On Fri 19 Jan 2018 at 14:17:15 (+0000), Curt wrote:
> On 2018-01-19, Thomas Schmitt <scdbac...@gmx.net> wrote:
> > Hi,
> >
> > I just did this
> >
> >   wget https://cdimage.debian.org/mirror/cdimage/archive/9.0.0-live/amd64/iso-hybrid/SHA512SUMS.sign
> >   wget https://cdimage.debian.org/mirror/cdimage/archive/9.0.0-live/amd64/iso-hybrid/SHA512SUMS
> >   gpg --verify SHA512SUMS.sign SHA512SUMS
> >
> > The latter says
> >   gpg: Signature made Sun 18 Jun 2017 02:32:31 AM CEST using RSA key ID 6294BE9B
> >   gpg: Good signature from "Debian CD signing key <debian...@lists.debian.org>"
> >   gpg: WARNING: This key is not certified with a trusted signature!
> >   gpg:          There is no indication that the signature belongs to the owner.
> >   Primary key fingerprint: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B
>
> What is the difference between your output and the OP's?
>
> Just the "[unknown]" after <debian...@lists.debian.org>?
>
> Isn't the crucial line "Good signature from "Debian CD signing key"
> (which the OP obtained also in his output)?
>
> I'm reading the WARNING means GnuPG verified the key matches the
> signature but cannot guarantee the key really belongs to the developer.
>
> I'm uncertain about that extra '[unknown]' in the OP's output.
>
> Maybe I'm just not seeing or understanding the obvious here (all these letters
> and numbers and keys and footprints and things).

Back in 2015 I made a HOWTO for fetching the installer. The pasted
output there had the [unknown] in it. I've no idea what it means.

--✂--------
And to validate the signature:

gpg (or gpg2) --verify SHA512SUMS.sign
gpg: assuming signed data in 'SHA512SUMS'
gpg: Signature made Sun 07 Jun 2015 17:31:48 CDT using RSA key ID 6294BE9B
gpg: Good signature from "Debian CD signing key <debian...@lists.debian.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B

where the fingerprint should be seen on https://www.debian.org/CD/verify
--✂--------

Cheers,
David.
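
Added example, not part of the thread or of the HOWTO quoted in it: the fingerprint comparison the messages point to, done on gpg's machine-readable `--status-fd` output instead of by eye. The status lines in `sample_status` are constructed (timestamp and algorithm fields are made up), and `check_status` and `sample_status` are names chosen for this example.

```shell
#!/bin/sh
# Fingerprint quoted in the messages above, spaces removed. Compare it with
# https://www.debian.org/CD/verify before relying on it.
EXPECTED_FPR="DF9B9C49EAA9298432589D76DA87E80D6294BE9B"

# Reads `gpg --status-fd 1 --verify SHA512SUMS.sign SHA512SUMS` output on
# stdin, prints a one-line verdict, returns 0 only on a fingerprint match.
check_status() {
    expected=$1
    verdict="no-valid-signature"
    trust="none-reported"
    while read -r tag keyword rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case $keyword in
            VALIDSIG)
                # The last VALIDSIG field is the primary key fingerprint.
                if [ "${rest##* }" = "$expected" ]; then
                    verdict="fingerprint-match"
                else
                    verdict="fingerprint-mismatch"
                fi ;;
            BADSIG|ERRSIG)
                verdict="bad-signature"; break ;;
            TRUST_*)
                # Local keyring's trust in the key; this is reported
                # separately from whether the signature itself is good.
                trust=${keyword#TRUST_} ;;
        esac
    done
    echo "$verdict trust=$trust"
    [ "$verdict" = "fingerprint-match" ]
}

# Constructed status output for a good signature from a key that the local
# keyring has not certified (the case shown in the thread).
sample_status() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG DA87E80D6294BE9B Debian CD signing key <debian...@lists.debian.org>
[GNUPG:] VALIDSIG DF9B9C49EAA9298432589D76DA87E80D6294BE9B 2017-06-18 1497745951 0 4 0 1 8 00 DF9B9C49EAA9298432589D76DA87E80D6294BE9B
[GNUPG:] TRUST_UNDEFINED 0 pgp
EOF
}

sample_status | check_status "$EXPECTED_FPR"
```

With a real download, pipe `gpg --status-fd 1 --verify SHA512SUMS.sign SHA512SUMS 2>/dev/null` into `check_status "$EXPECTED_FPR"` in place of `sample_status`.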