Re: Question on bad signature 180416

To: debian-cd@lists.debian.org
Cc: otto@de.acme.nu
Subject: Re: Question on bad signature 180416
From: "Thomas Schmitt" <scdbackup@gmx.net>
Date: Mon, 16 Apr 2018 12:00:41 +0200
Message-id: <[🔎] 12493779181941945745@scdbackup.webframe.org>
In-reply-to: <[🔎] alpine.DEB.2.10.1804161106020.16939@de.acme.nu>
References: <[🔎] alpine.DEB.2.10.1804161106020.16939@de.acme.nu>

Hi,

Jorgen Ottosson wrote:
> $ gpg SHA1SUMS.sign
> Detached signature.
> Please enter name of data file: debian-9.4.0-amd64-xfce-CD-1.iso
> gpg: Signature made Fri 16 Mar 2018 09:50:55 PM CET using RSA key ID 6294BE9B
> gpg: BAD signature from "Debian CD signing key <debian-cd@lists.debian.org>"

This is simply the wrong data file.

*SUMS.sign exists to verify *SUMS.
*SUMS exists to verify the files which it lists by its content (e.g. *.iso
or *.jigdo).

I just tried successfully:

  $ wget https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/SHA1SUMS
  ...
  $ wget https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/SHA1SUMS.sign  ...
  $ gpg --keyserver keyring.debian.org --verify SHA1SUMS.sign SHA1SUMS
  gpg: Signature made Fri 16 Mar 2018 09:50:55 PM CET using RSA key ID 6294BE9B
  gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>"
  gpg: WARNING: This key is not certified with a trusted signature!
  gpg:          There is no indication that the signature belongs to the owner.
  Primary key fingerprint: DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B

Important is that "Primary key fingerprint" is one of those listed on
  https://www.debian.org/CD/verify

Have a nice day :)

Thomas

Reply to:

References:
- Question on bad signature 180416
  - From: Jorgen Ottosson <otto@de.acme.nu>

Prev by Date: Re: Question on bad signature 180416
Next by Date: Re: Beep twice when install starts
Previous by thread: Re: Question on bad signature 180416
Next by thread: Bug#896638: debian-cd: Unable to build CD image with unsigned repository
Index(es):
- Date
- Thread