Re: Question on bad signature 180416
Hi,
Jorgen Ottosson wrote:
> $ gpg SHA1SUMS.sign
> Detached signature.
> Please enter name of data file: debian-9.4.0-amd64-xfce-CD-1.iso
> gpg: Signature made Fri 16 Mar 2018 09:50:55 PM CET using RSA key ID 6294BE9B
> gpg: BAD signature from "Debian CD signing key <debian-cd@lists.debian.org>"
This is simply the wrong data file.
*SUMS.sign exists to verify *SUMS.
*SUMS exists to verify the files which it lists by its content (e.g. *.iso
or *.jigdo).
I just tried successfully:
$ wget https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/SHA1SUMS
...
$ wget https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/SHA1SUMS.sign
...
$ gpg --keyserver keyring.debian.org --verify SHA1SUMS.sign SHA1SUMS
gpg: Signature made Fri 16 Mar 2018 09:50:55 PM CET using RSA key ID 6294BE9B
gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B
What is important is that "Primary key fingerprint" is one of those listed on
https://www.debian.org/CD/verify
Have a nice day :)
Thomas
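
The second link of the chain described in the message above (SUMS.sign verifies SUMS, SUMS verifies the image), as an added example that is not part of the original message. The function names check_against_sums and verify_image are hypothetical helpers, not Debian tooling, and the file names are passed in by the caller.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not part of any Debian tool.

# check_against_sums SUMS_FILE DATA_FILE
# Returns 0 if DATA_FILE's SHA-1 matches its entry in SUMS_FILE,
#         1 if the digests differ,
#         2 if DATA_FILE is not listed in SUMS_FILE at all.
check_against_sums() {
    sums=$1
    data=$2
    name=$(basename "$data")
    # Entries look like "<hex digest>  <file name>"; a "*" may prefix the name.
    expected=$(awk -v n="$name" \
        '{ f = $2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$sums")
    # An unlisted file must not be treated as verified.
    [ -n "$expected" ] || return 2
    actual=$(sha1sum "$data" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# verify_image SUMS_FILE SIG_FILE DATA_FILE
# Step 1: the detached signature is checked against the SUMS file,
#         never against the image itself.
# Step 2: the image is checked against the now-verified SUMS file.
# Returns 3 if gpg rejects the signature, otherwise the result of step 2.
verify_image() {
    gpg --verify "$2" "$1" || return 3
    check_against_sums "$1" "$3"
}
```

gpg exits successfully for a good signature from any key in the keyring, so the printed "Primary key fingerprint" still has to be compared with https://www.debian.org/CD/verify as the message says.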