[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: MAUVAISE SIGNATURE official release Debian12.11.0-amd64-DVD-1



Aline <patrick970vert@proton.me> (2025-05-28):
> ____________________________________________________________
> ls /etc/apt/trusted.gpg.d/
> debian-archive-bookworm-automatic.asc debian-archive-bullseye-automatic.asc debian-archive-trixie-automatic.asc
> debian-archive-bookworm-security-automatic.asc debian-archive-bullseye-security-automatic.asc debian-archive-trixie-security-automatic.asc
> debian-archive-bookworm-stable.asc debian-archive-bullseye-stable.asc debian-archive-trixie-stable.asc_____________________________________________________________
> It does not match :
> SHA256SUMS.signSHA512SUMS.sign
> 
> ------------------------------------------------------------------------------------------------------
> gpg --verify SHA256SUMS.sign debian-12.11.0-amd64-DVD-1.iso
> gpg: Signature faite le sam. 17 mai 2025 19:55:59 CEST
> gpg: avec la clef RSA DF9B9C49EAA9298432589D76DA87E80D6294BE9B
> gpg: MAUVAISE signature de « Debian CD signing key <debian-cd@lists.debian.org> » [inconnu]
> 
> gpg --verify SHA512SUMS.sign debian-12.11.0-amd64-DVD-1.iso
> gpg: Signature faite le sam. 17 mai 2025 19:55:59 CEST
> gpg: avec la clef RSA DF9B9C49EAA9298432589D76DA87E80D6294BE9Bgpg: MAUVAISE signature de « Debian CD signing key <debian-cd@lists.debian.org> » [inconnu]

https://www.debian.org/CD/verify is pretty explicit:

    Pour s'assurer que les fichiers de sommes de contrôle sont eux-mêmes
    corrects, utilisez une implémentation de OpenPGP (telle que GnuPG,
    Sequoia-PGP, PGPainless ou GopenPGP) pour les vérifier à l'aide des
    fichiers de signatures qui les accompagnent (par exemple
    SHA512SUMS.sign).

And both signatures are OK:

    kibi@tokyo:~$ gpg --verify SHA256SUMS.sign SHA256SUMS
    gpg: Signature made Sat 17 May 2025 19:55:59 CEST
    gpg:                using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
    gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>" [ultimate]

    kibi@tokyo:~$ gpg --verify SHA512SUMS.sign SHA512SUMS
    gpg: Signature made Sat 17 May 2025 19:55:59 CEST
    gpg:                using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
    gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>" [ultimate]


Cheers,
-- 
Cyril Brulebois (kibi@debian.org)            <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant

Attachment: signature.asc
Description: PGP signature


Reply to: