
D010
gpg: Signature made Sat 27 Apr 2019 04:33:33 AM CDT
gpg: using RSA key
067E3C456BAE240ACEE88F6FEF0F382A1A7B6500
gpg: Good signature from "Debian Stable Release Key (9/stretch)
<debian-release@lists.debian.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the
owner.
Primary key fingerprint: 067E 3C45 6BAE 240A CEE8 8F6F EF0F 382A 1A7B
6500
I noticed that the Release file had been signed with
A1BD8E9D78F7FE5C3E65D8AF8B48AD6246925553
which matches the signature for "Debian Archive Automatic Signing Key (7.0/wheezy)
<ftpmaster@debian.org>"
not for "Debian Stable Release Key (9/stretch)
<debian-release@lists.debian.org>"
as I would expect for the Stretch release (stretch key for stretch
release, yes?).
A search brought me to this bug, which sounds a lot like what I've seen. If
this is a "should be reported elsewhere", I would be happy to do so. Thanks
for all your work on making the installer setups go!
-- System Information:
Debian Release: 9.8
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-8-amd64 (SMP w/24 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
debian-installer-9-netboot-amd64 depends on no packages.
debian-installer-9-netboot-amd64 recommends no packages.
Versions of packages debian-installer-9-netboot-amd64 suggests:
pn tftpd-hpa <none>
Reply to: