Workaround: I found the missing key in the file obtainable via rsync -az keyring.debian.org::keyrings/keyrings/debian-role-keys.gpg . After importing the keys from that file, I could finally verify: $ LANG=C gpg2 --verify SHA512SUMS.sign gpg: assuming signed data in 'SHA512SUMS' gpg: Signature made Sun Apr 26 01:43:56 2015 CEST using RSA key ID 6294BE9B gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>" [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B Regards, and thank you for providing fine software and infrastructure, Andreas
Attachment:
signature.asc
Description: OpenPGP digital signature