Re: mismatch 9.0-live & 9.3
On Fri 19 Jan 2018 at 14:17:15 (+0000), Curt wrote:
> On 2018-01-19, Thomas Schmitt <scdbackup@gmx.net> wrote:
> > Hi,
> >
> > i just did this
> >
> > wget https://cdimage.debian.org/mirror/cdimage/archive/9.0.0-live/amd64/iso-hybrid/SHA512SUMS.sign
> > wget https://cdimage.debian.org/mirror/cdimage/archive/9.0.0-live/amd64/iso-hybrid/SHA512SUMS
> > gpg --verify SHA512SUMS.sign SHA512SUMS
> >
> > The latter says
> > gpg: Signature made Sun 18 Jun 2017 02:32:31 AM CEST using RSA key ID 6294BE9B
> > gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>"
> > gpg: WARNING: This key is not certified with a trusted signature!
> > gpg: There is no indication that the signature belongs to the owner.
> > Primary key fingerprint: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B
>
> What is the difference between your output and the OP's?
>
> Just the "[unknown]" after <debian-cd@lists.debian.org>?
>
> Isn't the crucial line "Good signature from "Debian CD signing key"
> (which the OP obtained also in his output)?
>
> I'm reading the WARNING means GnuPG verified the key matches the
> signature but cannot guarantee the key really belongs to the developer.
>
> I'm uncertain about that extra '[unknown]' in the OP's ouput.
>
> Maybe I'm just not seeing or understand the obvious here (all these letters and
> numbers and keys and footprints and things).
Back in 2015 I made a HOWTO for fetching the installer. The pasted
output there had the [unknown] in it. I've no idea what it means.
--✂--------
And to validate the signature:
gpg (or gpg2) --verify SHA512SUMS.sign
gpg: assuming signed data in 'SHA512SUMS'
gpg: Signature made Sun 07 Jun 2015 17:31:48 CDT using RSA key ID 6294BE9B
gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B
where the fingerprint should be seen on https://www.debian.org/CD/verify
--✂--------
Cheers,
David.
Reply to: