Heuristics of gpg's output
Ingo Klöcker
kloecker at kde.org
Sat Feb 13 19:55:02 CET 2016
On Saturday 13 February 2016 18:20:09 stebe at mailbox.org wrote:
> Hi,
>
> a few days ago I downloaded
>
>
> http://gensho.acc.umu.se/cdimage/weekly-builds/amd64/iso-dvd/debian-testing-amd64-DVD-1.iso
> Resolving hostname »gensho.acc.umu.se (gensho.acc.umu.se)«... 130.239.18.176, 2001:6b0:e:2018::176
>
> from a secondary mirror located in Sweden.
>
[snip]
>
> #verifying the signature I downloaded from that very server
>
> LC_ALL=C gpg2 --verify SHA256SUMS.sign debian-testing-amd64-DVD-1.iso
> gpg: Signature made Mon Feb 8 08:31:22 2016 CET using RSA key ID 09EA8AC3
> gpg: BAD signature from "Debian Testing CDs Automatic Signing Key <debian-cd at lists.debian.org>"
>
[snip]
>
> So, what does that information tell us?
> Would that information suffice to think that the iso file is/was
> compromised?
It doesn't tell us anything because the signature does not belong to the
iso file. The signature SHA256SUMS.sign belongs to the file SHA256SUMS
which contains the SHA256 hashes for the iso files.
In order to check the ISO file you have to verify the signature of the
SHA256SUMS file, i.e.
# gpg2 --verify SHA256SUMS.sign SHA256SUMS
and then check the SHA256 hash of the iso file against the hash in the
SHA256SUMS file, e.g. with
# sha256sum debian-testing-amd64-DVD-1.iso && grep debian-testing-amd64-DVD-1.iso SHA256SUMS
See also section "How can I verify my download is correct and exactly
what has been created by Debian?" on
http://ftp.acc.umu.se/cdimage/weekly-builds/amd64/iso-dvd/
Regards,
Ingo
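As an added example (not code from Ingo's message or from the Debian project), the two-step check above as a POSIX shell script: it verifies the detached signature on SHA256SUMS by reading gpg's machine-readable --status-fd lines rather than the localized "BAD signature" text, then compares the ISO's hash against its entry in the signed list. It assumes GNU coreutils sha256sum and gpg2 on the PATH; the file names come from the thread, the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes GNU coreutils sha256sum
# and gpg2 on PATH; SHA256SUMS.sign, SHA256SUMS and the ISO name are from
# the thread, the function names are hypothetical.

# Read gpg --status-fd lines on stdin. Status lines are stable and not
# localized, unlike the "BAD signature" text the poster was reading.
# Succeed only on GOODSIG plus VALIDSIG with no failure status line.
gpg_status_ok() {
    status=$(cat)
    if printf '%s\n' "$status" |
        grep -qE '^\[GNUPG:\] (BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY)'; then
        return 1
    fi
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG ' &&
        printf '%s\n' "$status" | grep -q '^\[GNUPG:\] VALIDSIG '
}

# Step 1: the detached signature covers the checksum file, not the ISO.
verify_sums_signature() {
    gpg2 --status-fd 1 --verify "$1" "$2" 2>/dev/null | gpg_status_ok
}

# Step 2: compare the ISO's SHA-256 against its entry in the signed list.
# Fails if the ISO has no entry (a renamed or unlisted file is not
# verified by the list at all) or if the hash differs.
check_iso_hash() {
    sums=$1; iso=$2
    line=$(awk -v f="$iso" '$2 == f' "$sums")
    [ -n "$line" ] || return 1
    printf '%s\n' "$line" | sha256sum --check --status -
}

verify_iso() {
    verify_sums_signature SHA256SUMS.sign SHA256SUMS ||
        { echo "SHA256SUMS signature did not verify" >&2; return 1; }
    check_iso_hash SHA256SUMS "$1" ||
        { echo "$1: hash mismatch or not listed in SHA256SUMS" >&2; return 1; }
    echo "$1: signature and hash OK"
}

# Usage: sh verify-iso.sh debian-testing-amd64-DVD-1.iso
[ "$#" -eq 0 ] || verify_iso "$1"
```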