I am giving up and will proceed with the netinst. Thanks everyone for
the many helpful comments and recommendations.
I stripped the spaces from the fingerprint and equated it RSA key. They
matched. So every thing is correct until the last step
Dragonette:/home/tom/Downloads/debian# gpg2 --verify SHA512SUMS.sign.txt
debian-11.5.0-amd64-netinst.iso
gpg: Signature made Sat 10 Sep 2022 07:00:08 PM EDT
gpg: using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
gpg: BAD signature from "Debian CD signing key
<debian...@lists.debian.org>" [unknown]
Note: I used SHA512SUMS.sign.txt and SHA512SUMS.txt in all the previous
successful verifications as that it is the way they were downloaded from
the Debian site.
Tom George
On 11/16/22 10:19, Thomas Schmitt wrote:
Hi,
i managed to produce a rare self-misattribution by copy+paste:
-------------------------------------------------------------------------
the program gpg writes about the Debian CD signing key DA87E80D6294BE9B :
WARNING: This key is not certified with a trusted signature!
There is no indication that the signature belongs to the owner
I wrote:
This is a security usability problem. How is a non-expert to know that
this warning can be ignored, while others must be tended to?
Jeffrey Walton wrote:
This is a security usability problem. How is a non-expert to know that
this warning can be ignored, while others must be tended to?
-------------------------------------------------------------------------
My part should of course have been different from Jeffrey Walton's:
I wrote:
> > The warning is normal with the Debian keys and can be ignored.
Have a nice day :)
Thomas
