Heuristics of gpg's output
Stephan Beck
stebe at mailbox.org
Sun Feb 14 00:07:55 CET 2016
Ingo Klöcker:
> On Saturday 13 February 2016 18:20:09 stebe at mailbox.org wrote:
>> Hi,
>>
>> a few days ago I downloaded
[snip]
> It doesn't tell us anything because the signature does not belong to the
> iso file. The signature SHA256SUMS.sign belongs to the file SHA256SUMS
> which contains the SHA256 hashes for the iso files.
>
> In order to check the ISO file you have to verify the signature of the
> SHA256SUMS file, i.e.
>
> # gpg2 --verify SHA256SUMS.sign SHA256SUMS
>
> and then check the SHA256 hash of the iso file against the hash in the
> SHA256SUMS file, e.g. with
>
> # sha256sum debian-testing-amd64-DVD-1.iso && grep debian-testing-amd64-DVD-1.iso SHA256SUMS
>
LC_ALL=C gpg2 --verify SHA256SUMS.sign SHA256SUMS
gpg: Signature made Mon Feb 8 08:31:22 2016 CET using RSA key ID 09EA8AC3
gpg: Good signature from "Debian Testing CDs Automatic Signing Key <debian-cd at lists.debian.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: F41D 3034 2F35 4669 5F65 C669 4246 8F40 09EA 8AC3
me at mymachine:/path/to/iso$ LC_ALL=C sha256sum debian-testing-amd64-DVD-1.iso && grep debian-testing-amd64-DVD-1.iso SHA256SUMS
08f3fd4e3ea3df7711c4f120bd3fbf9df0238a8cfe89f6bea40db51e27622bd8  debian-testing-amd64-DVD-1.iso
08f3fd4e3ea3df7711c4f120bd3fbf9df0238a8cfe89f6bea40db51e27622bd8  debian-testing-amd64-DVD-1.iso
Everything ok!
Thanks again
Stebe
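
A scripted form of the two steps in this thread, as an added example that is not part of the original posts: it accepts the SHA256SUMS signature only when gpg's machine-readable VALIDSIG status names the primary key fingerprint printed in the output above, and it looks up the ISO's entry by exact file name instead of with grep. The function names, the script name and the sample status line are constructed for illustration.

```shell
#!/bin/sh
# Added example: pin the signing key by fingerprint, then check the ISO hash.
# Fingerprint as printed in the gpg output above; confirm it out of band.
EXPECTED_FPR=F41D30342F3546695F65C66942468F4009EA8AC3

# Constructed sample of a "gpg --status-fd" line (timestamp and algorithm ids are made up).
SAMPLE_STATUS="[GNUPG:] VALIDSIG $EXPECTED_FPR 2016-02-08 1454916682 0 4 0 1 8 00 $EXPECTED_FPR"

# Read status lines on stdin; print the primary key fingerprint (last VALIDSIG field).
validsig_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }'
}

# verify_sums SIGFILE SUMSFILE
# Succeeds only if the signature is good AND was made by EXPECTED_FPR.
# "Good signature" alone is reported for any key that is in the keyring.
verify_sums() {
    status=$(LC_ALL=C gpg2 --status-fd 1 --verify "$1" "$2" 2>/dev/null) || return 1
    [ "$(printf '%s\n' "$status" | validsig_fpr)" = "$EXPECTED_FPR" ]
}

# check_iso ISOFILE SUMSFILE
# Finds the entry whose name field equals the file name exactly (grep would
# also match longer names that contain it), then compares the hashes.
# Returns 0 on match, 1 on mismatch, 2 if the file has no entry.
check_iso() {
    name=$(basename "$1")
    want=$(awk -v n="$name" '$2 == n || $2 == ("*" n) { print $1; exit }' "$2")
    [ -n "$want" ] || return 2
    have=$(sha256sum "$1" | awk '{ print $1 }')
    [ "$have" = "$want" ]
}

# Usage (hypothetical script name): sh verify-iso.sh ISOFILE SHA256SUMS.sign SHA256SUMS
if [ "$#" -eq 3 ]; then
    verify_sums "$2" "$3" || { echo "signature check failed" >&2; exit 1; }
    check_iso "$1" "$3" || { echo "hash mismatch or no entry" >&2; exit 1; }
    echo "signature and hash OK"
fi
```
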