debian-cd@lists.debian.org Wednesday January 17 2018
the official cd_dvd amd64 stable/stretch are not authentic/can't be authentified : BAD https://cdimage.debian.org/debian-cd/current/amd64/iso-dvd/ - HTTP https://cdimage.debian.org/debian-cd/current/amd64/bt-dvd/ - TORRENT - LIVE DVD : idem you published the keys/iso without have checked before their validity/compatibility ? ALL THE KEYS ARE BAD (e.g.): gpg --verify sums512.sign sums512 gpg: Signature made Sun 10 Dec 2017 03:58:21 CET gpg: using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B gpg: Can't check signature: No public key gpg --keyserver keyring.debian.org --recv-key DF9B9C49EAA9298432589D76DA87E80D6294BE9B gpg: key DA87E80D6294BE9B: public key "Debian CD signing key <debian-cd@lists.debian.org>" imported gpg: no ultimately trusted keys found gpg: Total number processed: 1 gpg: imported: 1 Signature made Sun 10 Dec 2017 03:58:21 CET gpg: using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B gpg: BAD signature from "Debian CD signing key <debian-cd@lists.debian.org>" [un ******************************** gpg --verify MD5SUMS.sign MD5SUMS gpg: Signature made Sat 09 Dec 2017 09:58:24 PM EST GOOD SIGNATURE ******************************** it sounds that these errors compromise apt-transport-https_sks , trusted.gpg.d (missing keys) _ sources.list.save & maybe gpg but i am not certain of that. *keys have changed new Sun 10 Dec 2017_old Sat 09 Dec 2017. it is bizarre that before the linux security update the signature made Sat 09 Dec 2017 was good but today , it is bad. does not an updated-key remember its revoked-key one (same cd-key) ? should not it be written revoked instead of bad ? is something wrong in the keyring ? stolen-falsified keys/hacked site ? a segment-fault on a server ? fake debian.org site (i verified the cert(green) with the help of the calomel-addon & i did not notice something wrong.)? ______________________________________________________________________ 9.0. is not available (9.3 only ! ). could you put on line asap the debian 9.0.0. stretch stable or update 9.3.0. with the right keys ? _______________________________________________________________________ *or my gtkhash/cli is broken and reporting this is a big error but in case of doubt i do it , sorry. thx. [To make life easier for users, here are the fingerprints for the keys that have been used for releases in recent years:] pub 4096R/64E6EA7D 2009-10-03 Key fingerprint = 1046 0DAD 7616 5AD8 1FBC 0CE9 9880 21A9 64E6 EA7D uid Debian CD signing key <debian-cd@lists.debian.org> pub 4096R/6294BE9B 2011-01-05 Key fingerprint = DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B uid Debian CD signing key <debian-cd@lists.debian.org> sub 4096R/11CD9819 2011-01-05 pub 4096R/09EA8AC3 2014-04-15 Key fingerprint = F41D 3034 2F35 4669 5F65 C669 4246 8F40 09EA 8AC3 uid Debian Testing CDs Automatic Signing Key <debian-cd@lists.debian.org> sub 4096R/6BD05CFB 2014-04-15