
Bug#786683: debian-8.0.0-amd64-netinst.iso cannot be verified: SHA512SUM.sign broken or GPG-key not available.



Package: cdimage.debian.org

Hello,

I have a Debian Jessie up and running on one computer.
I want to install Jessie on another computer.

I downloaded debian-8.0.0-amd64-netinst.iso from some Debian
mirror and want to verify this, via the existing Jessie.  This I cannot do.

Details:

I downloaded

http://cdimage.debian.org/debian-cd/8.0.0/amd64/iso-cd/SHA512SUMS

and the pertinent line verified ok with

grep debian-8.0.0-amd64-netinst.iso SHA512SUMS | sha512sum -c

So far, so good. I downloaded

http://cdimage.debian.org/debian-cd/8.0.0/amd64/iso-cd/SHA512SUMS.sign

and tried to verify SHA512SUMS with that, but (of course)

$ LANG=C gpg2 --verify SHA512SUMS.sign
gpg: assuming signed data in 'SHA512SUMS'
gpg: Signature made Sun Apr 26 01:43:56 2015 CEST using RSA key ID 6294BE9B
gpg: Can't check signature: No public key

The information over at http://keyring.debian.org/ suggests that
I can retrieve the key there, but

$ LANG=C gpg2 --keyserver keyring.debian.org --recv-keys 6294BE9B
gpg: requesting key 6294BE9B from hkp server keyring.debian.org
gpgkeys: key 6294BE9B can't be retrieved
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0

Finally, the discussion over at
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=609451 seems to
suggest that SHA512SUMS.sign should have been changed some time
after "Mon, 27 Apr 2015 23:18:02 +0100", but the file is older:

$ curl -sI http://cdimage.debian.org/debian-cd/8.0.0/amd64/iso-cd/SHA512SUMS.sign | grep -i 'last-modified'
Last-Modified: Sat, 25 Apr 2015 23:43:56 GMT

So I'm at a loss.

Where do I get the signature to verify?
Where do I get the key that signed that signature?

Regards, and thank you for providing fine software,

Andreas
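
The verification chain described in the report above (signature over SHA512SUMS, then the image hash), written as a fail-closed shell script. This is an added example, not part of the original message; the `check_sum` and `verify_image` names and the caller-supplied keyring path are assumptions.

```shell
#!/bin/sh
# Added example: verify the signature on SHA512SUMS first, then the image
# hash, failing closed at every step.

# check_sum SUMS_FILE IMAGE
# Pick the checksum line by exact filename; a grep pattern would treat the
# dots as wildcards and could match more than one entry.
check_sum() {
    sums=$1; image=$2
    name=$(basename "$image")
    line=$(awk -v n="$name" '$2 == n || $2 == "*" n' "$sums")
    # Require exactly one entry for this file; none or several is an error.
    [ "$(printf '%s\n' "$line" | grep -c .)" -eq 1 ] || return 1
    (cd "$(dirname "$image")" && printf '%s\n' "$line" | sha512sum -c - >/dev/null 2>&1)
}

# verify_image IMAGE SUMS_FILE SIG_FILE KEYRING
# KEYRING (assumption: supplied by the caller) is a file holding the signing
# key, obtained and checked out of band. Give it as a path containing a
# slash, otherwise gpgv looks for it in its home directory.
verify_image() {
    image=$1; sums=$2; sig=$3; keyring=$4
    [ -r "$keyring" ] || { echo "no trusted keyring: $keyring" >&2; return 2; }
    # gpgv trusts only the keys in the given keyring and never contacts a keyserver
    gpgv --keyring "$keyring" "$sig" "$sums" ||
        { echo "signature on $sums NOT verified" >&2; return 3; }
    check_sum "$sums" "$image" ||
        { echo "checksum mismatch or missing entry for $image" >&2; return 4; }
    echo "OK: $image matches the signed $sums"
}

# Run as: sh verify.sh IMAGE SHA512SUMS SHA512SUMS.sign /path/to/keyring.gpg
if [ "$#" -eq 4 ]; then
    verify_image "$@"
fi
```

The distinct return codes separate "no trusted key available" (2) from "signature bad" (3) and "hash mismatch" (4), so a missing key is never mistaken for a verified image.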

