Hi, On Wed, Jan 17, 2018 at 08:50:17PM -0000, sejobud33@bitmessage.de wrote: >debian-cd@lists.debian.org > >Wednesday January 17 2018 > >the official cd_dvd amd64 stable/stretch are not authentic/can't be >authentified : BAD > > >https://cdimage.debian.org/debian-cd/current/amd64/iso-dvd/ >- HTTP >https://cdimage.debian.org/debian-cd/current/amd64/bt-dvd/ >- TORRENT > >- LIVE DVD : idem > > >you published the keys/iso without have checked before their >validity/compatibility ? No, I've just checked things directly on the cdimage server and they signatures look fine to me. For example: debian-cd@pettersson:/mnt/nfs-cdimage/release/current/amd64/iso-dvd$ gpg --verify SHA512SUMS.sign SHA512SUMS gpg: Signature made Sun 10 Dec 2017 02:58:23 UTC gpg: using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B gpg: please do a --check-trustdb gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>" [unknown] >ALL THE KEYS ARE BAD (e.g.): >gpg --verify sums512.sign sums512 >gpg: Signature made Sun 10 Dec 2017 03:58:21 CET >gpg: using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B >gpg: Can't check signature: No public key sums512.sign and sums512 are not the same filenames as on the server. Whatever you're doing with those files might be breaking the integrity of the signatures... >9.0. is not available (9.3 only ! ). >could you put on line asap the debian 9.0.0. stretch stable or update >9.3.0. with the right keys ? All the older releases are also available from https://cdimage.debian.org/cdimage/archive/ if you need them. >*or my gtkhash/cli is broken and reporting this is a big error but in case >of doubt i do it , sorry. No problem - thanks for raising your concerns, but all looks OK to me. -- Steve McIntyre, Cambridge, UK. steve@einval.com "I can't ever sleep on planes ... call it irrational if you like, but I'm afraid I'll miss my stop" -- Vivek Das Mohapatra
Attachment:
signature.asc
Description: PGP signature