
Re: mismatch 9.0-live & 9.3



On 2018-01-19, Thomas Schmitt <scdbackup@gmx.net> wrote:
> Hi,
>
> I just did this
>
>   wget https://cdimage.debian.org/mirror/cdimage/archive/9.0.0-live/amd64/iso-hybrid/SHA512SUMS.sign
>   wget https://cdimage.debian.org/mirror/cdimage/archive/9.0.0-live/amd64/iso-hybrid/SHA512SUMS
>   gpg --verify SHA512SUMS.sign SHA512SUMS
>
> The latter says
>   gpg: Signature made Sun 18 Jun 2017 02:32:31 AM CEST using RSA key ID 6294BE9B
>   gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>"
>   gpg: WARNING: This key is not certified with a trusted signature!
>   gpg:          There is no indication that the signature belongs to the owner.
>   Primary key fingerprint: DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B

What is the difference between your output and the OP's?

Just the "[unknown]" after <debian-cd@lists.debian.org>?

Isn't the crucial line "Good signature from "Debian CD signing key"
(which the OP obtained also in his output)?

I'm reading the WARNING to mean GnuPG verified the key matches the
signature but cannot guarantee the key really belongs to the developer.

I'm uncertain about that extra '[unknown]' in the OP's output.

Maybe I'm just not seeing or understanding the obvious here (all these letters and
numbers and keys and footprints and things).

> Do the downloaded files match these MD5s ?
>
>   c9dde4f1020fc9caf650257a3bf3594f  SHA512SUMS.sign
>   02f3c8b79d9e1baa528271f091450da8  SHA512SUMS
>
> Have a nice day :)
>
> Thomas
>
>


-- 
“True terror is to wake up one morning and discover that your high school class
is running the country.” – Kurt Vonnegut
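
Added example, not part of the original message or of any Debian tooling: a shell check that reads gpg's machine-readable status output and accepts SHA512SUMS only when the signature is valid and was made by the key whose fingerprint appears in the output quoted above. The function names and the sample status lines are constructed for illustration, and the pinned fingerprint is assumed to have been confirmed against a source you trust.

```shell
#!/bin/sh
# Fingerprint from the "Primary key fingerprint" line quoted above, spaces removed.
# Assumption: you have confirmed this value against a source you trust.
EXPECTED_FPR="DF9B9C49EAA9298432589D76DA87E80D6294BE9B"

# Read gpg --status-fd lines on stdin. Succeed only if a VALIDSIG line names
# the pinned primary key (its last field) and no failure status was reported.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" { if (toupper($NF) == toupper(want)) ok = 1; else bad = 1 }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# Real use: verify_sums SHA512SUMS.sign SHA512SUMS
verify_sums() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_status "$EXPECTED_FPR"
}

# Constructed sample: good signature by the pinned key. TRUST_UNDEFINED is the
# status line that accompanies the "not certified with a trusted signature" WARNING.
sample_pinned_key() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG DA87E80D6294BE9B Debian CD signing key <debian-cd@lists.debian.org>
[GNUPG:] VALIDSIG DF9B9C49EAA9298432589D76DA87E80D6294BE9B 2017-06-18 1497745951 0 4 0 1 8 00 DF9B9C49EAA9298432589D76DA87E80D6294BE9B
[GNUPG:] TRUST_UNDEFINED 0 pgp
EOF
}

# Constructed sample: cryptographically good signature, but from a different key.
sample_other_key() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Debian CD signing key <debian-cd@lists.debian.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2017-06-18 1497745951 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
EOF
}

# Constructed sample: the file does not match the signature.
sample_bad_sig() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] BADSIG DA87E80D6294BE9B Debian CD signing key <debian-cd@lists.debian.org>
EOF
}
```

The second sample shows why the name in "Good signature from" is not sufficient by itself: anyone can put that user ID on a key, so the check compares the fingerprint instead.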

