
iso_keys



debian-cd@lists.debian.org

Wednesday January 17 2018

the official cd_dvd amd64 stable/stretch are not authentic/can't be
authenticated : BAD


https://cdimage.debian.org/debian-cd/current/amd64/iso-dvd/
- HTTP
https://cdimage.debian.org/debian-cd/current/amd64/bt-dvd/
- TORRENT

- LIVE DVD : idem


you published the keys/iso without having checked their
validity/compatibility beforehand ?



ALL THE KEYS ARE BAD (e.g.):
gpg --verify sums512.sign sums512
gpg: Signature made Sun 10 Dec 2017 03:58:21 CET
gpg:                using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
gpg: Can't check signature: No public key

gpg --keyserver keyring.debian.org --recv-key
DF9B9C49EAA9298432589D76DA87E80D6294BE9B
gpg: key DA87E80D6294BE9B: public key "Debian CD signing key
<debian-cd@lists.debian.org>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1

Signature made Sun 10 Dec 2017 03:58:21 CET
gpg:                using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
gpg: BAD signature from "Debian CD signing key
<debian-cd@lists.debian.org>" [un

********************************
gpg --verify MD5SUMS.sign MD5SUMS
gpg: Signature made Sat 09 Dec 2017 09:58:24 PM EST
GOOD SIGNATURE
********************************
it seems that these errors compromise apt-transport-https_sks,
trusted.gpg.d (missing keys) _ sources.list.save & maybe gpg, but i am not
certain of that.

*keys have changed new Sun 10 Dec 2017_old Sat 09 Dec 2017.

it is bizarre that before the linux security update the signature made Sat
09 Dec 2017 was good but today it is bad.
does not an updated-key remember its revoked-key one (same cd-key) ?
should not it be written revoked instead of bad ?
is something wrong in the keyring ?
stolen-falsified keys/hacked site ?
a segment-fault on a server ?
fake debian.org site (i verified the cert(green) with the help of the
calomel-addon & i did not notice something wrong.)?
______________________________________________________________________



9.0. is not available (9.3 only ! ).
could you put online asap the debian 9.0.0. stretch stable or update
9.3.0. with the right keys ?


_______________________________________________________________________

*or my gtkhash/cli is broken and reporting this is a big error, but in case
of doubt i do it, sorry.

thx.




[To make life easier for users, here are the fingerprints for the keys
that have been used for releases in recent years:]

pub   4096R/64E6EA7D 2009-10-03
      Key fingerprint = 1046 0DAD 7616 5AD8 1FBC  0CE9 9880 21A9 64E6 EA7D
uid                  Debian CD signing key <debian-cd@lists.debian.org>

pub   4096R/6294BE9B 2011-01-05
      Key fingerprint = DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B
uid                  Debian CD signing key <debian-cd@lists.debian.org>
sub   4096R/11CD9819 2011-01-05

pub   4096R/09EA8AC3 2014-04-15
      Key fingerprint = F41D 3034 2F35 4669 5F65  C669 4246 8F40 09EA 8AC3
uid                  Debian Testing CDs Automatic Signing Key <debian-cd@lists.debian.org>
sub   4096R/6BD05CFB 2014-04-15
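
The gpg runs in the message above end in three different outcomes (no public key, BAD signature, good signature). The following is an added example, not part of the original post or of Debian's tooling: it classifies the machine-readable `gpg --status-fd` output and accepts a good signature only from the primary-key fingerprints listed above. The function names, verdict strings and the sample status text are constructed for illustration.

```python
import subprocess

# Primary-key fingerprints from the list quoted in the message (spaces removed).
PINNED = {
    "10460DAD76165AD81FBC0CE9988021A964E6EA7D",
    "DF9B9C49EAA9298432589D76DA87E80D6294BE9B",
    "F41D30342F3546695F65C66942468F4009EA8AC3",
}
# gpg status keywords that must never be reported as a plain "good" result.
OUTCOMES = {
    "BADSIG": "bad: signed data and signature do not match",
    "REVKEYSIG": "revoked: signature matches but the key is revoked",
    "EXPKEYSIG": "expired-key: signature matches but the key has expired",
    "EXPSIG": "expired-sig: signature matches but the signature has expired",
}
# Constructed sample of status output for a mismatching checksum file.
SAMPLE_BAD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] BADSIG DA87E80D6294BE9B Debian CD signing key <debian-cd@lists.debian.org>\n")

def classify(status_text, pinned=PINNED):
    """Reduce `gpg --status-fd` output to one verdict string."""
    seen = {}
    for line in status_text.splitlines():
        if line.startswith("[GNUPG:] "):
            keyword, _, args = line[9:].partition(" ")
            seen.setdefault(keyword, args.split())
    for keyword, verdict in OUTCOMES.items():
        if keyword in seen:
            return verdict
    if "NO_PUBKEY" in seen or "ERRSIG" in seen:
        return "unchecked: signature could not be verified (e.g. missing public key)"
    if "GOODSIG" in seen and "VALIDSIG" in seen:
        # The last VALIDSIG field is the primary key fingerprint; if an old
        # gpg omits it, the comparison fails and the result is not trusted.
        if seen["VALIDSIG"][-1].upper() in pinned:
            return "good: signed by a pinned key"
        return "untrusted: valid signature from an unpinned key"
    return "unknown: no signature status reported"

def verify(sig_path, data_path):
    """Run gpg on a detached signature and classify its status output."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True)
    return classify(proc.stdout)

if __name__ == "__main__":
    print(classify(SAMPLE_BAD))
```
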

