Bug#770870: Re: cdimage.debian.org: Untrustworthy key used to sign SHA512SUMS: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B

On Mon, 2014-11-24 at 12:21 -0800, Gordon Morehouse wrote:
> Debian 7.7 SHA512SUMS are signed with a key that doesn't appear to be signed
> by anyone on the Debian keyring, leaving SHA512SUMS unverifiable by any easy
> means.

This is incorrect. (I have good reason to know that it is; see below.)

> Please note that I have the debian keyring installed in GPG on the machine
> on which the following operation was performed.
> $ gpg --verify SHA512SUMS.sign
> gpg: Signature made Sun Oct 19 19:45:39 2014 PDT using RSA key ID 6294BE9B
> gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the owner.
> Primary key fingerprint: DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B

That output says absolutely nothing about whether the key is signed by
other keys which you have available. It simply says that you have not
personally trusted the key.

Actually checking the signatures on the key reveals:

$ gpg --no-default-keyring --keyring /usr/share/keyrings/debian-keyring.gpg --keyring /usr/share/keyrings/debian-role-keys.gpg --list-sigs 6294BE9B
pub   4096R/6294BE9B 2011-01-05
uid                  Debian CD signing key <debian-cd@lists.debian.org>
sig          1B3045CE 2011-01-07  [User ID not found]
sig          3442684E 2011-01-05  Steve McIntyre <steve@einval.com>
sig          A40F862E 2011-01-05  Neil McGovern <neil@halon.org.uk>
sig          C542CD59 2011-01-05  Adam D. Barratt <adam@adam-barratt.org.uk>
sig          63C7CC90 2011-01-05  Simon McVittie <smcv@pseudorandom.co.uk>
sig 3        6294BE9B 2011-01-05  Debian CD signing key <debian-cd@lists.debian.org>
sub   4096R/11CD9819 2011-01-05
sig          6294BE9B 2011-01-05  Debian CD signing key <debian-cd@lists.debian.org>
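Added example, not code from the bug thread: a small Python script that answers the question the `--list-sigs` command above answers, namely which certifiers of the CD signing key are present in the Debian keyring, by parsing gpg's machine-readable `--with-colons` listing instead of the human-readable one. The embedded listing and the keyring ID set are constructed from the output above; the certifiers' upper key-ID halves (the `00000000` prefixes) are placeholders, since the thread only shows short IDs.

```python
"""Which certifications on a GPG key come from keys in a trusted keyring?
Added example, not code from the bug thread. Parses `gpg --with-colons
--list-sigs` output. SAMPLE_LISTING is CONSTRUCTED from the thread's listing
(00000000 stands in for the certifiers' unknown upper key-ID halves) and
KEYRING_KEYIDS is a constructed stand-in for the IDs in debian-keyring.gpg."""

# Colon-format records: field 1 type, 5 long key ID, 10 user ID, 11 sig class.
SAMPLE_LISTING = """\
pub:-:4096:1:DA87E80D6294BE9B:1294185600:::-:::scSC:
uid:-::::1294185600::::Debian CD signing key <debian-cd@lists.debian.org>:
sig:::1:000000001B3045CE:1294358400::::[User ID not found]:10x:
sig:::1:000000003442684E:1294185600::::Steve McIntyre <steve@einval.com>:10x:
sig:::1:00000000A40F862E:1294185600::::Neil McGovern <neil@halon.org.uk>:10x:
sig:::1:00000000C542CD59:1294185600::::Adam D. Barratt <adam@adam-barratt.org.uk>:10x:
sig:::1:0000000063C7CC90:1294185600::::Simon McVittie <smcv@pseudorandom.co.uk>:10x:
sig:::1:DA87E80D6294BE9B:1294185600::::Debian CD signing key <debian-cd@lists.debian.org>:13x:
sub:-:4096:1:0000000011CD9819:1294185600::::::s:
sig:::1:DA87E80D6294BE9B:1294185600::::Debian CD signing key <debian-cd@lists.debian.org>:18x:
"""

# Constructed; in practice obtained with `gpg --with-colons --list-keys`
# against /usr/share/keyrings/debian-keyring.gpg.
KEYRING_KEYIDS = {"000000003442684E", "00000000A40F862E",
                  "00000000C542CD59", "0000000063C7CC90"}


def parse_certifications(listing, signed_keyid):
    # Third-party certifications (sig class 0x10-0x13) on the primary key's
    # user IDs; self-sigs and subkey-binding sigs (under a `sub` record) skipped.
    certs = {}
    under_subkey = False
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "uid"):
            under_subkey = False
        elif f[0] in ("sub", "ssb"):
            under_subkey = True
        elif f[0] == "sig" and not under_subkey:
            keyid, uid, sigclass = f[4], f[9], f[10]
            if sigclass[:2] in ("10", "11", "12", "13") and keyid != signed_keyid:
                certs[keyid] = uid
    return certs


def keyring_certifiers(certs, keyring_keyids):
    # Compare full long key IDs, never the collision-prone 8-hex-digit short form.
    return {k: u for k, u in certs.items() if k in keyring_keyids}


if __name__ == "__main__":
    certs = parse_certifications(SAMPLE_LISTING, "DA87E80D6294BE9B")
    for keyid, uid in keyring_certifiers(certs, KEYRING_KEYIDS).items():
        print(f"certified by keyring member {keyid}: {uid}")
```

Note that `--list-sigs` only lists certifications without checking them; for a real decision use `--check-sigs` and accept only `sig` records whose second field is `!` (good signature).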