Re: MAUVAISE SIGNATURE official release Debian12.11.0-amd64-DVD-1

To: Aline <patrick970vert@proton.me>
Cc: "debian-cd@lists.debian.org" <debian-cd@lists.debian.org>
Subject: Re: MAUVAISE SIGNATURE official release Debian12.11.0-amd64-DVD-1
From: Cyril Brulebois <kibi@debian.org>
Date: Wed, 28 May 2025 05:02:18 +0200
Message-id: <[🔎] 20250528030218.6ezndcjm6rov4d5y@mraw.org>
In-reply-to: <[🔎] VjAsiUmhIW6pI1UEIQdtslnt6DTWYZ__iv0iZgl-tKuN9x5m2cimMpDH_NRLNQDkSwJtA00tBsBE9wWEIGMqsbaYkp8SjHMl8R0MD92Wqwg=@proton.me>
References: <[🔎] VjAsiUmhIW6pI1UEIQdtslnt6DTWYZ__iv0iZgl-tKuN9x5m2cimMpDH_NRLNQDkSwJtA00tBsBE9wWEIGMqsbaYkp8SjHMl8R0MD92Wqwg=@proton.me>

Aline <patrick970vert@proton.me> (2025-05-28):
> ____________________________________________________________
> ls /etc/apt/trusted.gpg.d/
> debian-archive-bookworm-automatic.asc debian-archive-bullseye-automatic.asc debian-archive-trixie-automatic.asc
> debian-archive-bookworm-security-automatic.asc debian-archive-bullseye-security-automatic.asc debian-archive-trixie-security-automatic.asc
> debian-archive-bookworm-stable.asc debian-archive-bullseye-stable.asc debian-archive-trixie-stable.asc_____________________________________________________________
> It does not match :
> SHA256SUMS.signSHA512SUMS.sign
> 
> ------------------------------------------------------------------------------------------------------
> gpg --verify SHA256SUMS.sign debian-12.11.0-amd64-DVD-1.iso
> gpg: Signature faite le sam. 17 mai 2025 19:55:59 CEST
> gpg: avec la clef RSA DF9B9C49EAA9298432589D76DA87E80D6294BE9B
> gpg: MAUVAISE signature de « Debian CD signing key <debian-cd@lists.debian.org> » [inconnu]
> 
> gpg --verify SHA512SUMS.sign debian-12.11.0-amd64-DVD-1.iso
> gpg: Signature faite le sam. 17 mai 2025 19:55:59 CEST
> gpg: avec la clef RSA DF9B9C49EAA9298432589D76DA87E80D6294BE9Bgpg: MAUVAISE signature de « Debian CD signing key <debian-cd@lists.debian.org> » [inconnu]

https://www.debian.org/CD/verify is pretty explicit:

    Pour s'assurer que les fichiers de sommes de contrôle sont eux-mêmes
    corrects, utilisez une implémentation de OpenPGP (telle que GnuPG,
    Sequoia-PGP, PGPainless ou GopenPGP) pour les vérifier à l'aide des
    fichiers de signatures qui les accompagnent (par exemple
    SHA512SUMS.sign).

And both signatures are OK:

    kibi@tokyo:~$ gpg --verify SHA256SUMS.sign SHA256SUMS
    gpg: Signature made Sat 17 May 2025 19:55:59 CEST
    gpg:                using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
    gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>" [ultimate]

    kibi@tokyo:~$ gpg --verify SHA512SUMS.sign SHA512SUMS
    gpg: Signature made Sat 17 May 2025 19:55:59 CEST
    gpg:                using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
    gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>" [ultimate]


Cheers,
-- 
Cyril Brulebois (kibi@debian.org)            <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant

Attachment: signature.asc
Description: PGP signature

Reply to:

References:
- MAUVAISE SIGNATURE official release Debian12.11.0-amd64-DVD-1
  - From: Aline <patrick970vert@proton.me>

Prev by Date: MAUVAISE SIGNATURE official release Debian12.11.0-amd64-DVD-1
Next by Date: Re: tasksel vs. trixie?
Previous by thread: MAUVAISE SIGNATURE official release Debian12.11.0-amd64-DVD-1
Index(es):
- Date
- Thread