
Re: mismatch 9.0-live & 9.3



On Fri 19 Jan 2018 at 14:17:15 (+0000), Curt wrote:
> On 2018-01-19, Thomas Schmitt <scdbackup@gmx.net> wrote:
> > Hi,
> >
> > I just did this
> >
> >   wget https://cdimage.debian.org/mirror/cdimage/archive/9.0.0-live/amd64/iso-hybrid/SHA512SUMS.sign
> >   wget https://cdimage.debian.org/mirror/cdimage/archive/9.0.0-live/amd64/iso-hybrid/SHA512SUMS
> >   gpg --verify SHA512SUMS.sign SHA512SUMS
> >
> > The latter says
> >   gpg: Signature made Sun 18 Jun 2017 02:32:31 AM CEST using RSA key ID 6294BE9B
> >   gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>"
> >   gpg: WARNING: This key is not certified with a trusted signature!
> >   gpg:          There is no indication that the signature belongs to the owner.
> >   Primary key fingerprint: DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B
> 
> What is the difference between your output and the OP's?
> 
> Just the "[unknown]" after <debian-cd@lists.debian.org>?
> 
> Isn't the crucial line "Good signature from "Debian CD signing key"
> (which the OP obtained also in his output)?
> 
> I'm reading the WARNING means GnuPG verified the key matches the
> signature but cannot guarantee the key really belongs to the developer.
> 
> I'm uncertain about that extra '[unknown]' in the OP's output.
> 
> Maybe I'm just not seeing or understanding the obvious here (all these letters and
> numbers and keys and footprints and things).

Back in 2015 I made a HOWTO for fetching the installer. The pasted
output there had the [unknown] in it. I've no idea what it means.

--✂--------

And to validate the signature:

gpg (or gpg2) --verify SHA512SUMS.sign
gpg: assuming signed data in 'SHA512SUMS'
gpg: Signature made Sun 07 Jun 2015 17:31:48 CDT using RSA key ID 6294BE9B
gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B

where the fingerprint should be seen on https://www.debian.org/CD/verify

--✂--------

Cheers,
David.
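
An added example, not part of David's message or the HOWTO he quotes: a shell helper that decides on gpg's machine-readable `--status-fd` lines and compares the key against the fingerprint shown above, instead of reading the "Good signature" text by eye. `check_status` and `sample_status` are hypothetical names and the status lines are a constructed sample; on the status interface the "not certified with a trusted signature" warning appears as `TRUST_UNDEFINED`.

```shell
#!/bin/sh
# Added example: judge the result from gpg's status lines, not its prose.
# Real use (the key must already be in the keyring):
#   gpg --status-fd 1 --verify SHA512SUMS.sign SHA512SUMS 2>/dev/null |
#       check_status "DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B"

# check_status EXPECTED_FINGERPRINT   (hypothetical helper, reads stdin)
# Prints one verdict line; returns 0 only if a VALIDSIG line names the
# expected primary key and no failure status was seen.
check_status() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = $2 }
        # The last VALIDSIG field is the primary key fingerprint when it
        # is present; otherwise fall back to the signing key (field 3).
        $2 == "VALIDSIG" { fpr = toupper((NF >= 12) ? $NF : $3) }
        $2 ~ /^TRUST_/   { trust = $2 }
        END {
            if (bad != "")   { print "FAIL " bad; exit 1 }
            if (fpr == "")   { print "FAIL no VALIDSIG"; exit 1 }
            if (fpr != want) { print "FAIL unexpected key " fpr; exit 1 }
            print "OK " fpr " " (trust == "" ? "TRUST_NOT_REPORTED" : trust)
        }'
}

# Constructed sample of status output for a good signature made by a key
# that is present in the keyring but not certified by the user.
sample_status() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG DA87E80D6294BE9B Debian CD signing key <debian-cd@lists.debian.org>
[GNUPG:] VALIDSIG DF9B9C49EAA9298432589D76DA87E80D6294BE9B 2017-06-18 1497745951 0 4 0 1 10 00 DF9B9C49EAA9298432589D76DA87E80D6294BE9B
[GNUPG:] TRUST_UNDEFINED 0 pgp
EOF
}

sample_status | check_status "DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B"
```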

