
Re: Help: debian-12.10.0-amd64-netinst.iso authenticity test



After several attempts it is suspected that the SHA512SUMS and SHA512SUMS.sign files have been corrupted by the copy and paste process, so these files are downloaded directly from the browser by right-clicking the download links on the web page https://www.debian.org/download and selecting the "Save link as" command.

Third authenticity check attempt:

PS C:\Users\CP\Documents\Linux\Debian12.10.0\VersioneHTTP> gpg --verify SHA512SUMS.sign SHA512SUMS.txt
gpg: Firma effettuata 03/15/25 21:33:08 ora solare Europa occidentale
gpg:                utilizzando la chiave RSA DF9B9C49EAA9298432589D76DA87E80D6294BE9B
gpg: Firma valida da "Debian CD signing key <debian-cd@lists.debian.org>" [sconosciuto]
gpg: ATTENZIONE: questa chiave non è certificata con una firma fidata!
gpg:          Non ci sono indicazioni che la firma appartenga al proprietario.
Impronta digitale della chiave primaria: DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B

Authenticity check succeeded but the result is the following:

Valid signature from "Debian CD signing key <debian-cd@lists.debian.org>" [unknown]
WARNING: this key is not certified with a trusted signature!
There is no indication that the signature belongs to the owner.

Conclusion: I am really very perplexed by the outcome of this authenticity check of the file debian-12.10.0-amd64-netinst.iso: all these commands and attempts to arrive at what? To the sentence "WARNING: this key is not certified with a trusted signature! There is no indication that the signature belongs to the owner."???? What does all this mean? That there is no way to have a certification of the authenticity of the file debian-12.10.0-amd64-netinst.iso? Or is there still something to clarify regarding the selection of the key?

Thanks!

PA



From: Thomas Schmitt
Sent: Friday, 28 March 2025 18:04
To: debian-user@lists.debian.org
Cc: pierantonio.corradini@gmail.com
Subject: Re: Help: debian-12.10.0-amd64-netinst.iso authenticity test

Hi,

I realize that I posted the content of the wrong SHA512SUMS file.
The one I posted was from debian 12.7.0.
Nevertheless the SHA512 sums which I posted earlier are of the files
from 12.10.0 which I downloaded yesterday.


Pier Antonio Corradini wrote:
> The content of these links, seen now, is the following:
> cb089def0684fd93c9c2fbe45fd16ecc809c949a6fd0c91ee199faefe7d4b82b64658a264a13109d59f1a40ac3080be2f7bd3d8bf3e9cdf509add6d72576a79b  debian-12.10.0-amd64-netinst.iso
> 71d4c4e2ea7b617362875a74eb007308ae577ebe4b02ffeb626f1d12eaf412567d1d1816dbdbbb84cfaa38a205c13abf317ec227e5b2df9c982979698909889c  debian-edu-12.10.0-amd64-netinst.iso
> 269e64d2a379429905cf95191036cc53fdc148c624af68386d3a238f5fe2c5b03e3732706eaac175303b1fe327f691dc50faf8d65665781d6bcbbabf072559fa  debian-mac-12.10.0-amd64-netinst.iso

These checksums match what I see in my downloaded SHA512SUMS file of
debian-12.10.0 netinst. (Not the one from 12.7.0.)

So if the check run from your initial mail indicates a matching SHA512
checksum of the .iso file in the SHA512SUMS file and if you believe my
word, then your ISO image is good.

The trust in my word could be replaced by unaltered files SHA512SUMS
and SHA512SUMS.sign and a successful gpg --verify run.
But I cannot give advice how to achieve this in a MS-Windows
environment.


Have a nice day :)

Thomas
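
The full chain discussed in this thread (signature on the checksum file, identity of the signing key, checksum of the ISO) as one PowerShell script; this is an added example, not written by either poster. The gpg warning only says that the local keyring holds no certification path for the key, so the script instead pins the primary-key fingerprint that gpg printed above. Assumptions: the file names are the ones used in the thread, they sit in the current directory, and the reader has compared the fingerprint with the one Debian publishes at https://www.debian.org/CD/verify.

```powershell
# Added example. File names as used in the thread; run from the download folder.
$Iso  = 'debian-12.10.0-amd64-netinst.iso'
$Sums = 'SHA512SUMS.txt'
$Sig  = 'SHA512SUMS.sign'

# Fingerprint shown by gpg in the thread. Assumption: you have compared it
# yourself with the value published at https://www.debian.org/CD/verify
$ExpectedFpr = 'DF9B9C49EAA9298432589D76DA87E80D6294BE9B'

# 1. Verify the signature on the checksum file.
#    --status-fd 1 prints machine-readable status lines on stdout, which do
#    not change with the gpg locale (the human-readable text goes to stderr).
$status   = & gpg --status-fd 1 --verify $Sig $Sums
$validsig = @($status) -match '^\[GNUPG:\] VALIDSIG ' | Select-Object -First 1
if (-not $validsig) {
    throw "gpg reported no valid signature on $Sums"
}

# 2. Pin the signer: the last field of VALIDSIG is the primary-key fingerprint.
$primaryFpr = ($validsig -split ' ')[-1]
if ($primaryFpr -ne $ExpectedFpr) {
    throw "Checksum file was signed by an unexpected key: $primaryFpr"
}

# 3. Find the ISO's line in the (now authenticated) checksum file.
#    Line format: <128 hex digits><two spaces><file name>
$pattern = '^[0-9a-f]{128}\s+\*?' + [regex]::Escape($Iso) + '$'
$entry   = Get-Content $Sums | Where-Object { $_ -match $pattern } | Select-Object -First 1
if (-not $entry) {
    throw "$Iso is not listed in $Sums"
}
$listedHash = ($entry -split '\s+')[0]

# 4. Hash the downloaded ISO and compare (-ne is case-insensitive for strings,
#    so the upper-case output of Get-FileHash matches the lower-case list).
$actualHash = (Get-FileHash -Path $Iso -Algorithm SHA512).Hash
if ($actualHash -ne $listedHash) {
    throw "SHA512 mismatch for $Iso"
}

"OK: $Iso matches $Sums, which carries a valid signature from $primaryFpr"
```

Any failed step stops the script with an error; only a run that reaches the final line has checked all three links.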

