Bug#770870: Re: cdimage.debian.org: Untrustworthy key used to sign SHA512SUMS: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B
On Mon, 2014-11-24 at 12:21 -0800, Gordon Morehouse wrote:
> Debian 7.7 SHA512SUMS are signed with a key that doesn't appear to be signed
> by anyone on the Debian keyring, leaving SHA512SUMS unverifiable by any easy
This is incorrect. (I have good reason to know that it is; see below.)
> Please note that I have the debian keyring installed in GPG on the machine
> on which the following operation was performed.
> $ gpg --verify SHA512SUMS.sign
> gpg: Signature made Sun Oct 19 19:45:39 2014 PDT using RSA key ID 6294BE9B
> gpg: Good signature from "Debian CD signing key <firstname.lastname@example.org>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the owner.
> Primary key fingerprint: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B
That output says absolutely nothing about whether the key is signed by
other keys which you have available. It simply says that you have not
personally trusted the key.
Actually checking the signatures on the key reveals:
$ gpg --no-default-keyring --keyring /usr/share/keyrings/debian-keyring.gpg --keyring /usr/share/keyrings/debian-role-keys.gpg --list-sigs 6294BE9B
pub   4096R/6294BE9B 2011-01-05
uid                  Debian CD signing key <email@example.com>
sig          1B3045CE 2011-01-07  [User ID not found]
sig          3442684E 2011-01-05  Steve McIntyre <firstname.lastname@example.org>
sig          A40F862E 2011-01-05  Neil McGovern <email@example.com>
sig          C542CD59 2011-01-05  Adam D. Barratt <firstname.lastname@example.org>
sig          63C7CC90 2011-01-05  Simon McVittie <email@example.com>
sig 3        6294BE9B 2011-01-05  Debian CD signing key <firstname.lastname@example.org>
sub   4096R/11CD9819 2011-01-05
sig          6294BE9B 2011-01-05  Debian CD signing key <email@example.com>
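The distinction the reply draws, between gpg's "not certified with a trusted signature" warning (no ownertrust assigned locally) and the question of who has actually certified the key, can be checked mechanically from gpg's machine-readable output. The following script is an added example, not part of the bug thread or of Debian's tooling: it parses the `--with-colons` form of the `--list-sigs` listing above and reports which certifications come from long key IDs present in a keyring you already trust. The sample listing and the set of trusted IDs are constructed to mirror the listing; the 16-digit key IDs are made up apart from their trailing 8 digits, which are the short IDs shown above, and the e-mail addresses are the placeholders as they appear on the page.

```python
"""Report who has certified an OpenPGP key, from `gpg --with-colons` output.

Added example. Feed it the real listing with:
  gpg --no-default-keyring --keyring /usr/share/keyrings/debian-keyring.gpg \
      --keyring /usr/share/keyrings/debian-role-keys.gpg \
      --with-colons --list-sigs 6294BE9B
and a set of long key IDs exported from the same keyrings with
`--with-colons --list-keys`.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Any, Dict, List, Set

# Constructed sample of `gpg --with-colons --list-sigs 6294BE9B`, mirroring the
# listing in the reply. Field layout (gnupg doc/DETAILS, 1-based): 1 record
# type, 5 key ID, 6 creation time (epoch), 10 user ID, 11 signature class
# ("10x"/"13x" exportable certifications, "18x" subkey binding). The "AAAAAAAA"
# long-ID prefixes are made up; only the trailing short IDs are from the page.
SAMPLE_LISTING = """\
pub:-:4096:1:DA87E80D6294BE9B:1294185600:::-:::scESC:
uid:-::::1294185600::0000000000000000000000000000000000000000::Debian CD signing key <email@example.com>:
sig:::1:AAAAAAAA1B3045CE:1294358400::::[User ID not found]:10x:
sig:::1:AAAAAAAA3442684E:1294185600::::Steve McIntyre <firstname.lastname@example.org>:10x:
sig:::1:AAAAAAAAA40F862E:1294185600::::Neil McGovern <email@example.com>:10x:
sig:::1:AAAAAAAAC542CD59:1294185600::::Adam D. Barratt <firstname.lastname@example.org>:10x:
sig:::1:AAAAAAAA63C7CC90:1294185600::::Simon McVittie <email@example.com>:10x:
sig:::1:DA87E80D6294BE9B:1294185600::::Debian CD signing key <email@example.com>:13x:
sub:-:4096:1:AAAAAAAA11CD9819:1294185600::::::s:
sig:::1:DA87E80D6294BE9B:1294185600::::Debian CD signing key <email@example.com>:18x:
"""

# Constructed stand-in for the long key IDs you would pull out of
# debian-keyring.gpg; the real set has thousands of entries.
TRUSTED_DEVELOPER_IDS: Set[str] = {
    "AAAAAAAA3442684E", "AAAAAAAAA40F862E", "AAAAAAAAC542CD59", "AAAAAAAA63C7CC90",
}


@dataclass(frozen=True)
class Certification:
    signer_keyid: str  # 16 hex digits; never compare the collidable 8-digit short form
    made_on: str       # ISO date of the certification
    signer_uid: str    # "[User ID not found]" when gpg has no key for the signer
    sig_class: str     # gpg class code, e.g. "10x" generic, "13x" positive


def parse_certifications(listing: str) -> Dict[str, Any]:
    """Return the primary key ID and the third-party certifications on its user IDs.

    Self-signatures and subkey-binding signatures are skipped: they are made by
    the key itself and say nothing about whether anyone else vouches for it.
    """
    primary = None
    certs: List[Certification] = []
    in_subkey = False
    for raw in listing.splitlines():
        fields = raw.split(":")
        rtype = fields[0]
        if rtype == "pub":
            primary = fields[4].upper()
            in_subkey = False
        elif rtype == "sub":
            in_subkey = True  # following sig records bind the subkey, not the identity
        elif rtype == "sig" and not in_subkey and primary is not None:
            signer = fields[4].upper()
            if signer == primary:
                continue
            made = datetime.fromtimestamp(int(fields[5]), tz=timezone.utc).date().isoformat()
            certs.append(Certification(signer, made, fields[9], fields[10]))
    if primary is None:
        raise ValueError("no pub record in listing")
    return {"primary": primary, "certifications": certs}


def evaluate(listing: str, trusted_ids: Set[str]) -> Dict[str, List[str]]:
    """Split certifications into those from trusted keys and the rest.

    An empty "trusted" list is what an unverifiable key actually looks like. A
    non-empty one means the key is vouched for even though gpg still prints
    'WARNING: This key is not certified with a trusted signature!' when you have
    not assigned ownertrust to any of the certifying keys.
    """
    parsed = parse_certifications(listing)
    trusted_upper = {k.upper() for k in trusted_ids}
    report: Dict[str, List[str]] = {"trusted": [], "untrusted": []}
    for cert in parsed["certifications"]:
        bucket = "trusted" if cert.signer_keyid in trusted_upper else "untrusted"
        report[bucket].append(f"{cert.signer_keyid} {cert.made_on} {cert.signer_uid}")
    return report


if __name__ == "__main__":
    summary = evaluate(SAMPLE_LISTING, TRUSTED_DEVELOPER_IDS)
    print("certified by keys in the trusted keyring:")
    for line in summary["trusted"]:
        print("  " + line)
    print("other certifications:")
    for line in summary["untrusted"]:
        print("  " + line)
```

The script compares full 64-bit key IDs rather than the 32-bit short IDs gpg prints by default, since short IDs can be collided cheaply; comparing fingerprints from `fpr` records would be stricter still. Note that "[User ID not found]" only means the signer's key is absent from the keyrings you passed on the command line, which is why the reply's check names the Debian keyrings explicitly.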