I downloaded debian-12.1.0-amd64-DVD-1.iso, SHA512SUMS, and
SHA512SUMS.sign files from
https://cdimage.debian.org/debian-cd/current/amd64/iso-dvd/.
$ sha512sum -c SHA512SUMS gives me OK. So the image is fine.
However verifying the signatures fails.
$ gpg --verify SHA512SUMS.sign SHA512SUMS
gpg: Signature made Sat 10 Sep 2022 07:00:46 PM EDT
gpg: using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
gpg: Can't check signature: No public key
I downloaded the required key:
$ wget -c "https://www.debian.org/CD/key-DA87E80D6294BE9B.txt"
and imported it:
$ gpg --import key-DA87E80D6294BE9B.txt
When repeated verification get this:
gpg --verify SHA512SUMS.sign SHA512SUMS
gpg: Signature made Sat 22 Jul 2023 01:04:11 PM EDT
gpg: using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
gpg: BAD signature from "Debian CD signing key
<debian-cd@lists.debian.org>" [unknown]
Can anybody explain it. I do not see what I'm doing wrong here.
Thanks.