Heuristics of gpg's output

stebe at mailbox.org
Sat Feb 13 18:20:09 CET 2016


Hi,

a few days ago I downloaded


http://gensho.acc.umu.se/cdimage/weekly-builds/amd64/iso-dvd/debian-testing-amd64-DVD-1.iso
Resolving hostname »gensho.acc.umu.se (gensho.acc.umu.se)«...
130.239.18.176, 2001:6b0:e:2018::176

from a secondary mirror located in Sweden.

Before that I had installed a DNSSEC-capable DNS resolver as an
extension in my browser and set its standard URL as the standard DNS server in
my router. I did not activate the option that denies connections if no
DNSSEC record could be found/checked.

I looked for the available keys for the different CD releases by pointing my
browser at the Debian website (DNSSEC info says: OK)

pub   4096R/64E6EA7D 2009-10-03
  Primary key fingerprint = 1046 0DAD 7616 5AD8 1FBC  0CE9 9880 21A9 64E6 EA7D
uid                  Debian CD signing key <debian-cd at lists.debian.org>

pub   4096R/6294BE9B 2011-01-05
  Primary key fingerprint = DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B
uid                  Debian CD signing key <debian-cd at lists.debian.org>
sub   4096R/11CD9819 2011-01-05

pub   4096R/09EA8AC3 2014-04-15
  Primary key fingerprint = F41D 3034 2F35 4669 5F65  C669 4246 8F40 09EA 8AC3
uid                  Debian Testing CDs Automatic Signing Key <debian-cd at lists.debian.org>
sub   4096R/6BD05CFB 2014-04-15

the last one in the list being the key I was looking for.

#verifying the signature I downloaded from that very server

LC_ALL=C gpg2 --verify SHA256SUMS.sign debian-testing-amd64-DVD-1.iso
gpg: Signature made Mon Feb  8 08:31:22 2016 CET using RSA key ID 09EA8AC3
gpg: BAD signature from "Debian Testing CDs Automatic Signing Key <debian-cd at lists.debian.org>"
me at mymachine:/media/sdb1$ LC_ALL=C gpg2 --edit-key 09EA8AC3
gpg (GnuPG) 2.0.19; Copyright (C) 2012 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


pub  4096R/09EA8AC3  created: 2014-04-15  expires: never       usage: SC  
                     trust: unknown       validity: unknown
sub  4096R/6BD05CFB  created: 2014-04-15  expires: never       usage: E   
[ unknown] (1). Debian Testing CDs Automatic Signing Key <debian-cd at lists.debian.org>

gpg> fpr
pub   4096R/09EA8AC3 2014-04-15 Debian Testing CDs Automatic Signing Key <debian-cd at lists.debian.org>
 Primary key fingerprint: F41D 3034 2F35 4669 5F65  C669 4246 8F40 09EA 8AC3

So, what does that information tell us? 
Would that information suffice to think that the iso file is/was
compromised?
Would that information suffice to think that the server is/was
compromised?


What would such information tell us exactly?

I am trying to figure out what it does and what it does not tell us in order
to better understand the heuristic scope of gpg's output.


Any help, hint or assessment is appreciated.

Cheers,

Stebe
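
Added example, not part of Stebe's message and not Debian's own tooling.
A detached signature only ever covers the file it was made over; on the
Debian mirrors SHA256SUMS.sign is made over SHA256SUMS, so gpg --verify has
to be given that pair, and the ISO is then checked against the signed
checksum list with sha256sum. A BAD signature verdict by itself says only
that the signature packet does not verify over the bytes gpg was handed
under that key, which is exactly what happens when the bytes are a
different file than the one signed; it says nothing on its own about the
ISO or the mirror. The script below runs the intended flow, pins the
fingerprint copied from debian.org, and reads gpg's machine-readable
--status-fd lines so that "bad signature", "unknown key" and "good signature
from a different key" are told apart. Assumptions not on the page: gpg 2.x
and sha256sum are installed; SHA256SUMS, SHA256SUMS.sign and the ISO sit in
the current directory; the SAMPLE_BAD status lines are constructed from the
key ID in the post, not captured from a real run.

```shell
#!/bin/sh
# Added example (not from the original post or from Debian): verify a
# Debian ISO via its signed checksum list and interpret gpg's result.
# Assumed: gpg 2.x and sha256sum installed; SHA256SUMS, SHA256SUMS.sign
# and the ISO in the current directory.

# Fingerprint of the key the post copied from debian.org (09EA8AC3),
# spaces removed. Pinning it turns "a good signature" into
# "a good signature from the key we meant".
EXPECTED_FPR="F41D30342F3546695F65C66942468F4009EA8AC3"

# classify_status: read `gpg --status-fd 1` lines on stdin, print one word.
#   good-pinned    GOODSIG plus a VALIDSIG line naming EXPECTED_FPR
#   good-unpinned  GOODSIG, but not from the key we expected
#   bad            BADSIG: this signature does not cover these bytes under
#                  that key (also what you get when verifying the wrong file)
#   nokey          NO_PUBKEY: key not in the keyring, nothing was checked
#   error          ERRSIG or no recognisable status line at all
classify_status() {
    good=0; bad=0; nokey=0; pinned=0
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] GOODSIG "*)   good=1 ;;
            "[GNUPG:] BADSIG "*)    bad=1 ;;
            "[GNUPG:] NO_PUBKEY "*) nokey=1 ;;
            "[GNUPG:] VALIDSIG "*)
                # VALIDSIG carries the signing-key fingerprint as its first
                # argument and the primary-key fingerprint as its last;
                # accept a whole-field match in either position.
                case "$line" in
                    *" $EXPECTED_FPR "*|*" $EXPECTED_FPR") pinned=1 ;;
                esac ;;
        esac
    done
    if   [ "$bad" = 1 ]; then echo bad
    elif [ "$good" = 1 ] && [ "$pinned" = 1 ]; then echo good-pinned
    elif [ "$good" = 1 ]; then echo good-unpinned
    elif [ "$nokey" = 1 ]; then echo nokey
    else echo error
    fi
}

# verify_iso ISO: step 1 verifies the detached signature over the file it
# was made for (SHA256SUMS, not the ISO); step 2 checks the ISO against
# the now-authenticated checksum list.
verify_iso() {
    iso=$1
    verdict=$(gpg --batch --status-fd 1 --verify SHA256SUMS.sign SHA256SUMS 2>/dev/null \
              | classify_status)
    if [ "$verdict" != good-pinned ]; then
        echo "SHA256SUMS signature: $verdict (not trusting the checksum list)" >&2
        return 1
    fi
    grep -F -- " $iso" SHA256SUMS | sha256sum -c -
}

# Constructed sample of the status lines behind the post's "BAD signature"
# (long key ID 42468F4009EA8AC3 is the last 16 hex digits of the
# fingerprint above); not captured from a real run.
SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 42468F4009EA8AC3 Debian Testing CDs Automatic Signing Key <debian-cd@lists.debian.org>'

printf '%s\n' "$SAMPLE_BAD" | classify_status   # prints: bad
# With the real files present: verify_iso debian-testing-amd64-DVD-1.iso
```

Note that good-pinned still only means "signed by the key whose fingerprint
I pinned"; whether that fingerprint is the right one is settled by how you
obtained it (here, a DNSSEC-validated fetch from debian.org), not by gpg.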
