Heuristics of gpg's output
stebe at mailbox.org
Sat Feb 13 23:22:48 CET 2016
> Ingo Klöcker <kloecker at kde.org> wrote on 13 February 2016 at 19:55:
>
>
> On Saturday 13 February 2016 18:20:09 stebe at mailbox.org wrote:
> > Hi,
> >
> > a few days ago I downloaded
> >
> >
> > http://gensho.acc.umu.se/cdimage/weekly-builds/amd64/iso-dvd/debian-testing-amd64-DVD-1.iso
> > Resolving hostname »gensho.acc.umu.se (gensho.acc.umu.se)«... 130.239.18.176, 2001:6b0:e:2018::176
> >
> > from a secondary mirror located in Sweden.
> >
> [snip]
> >
> > #verifying the signature I downloaded from that very server
> >
> > LC_ALL=C gpg2 --verify SHA256SUMS.sign debian-testing-amd64-DVD-1.iso
> > gpg: Signature made Mon Feb 8 08:31:22 2016 CET using RSA key ID 09EA8AC3
> > gpg: BAD signature from "Debian Testing CDs Automatic Signing Key <debian-cd at lists.debian.org>"
> >
> [snip]
> >
> > So, what does that information tell us?
> > Would that information suffice to think that the iso file is/was
> > compromised?
>
> It doesn't tell us anything because the signature does not belong to the
> iso file. The signature SHA256SUMS.sign belongs to the file SHA256SUMS
> which contains the SHA256 hashes for the iso files.
>
[snip]
Thanks, Ingo, for clarifying this.
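The two-step check Ingo describes, written out as an added example (not code from the thread or from Debian): verify the detached signature against SHA256SUMS, the file it actually covers, using gpg2's machine-readable `--status-fd` lines, and only then compare the ISO's SHA-256 with the entry in the signed list. File names follow the thread; the function names and the chunked hashing helper are choices made here.

```python
"""Verify a Debian ISO via its signed hash list: SHA256SUMS.sign covers
SHA256SUMS, not the ISO, so the ISO is checked against SHA256SUMS afterwards."""
import hashlib
import subprocess
import sys

def parse_gpg_status(status_text):
    """Reduce gpg --status-fd output to 'good', 'bad' or 'unknown'.
    GOODSIG only means the signature verifies against a key in the keyring;
    whether that key is the right one is a separate (trust) decision."""
    result = "unknown"
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue                      # human-readable noise, not status
        if parts[1] == "BADSIG":
            return "bad"                  # any BADSIG overrides everything else
        if parts[1] == "GOODSIG":
            result = "good"
    return result

def verify_sums_signature(sig_path="SHA256SUMS.sign", sums_path="SHA256SUMS"):
    """Run gpg2 on the file the signature belongs to (not the ISO)."""
    proc = subprocess.run(
        ["gpg2", "--status-fd", "1", "--verify", sig_path, sums_path],
        capture_output=True, text=True)
    return parse_gpg_status(proc.stdout)

def expected_hash(sums_text, filename):
    """Look up filename in sha256sum-style lines: '<hex>  <name>' or '<hex> *<name>'."""
    for line in sums_text.splitlines():
        fields = line.split(None, 1)
        if len(fields) == 2 and fields[1].lstrip("*") == filename:
            return fields[0].lower()
    return None                           # file not listed at all

def sha256_of_file(path):
    """Hash a large file in 1 MiB chunks so a DVD image fits in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def iso_matches_sums(sums_text, iso_path, iso_name):
    """True only if the ISO is listed and its SHA-256 equals the listed value."""
    want = expected_hash(sums_text, iso_name)
    return want is not None and want == sha256_of_file(iso_path)

if __name__ == "__main__":
    iso = sys.argv[1] if len(sys.argv) > 1 else "debian-testing-amd64-DVD-1.iso"
    if verify_sums_signature() != "good":
        sys.exit("SHA256SUMS signature is not GOOD; do not trust the hash list")
    with open("SHA256SUMS") as f:
        ok = iso_matches_sums(f.read(), iso, iso)
    print("ISO matches signed SHA256SUMS" if ok else "ISO hash MISMATCH")
```

`sha256sum -c --ignore-missing SHA256SUMS` does the second step on the command line; the point of the script is that the signature check and the hash check are two different operations on two different files.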