Sorry for an error in text below, the file containing: da34180d8f618a6a311fe31fb08508496eb91601 debian-9.4.0-amd64-netinst.iso 341cbaf33c632891e23f0b2bffaebf2856a868fe debian-9.4.0-amd64-xfce-CD-1.isoc5dfa66c6885fbfe476b0da381d77145c994c629 debian-mac-9.4.0-amd64-netinst.iso
is https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/SHA1SUMS The SHA1SUMS.sign file contains: -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEE35ucSeqpKYQyWJ122ofoDWKUvpsFAlqsLi8ACgkQ2ofoDWKU vpuaJw/+My2T7TuRb6VQVjqbQmBj8hrfK8/pwDXD1fu/b6p5h/aBPJroGSl/VJCY URQe6fF/D1hxr1+odVahv8+FhoEsSEBet7Vvlfzw/1OAq327xBUlbHbxoOD0/0c4 bf5JWbPi1hxId2cIftnhoR3IeJPwaWdiUfF0E51Ci3ycLmQJmAPk/8wXsDDn4IE3 lerKYnLwKtohQNOOYbQ3k4795te2UjAVxbcraunqFu4nHjZZ907GoWQrzZtbURpx R9HBVcKt+F7XOLGAIkKwACdUlmjYrhCIwY58ZCjzW69B1W7lPmbDT1TR4pICCqN+ HGoNnqTiDMwc5EGtCrZppByipB02qs5CNQBdoJwHpFKw+CwcyP68Jqx8YMo0KAri roq/vWApMLO0bsRDmOoGjPbo8b1+MgeFw4NSbpqLSHGGQbegqyGPkz4DriSkzhd/ QmusgTA5nalIwDoJjAJeNFnLVYMPB7w/i+Jupaune4C5vQ4p0wu15YRKdwIfCY6J 67fPqx7wCrvqPWAGSNfRa4VyKQtjLWE8H83tAKkQFI8QdkNyBmzRFzH2zjW3BSLG /mkEfqiwJmeKOwonKhSKPXRYde5GrTiiTR1gPnPXKeEkQJBTdI84SgeM87dMpAyY uUv9p3rK7CEAGZdSCJmf27e1K0E7LOw1+ceXIRpAwvv9ipLtXDk= =cSpx -----END PGP SIGNATURE----- /Jorgen On Mon, 16 Apr 2018, Jorgen Ottosson wrote:
Date: Mon, 16 Apr 2018 11:11:27 +0200 (CEST) From: Jorgen Ottosson <otto@de.acme.nu> To: debian-cd@lists.debian.org Subject: Question on bad signature 180416 Hi,I have tested verifying the sig on the SHA1 file from here: https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/but have not been successful in doing so. Example: ----- $ gpg SHA1SUMS.sign Detached signature. Please enter name of data file: debian-9.4.0-amd64-xfce-CD-1.iso gpg: Signature made Fri 16 Mar 2018 09:50:55 PM CET using RSA key ID 6294BE9B gpg: BAD signature from "Debian CD signing key <debian-cd@lists.debian.org>" ----- The SHA1SUMS.sign file contains: da34180d8f618a6a311fe31fb08508496eb91601 debian-9.4.0-amd64-netinst.iso 341cbaf33c632891e23f0b2bffaebf2856a868fe debian-9.4.0-amd64-xfce-CD-1.iso c5dfa66c6885fbfe476b0da381d77145c994c629 debian-mac-9.4.0-amd64-netinst.isoAm I missing something? This should indicate some error in data etc, if key was unsigned locally it would clearly indicate that the sig checks mathematically but is not trusted, ie sig checks but it not verified.Any comments welcome. SY, Jorgen