Re: cannot find public key for verifying SHASUM file for debian live iso
On Mon, 11 Aug 2014, Francesco Ariis wrote:
On Sun, Aug 10, 2014 at 10:34:21PM -0400, davidson@ling.ohio-state.edu wrote:
| $ gpgv --keyring /usr/share/keyrings/debian-keyring.gpg -vv -- SHA512SUMS.sign
| gpgv: armor: BEGIN PGP SIGNATURE
| gpgv: armor header: Version: GnuPG v1.4.12 (GNU/Linux)
| :signature packet: algo 1, keyid DA87E80D6294BE9B
|         version 4, created 1406210061, md5len 0, sigclass 0x00
|         digest algo 8, begin of digest fc 43
|         hashed subpkt 2 len 4 (sig created 2014-07-24)
|         subpkt 16 len 8 (issuer key ID DA87E80D6294BE9B)
|         data: [4096 bits]
| gpgv: assuming signed data in `SHA512SUMS'
| gpgv: Signature made Thu 24 Jul 2014 09:54:21 AM EDT using RSA key ID 6294BE9B
| gpgv: Can't check signature: public key not found
This was not the outcome I was hoping for, but I am not sure what to
do next.
Hello Wes,
It seems the key ID 6294BE9B is found in
/usr/share/keyring/debian-role-keys.gpg [1]; the .iso should verify with that.
Francesco, thank you!
That worked much better:
| $ gpgv --keyring /usr/share/keyrings/debian-role-keys.gpg -vv -- SHA512SUMS.sign
| gpgv: armor: BEGIN PGP SIGNATURE
| gpgv: armor header: Version: GnuPG v1.4.12 (GNU/Linux)
| :signature packet: algo 1, keyid DA87E80D6294BE9B
|         version 4, created 1406210061, md5len 0, sigclass 0x00
|         digest algo 8, begin of digest fc 43
|         hashed subpkt 2 len 4 (sig created 2014-07-24)
|         subpkt 16 len 8 (issuer key ID DA87E80D6294BE9B)
|         data: [4096 bits]
| gpgv: assuming signed data in `SHA512SUMS'
| gpgv: Signature made Thu 24 Jul 2014 09:54:21 AM EDT using RSA key ID 6294BE9B
| gpgv: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>"
| gpgv: binary signature, digest algorithm SHA256
And the Debian CD signing key is a "role key", of course.  Makes
perfect sense, in retrospect, when I read this:
/usr/share/doc/debian-keyring/README
| What the keyrings are
| ---------------------
[snip]
|  o debian-role-keys.gpg
|
|     This is the keyring used to contain role account keys, such as
|     "ftp-master" (it contains the key used to sign the Release files
|     in the archive).
I am grateful for your help.
-wes
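The procedure the thread arrives at, as an added example that is not part of the original messages: try the role keyring before the developer keyring when checking the SHA512SUMS signature, and only then compare the image hash against the (now trusted) SHA512SUMS. The keyring paths are the ones named in the thread; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): the full two-step check. Step 1 verifies
# the detached signature on SHA512SUMS, trying the role keyring first and the
# developer keyring second (paths as named in the thread). Step 2 compares the
# image's SHA-512 with its entry in SHA512SUMS. Only step 1 ties the hash to
# Debian; a matching hash against an unsigned SHA512SUMS proves nothing.
KEYRINGS="/usr/share/keyrings/debian-role-keys.gpg /usr/share/keyrings/debian-keyring.gpg"

# verify_sums_signature SUMS SIG -> 0 if some keyring verifies SIG over SUMS,
# 2 if gpgv is not installed, 1 otherwise ("public key not found" included).
verify_sums_signature() {
    sums=$1; sig=$2
    command -v gpgv >/dev/null 2>&1 || { echo "gpgv not installed" >&2; return 2; }
    for kr in $KEYRINGS; do
        [ -r "$kr" ] || continue
        if gpgv --keyring "$kr" -- "$sig" "$sums" 2>/dev/null; then
            echo "signature on $sums verified with $kr"
            return 0
        fi
    done
    echo "no keyring verified $sig; do not trust $sums" >&2
    return 1
}

# verify_image_hash SUMS IMAGE -> 0 iff IMAGE's SHA-512 matches its SUMS entry.
# Accepts both "hash  name" and binary-mode "hash *name" lines.
verify_image_hash() {
    sums=$1; image=$2
    name=$(basename "$image")
    expected=$(awk -v n="$name" '$2 == n || $2 == ("*" n) { print $1; exit }' "$sums")
    [ -n "$expected" ] || { echo "$name not listed in $sums" >&2; return 1; }
    actual=$(sha512sum "$image" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "$name matches $sums"
    else
        echo "HASH MISMATCH for $name; discard the image" >&2
        return 1
    fi
}

# verify_debian_image SUMS SIG IMAGE: signature first, then hash.
verify_debian_image() {
    verify_sums_signature "$1" "$2" && verify_image_hash "$1" "$3"
}

if [ "$#" -eq 3 ]; then
    verify_debian_image "$@"
fi
```

Run as `sh verify.sh SHA512SUMS SHA512SUMS.sign debian-live-*.iso`; a non-zero exit from either step means the image must not be used.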
I was thinking of writing a three-line paragraph to make the wiki [2] clearer
on the matter (i.e. provide the gpgv command with the specific file
to pass to --keyring), but after reading this:
   Official role keys have gradually replaced the use of personal keys
   belonging to developers. However, a decision was made not to go back and
   re-sign all the old releases that were already signed using the older keys.
I am unsure whether Jessie and future releases will have their .iso signed
by a key from debian-keyring.gpg or debian-role-keys.gpg. Can anyone shed
light on the matter?
[1] http://anonscm.debian.org/cgit/keyring/keyring.git/tree/debian-role-keys-gpg
[2] http://www.debian.org/CD/verify