Package: cdimage.debian.org Hello, I have a Debian Jessie up and running on one computer. I want to install Jessie on another computer. I downloaded debian-8.0.0-amd64-netinst.iso from some Debian mirror and want to verify this, via the existing Jessie. This I cannot do. Details: I downloaded http://cdimage.debian.org/debian-cd/8.0.0/amd64/iso-cd/SHA512SUMS and the pertinent line verified ok with grep debian-8.0.0-amd64-netinst.iso SHA512SUMS | sha512sum -c So far, so good. I downloaded http://cdimage.debian.org/debian-cd/8.0.0/amd64/iso-cd/SHA512SUMS.sign and tried to verify SHA512SUM with that, but (of course) $ LANG=C gpg2 --verify SHA512SUMS.sign gpg: assuming signed data in 'SHA512SUMS' gpg: Signature made Sun Apr 26 01:43:56 2015 CEST using RSA key ID 6294BE9B gpg: Can't check signature: No public key The information over at http://keyring.debian.org/ suggests that I can retrieve the key there, but $ LANG=C gpg2 --keyserver keyring.debian.org --recv-keys 6294BE9B gpg: requesting key 6294BE9B from hkp server keyring.debian.org gpgkeys: key 6294BE9B can't be retrieved gpg: no valid OpenPGP data found. gpg: Total number processed: 0 Finally, the discussion over at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=609451 seems to suggest that SHA512SUMS.sign should have been changed some time after "Mon, 27 Apr 2015 23:18:02 +0100", but the file is older: $ curl -sI http://cdimage.debian.org/debian-cd/8.0.0/amd64/iso-cd/SHA512SUMS.sign | grep -i 'last-modified' Last-Modified: Sat, 25 Apr 2015 23:43:56 GMT So I'm at a loss. Where do I get the signature to verify? Where do I get the key that signed that signature? Regards, and thank you for providing fine software, Andreas
Attachment:
signature.asc
Description: OpenPGP digital signature