On Sun, Aug 10, 2014 at 10:34:21PM -0400, davidson@ling.ohio-state.edu wrote:
> | $ gpgv --keyring /usr/share/keyrings/debian-keyring.gpg -vv -- SHA512SUMS.sign
> | gpgv: armor: BEGIN PGP SIGNATURE
> | gpgv: armor header: Version: GnuPG v1.4.12 (GNU/Linux)
> | :signature packet: algo 1, keyid DA87E80D6294BE9B
> | version 4, created 1406210061, md5len 0, sigclass 0x00
> | digest algo 8, begin of digest fc 43
> | hashed subpkt 2 len 4 (sig created 2014-07-24)
> | subpkt 16 len 8 (issuer key ID DA87E80D6294BE9B)
> | data: [4096 bits]
> | gpgv: assuming signed data in `SHA512SUMS'
> | gpgv: Signature made Thu 24 Jul 2014 09:54:21 AM EDT using RSA key ID 6294BE9B
> | gpgv: Can't check signature: public key not found
>
> This was not the outcome I was hoping for, but I am not sure what to
> do next.
Hello Wes,
It seems the key ID 6294BE9B is found in
/usr/share/keyring/debian-role-keys.gpg [1]; .iso should verify with that.
I was thinking of writing a three line paragraph to make the wiki [2] more
clear on the matter (i.e. provide the gpgv command with the specific file
to pass to --keyring), but after reading this:
Official role keys have gradually replaced the use of personal keys
belonging to developers. However, a decision was made not to go back and
re-sign all the old releases that were already signed using the older keys.
I am unsure on whether Jessie and future releases will have their .iso signed
by a key from debian-keyring.gpg or debian-role-keys.gpg. Can anyone shed
light on the matter?
[1] http://anonscm.debian.org/cgit/keyring/keyring.git/tree/debian-role-keys-gpg
[2] http://www.debian.org/CD/verify
Attachment:
signature.asc
Description: Digital signature