Hi,

Curt wrote:
> What is the difference between your output and the OP's?

naly...@airmail.nz reported with one of the checksum file pairs:
> > $ gpg --verify SHA512SUMS.sign SHA512SUMS
> > ...
> > gpg: BAD signature from "Debian CD signing key
> > <debian...@lists.debian.org>" [unknown]

The good ones were MD5SUMS, SHA1SUMS, and SHA256SUMS.

> Just the "[unknown]" after <debian...@lists.debian.org>?

This seems to be a statement by younger gpg versions.
I see this on my Sid VM.

> Isn't the crucial line "Good signature from "Debian CD signing key"

Yes. Plus the long
  Primary key fingerprint: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B
which should be in the list at
  https://www.debian.org/CD/verify

If it says "Good" but with a fingerprint that is not in the list, then
the suspicion of spoofing would be justified.
(A while ago i read about a spoof which pretended to have a key signed
by a list of GNU/Linux celebrities. The attacker managed to obtain own
keys with the same short 32-bit fingerprints as the alleged signers.)

In general i perceive PGP signing as hard to really fake but quite easy
to spoof. Too many confusing details are given and too much doubt remains
with really good signatures.
But it's the best authentication we have for now.

Steve McIntyre wrote:
> Both bitmessage.de and airmail.nz are actually just
> aliases for elude.in, and the message style of the two mails is very
> similar. I'm fairly confident it's the same person.

Spoofing is everywhere.

> If so, it's rather annoying when you try to help somebody with a
> problem *they're* having and they ignore you.

Some users are not helpful to themselves.
Some are just caught in their own view of the problem and do not accept
any idea of a different explanation.

> I'd like to understand how things are breaking here.

If it's not PEBKAC, then maybe some transport problem.
Thus my question about the MD5s of the checksum files.

Have a nice day :)

Thomas
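
Added example, not part of the message above: a check that accepts a signature only when gpg reports it as good AND the full primary key fingerprint matches the one quoted in the message, so a key that merely shares the short 32-bit ID is rejected. It parses the machine-readable lines that `gpg --status-fd 1 --verify` prints; the status lines, dates and the lookalike fingerprint below are constructed samples, and a single signature per file is assumed.

```python
# Fingerprint quoted in the message above, spaces removed.
TRUSTED_FPR = "DF9B9C49EAA9298432589D76DA87E80D6294BE9B"
# Constructed lookalike: different key, same last 8 hex digits (short ID).
LOOKALIKE_FPR = "0123456789ABCDEF0123456789ABCDEF6294BE9B"


def short_id(fpr):
    """32-bit short key ID = last 8 hex digits of a v4 fingerprint."""
    return fpr[-8:]


def verdict(status_text, trusted=frozenset({TRUSTED_FPR})):
    """Classify `gpg --status-fd` output as
    'trusted', 'untrusted-key', 'bad' or 'unverified'."""
    good, primary = False, None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # human-readable text is ignored on purpose
        keyword, *args = line.split()[1:]
        if keyword in ("BADSIG", "ERRSIG"):
            return "bad"
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG" and args:
            # With all 10 fields present the last one is the primary key
            # fingerprint; otherwise fall back to the signing key's.
            primary = (args[9] if len(args) >= 10 else args[0]).upper()
    if not (good and primary):
        return "unverified"  # expired/revoked key, or no signature seen
    return "trusted" if primary in trusted else "untrusted-key"


def sample_status(fpr, keyword="GOODSIG"):
    """Build constructed status output for one signature."""
    uid = "Debian CD signing key <debian...@lists.debian.org>"
    lines = [f"[GNUPG:] {keyword} {fpr[-16:]} {uid}"]
    if keyword == "GOODSIG":
        lines.append(f"[GNUPG:] VALIDSIG {fpr} 2019-01-01 1546300800 "
                     f"0 4 0 1 10 00 {fpr}")
    return "\n".join(lines)


if __name__ == "__main__":
    for label, text in [
        ("listed key", sample_status(TRUSTED_FPR)),
        ("same short ID, other key", sample_status(LOOKALIKE_FPR)),
        ("BAD signature", sample_status(TRUSTED_FPR, "BADSIG")),
    ]:
        print(f"{label}: {verdict(text)}")
```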