Heuristics of gpg's output

Stephan Beck stebe at mailbox.org
Sun Feb 14 00:07:55 CET 2016

Ingo Klöcker:
> On Saturday 13 February 2016 18:20:09 stebe at mailbox.org wrote:
>> Hi,
>> a few days ago I downloaded

> It doesn't tell us anything because the signature does not belong to the 
> iso file. The signature SHA256SUMS.sign belongs to the file SHA256SUMS 
> which contains the SHA256 hashes for the iso files.
> In order to check the ISO file you have to verify the signature of the 
> SHA256SUMS file, i.e.
> # gpg2 --verify SHA256SUMS.sign SHA256SUMS
> and then check the SHA256 hash of the iso file against the hash in the 
> SHA256SUMS file, e.g. with
> # sha256sum debian-testing-amd64-DVD-1.iso && grep debian-testing-amd64-DVD-1.iso SHA256SUMS

LC_ALL=C gpg2 --verify SHA256SUMS.sign SHA256SUMS
gpg: Signature made Mon Feb  8 08:31:22 2016 CET using RSA key ID 09EA8AC3
gpg: Good signature from "Debian Testing CDs Automatic Signing Key <debian-cd at lists.debian.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the
Primary key fingerprint: F41D 3034 2F35 4669 5F65  C669 4246 8F40 09EA 8AC3
me at mymachine:/path/to/iso$ LC_ALL=C sha256sum debian-testing-amd64-DVD-1.iso && grep debian-testing-amd64-DVD-1.iso

Everything ok!

Thanks again
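
The two checks from this thread combined into one fail-closed script, as an added example that is not part of the original messages. It also pins the signing key, because the WARNING in the output above means gpg cannot tie the key to its owner, so "Good signature" only carries weight once the fingerprint matches one obtained from a trusted source. Assumptions: the function names are hypothetical, EXPECTED_FPR is copied from the gpg output above, the script runs in the directory holding the files, and file names in SHA256SUMS contain no spaces.

```shell
#!/bin/sh
# Added example: verify SHA256SUMS.sign over SHA256SUMS, then the ISO hash.
# EXPECTED_FPR is the fingerprint shown in the thread's gpg output; confirm it
# against a source you trust before relying on it.
EXPECTED_FPR="F41D30342F3546695F65C66942468F4009EA8AC3"

# Reads `gpg --status-fd 1` output on stdin. Succeeds only if a VALIDSIG line
# names the wanted primary key fingerprint (the last field of that line).
status_has_validsig() {
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && $NF == want { ok = 1 }
        END { exit !ok }'
}

# Checks the detached signature and pins the signing key. A bad signature, an
# unknown key or a missing gpg2 binary all yield no VALIDSIG line and fail.
verify_sums_signature() {   # usage: verify_sums_signature SHA256SUMS.sign SHA256SUMS
    LC_ALL=C gpg2 --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        status_has_validsig "$EXPECTED_FPR"
}

# Compares the file's SHA256 with its entry in the (already verified) sums file.
check_iso_hash() {          # usage: check_iso_hash SHA256SUMS file.iso
    want=$(awk -v f="$2" '$2 == f || $2 == ("*" f) { print $1; exit }' "$1")
    [ -n "$want" ] || return 1      # no entry for this file: fail closed
    have=$(sha256sum "$2" | awk '{ print $1 }')
    [ "$want" = "$have" ]
}

# Runs both steps in order; the hash is only trusted if the signature passed.
verify_iso() {              # usage: verify_iso SHA256SUMS.sign SHA256SUMS file.iso
    verify_sums_signature "$1" "$2" || { echo "signature check failed" >&2; return 1; }
    check_iso_hash "$2" "$3"        || { echo "hash check failed" >&2; return 1; }
    echo "OK: $3 matches signed $2"
}
```

Called as `verify_iso SHA256SUMS.sign SHA256SUMS debian-testing-amd64-DVD-1.iso`, it returns non-zero unless both the pinned-key signature check and the hash comparison pass.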

