Hi, Thomas George wrote: > I thought to skip this step and tried > gpg --verify SHA515SUMS.sign.txt debian-11.5.0-amd64-netinst.iso
That's not the right way. SHA515SUMS.sign verifies SHA515SUMS SHA515SUMS verifies debian-11.5.0-amd64-netinst.iso The latter step can be done by this command in the directory where SHA515SUMS and debian-11.5.0-amd64-netinst.iso have been downloaded: sha512sum -c SHA515SUMS This is supposed to report: debian-11.5.0-amd64-netinst.iso: OK sha512sum: debian-edu-11.5.0-amd64-netinst.iso: No such file or directory debian-edu-11.5.0-amd64-netinst.iso: FAILED open or read sha512sum: debian-mac-11.5.0-amd64-netinst.iso: No such file or directory debian-mac-11.5.0-amd64-netinst.iso: FAILED open or read sha512sum: WARNING: 2 listed files could not be read The errors and warnings are emitted because only one of the listed ISOs was downloaded. Decisive is the line debian-11.5.0-amd64-netinst.iso: OK ---------------------------------------------------------------------- Having the necessary public keys i get from the first verification step gpg --verify SHA512SUMS.sign SHA512SUMS this report gpg: Signature made Sun 11 Sep 2022 01:00:08 AM CEST using RSA key ID 6294BE9B gpg: Good signature from "Debian CD signing key <debian...@lists.debian.org>" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B Untested proposal: If none of the method given so far work for getting that public key, i would try the link in line pub rsa4096/DA87E80D6294BE9B 2011-01-05 [SC] of https://www.debian.org/CD/verify I.e. wget https://www.debian.org/CD/key-DA87E80D6294BE9B.txt and then gpg --import key-DA87E80D6294BE9B.txt (I will not try this gpg --import step here, out of superstition not to change things which already work. There are many web sites which show such examples. Like: https://linuxhint.com/export-import-keys-with-gpg/ ) Have a nice day :) Thomas