On Sun, Aug 10, 2014 at 10:34:21PM -0400, david...@ling.ohio-state.edu wrote:
> | $ gpgv --keyring /usr/share/keyrings/debian-keyring.gpg -vv -- SHA512SUMS.sign
> | gpgv: armor: BEGIN PGP SIGNATURE
> | gpgv: armor header: Version: GnuPG v1.4.12 (GNU/Linux)
> | :signature packet: algo 1, keyid DA87E80D6294BE9B
> | version 4, created 1406210061, md5len 0, sigclass 0x00
> | digest algo 8, begin of digest fc 43
> | hashed subpkt 2 len 4 (sig created 2014-07-24)
> | subpkt 16 len 8 (issuer key ID DA87E80D6294BE9B)
> | data: [4096 bits]
> | gpgv: assuming signed data in `SHA512SUMS'
> | gpgv: Signature made Thu 24 Jul 2014 09:54:21 AM EDT using RSA key ID 6294BE9B
> | gpgv: Can't check signature: public key not found
>
> This was not the outcome I was hoping for, but I am not sure what to
> do next.

Hello Wes,

It seems the key ID 6294BE9B is found in
/usr/share/keyring/debian-role-keys.gpg [1]; .iso should verify with that.

I was thinking of writing a three line paragraph to make the wiki [2] more
clear on the matter (i.e. provide the gpgv command with the specific file to
pass to --keyring), but after reading this:

    Official role keys have gradually replaced the use of personal keys
    belonging to developers. However, a decision was made not to go back
    and re-sign all the old releases that were already signed using the
    older keys.

I am unsure on whether Jessie and future releases will have their .iso signed
by a key from debian-keyring.gpg or debian-role-keys.gpg.

Can anyone shed light on the matter?

[1] http://anonscm.debian.org/cgit/keyring/keyring.git/tree/debian-role-keys-gpg
[2] http://www.debian.org/CD/verify
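
An added example, not part of the original message or of Debian's documentation: a POSIX sh helper that runs gpgv against an explicit list of candidate keyrings and reports which one actually verifies the signature, which is the question the thread turns on. The function name verify_with_keyrings and the GPGV override variable are hypothetical; pass only keyrings you trust, because gpgv treats every key in the given keyring as a trust anchor.

```shell
#!/bin/sh
# Added example. GPGV may be overridden (assumption: used only for testing).
GPGV="${GPGV:-gpgv}"

# verify_with_keyrings SIGFILE DATAFILE KEYRING...
#   Prints the first keyring under which SIGFILE verifies DATAFILE.
#   Returns 0 on a good signature,
#           1 if a keyring holds the key but the signature is BAD,
#           2 if no listed keyring could verify it (e.g. public key not found).
verify_with_keyrings() {
    if [ "$#" -lt 3 ]; then
        echo "usage: verify_with_keyrings SIGFILE DATAFILE KEYRING..." >&2
        return 64
    fi
    _sig=$1
    _data=$2
    shift 2

    for _kr in "$@"; do
        if [ ! -r "$_kr" ]; then
            echo "skipping unreadable keyring: $_kr" >&2
            continue
        fi
        # Name the signed file explicitly instead of letting gpgv guess it
        # ("assuming signed data in ..."), as in the quoted output.
        _rc=0
        "$GPGV" --keyring "$_kr" -- "$_sig" "$_data" >/dev/null 2>&1 || _rc=$?
        case $_rc in
            0)  printf '%s\n' "$_kr"
                return 0 ;;
            1)  # gpgv exits 1 when at least one signature is bad: stop here,
                # a different keyring must not be allowed to mask that.
                echo "BAD signature under $_kr" >&2
                return 1 ;;
            *)  echo "not verifiable with $_kr (gpgv exit $_rc)" >&2 ;;
        esac
    done
    return 2
}

# Usage (keyring paths are whatever your system provides, for example the
# debian-keyring.gpg and debian-role-keys.gpg files discussed in the thread):
#   verify_with_keyrings SHA512SUMS.sign SHA512SUMS KEYRING1 KEYRING2
```

After it prints a keyring, check the ISO itself against the now-verified SHA512SUMS file; the signature covers the checksum list, not the image.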