Hi, a few days ago I downloaded
http://gensho.acc.umu.se/cdimage/weekly-builds/amd64/iso-dvd/debian-testing-amd64-DVD-1.iso

    Resolving hostname »gensho.acc.umu.se (gensho.acc.umu.se)«... 130.239.18.176, 2001:6b0:e:2018::176

from a secondary mirror located in Sweden. Before that I had installed a DNSSEC-capable DNS resolver as an extension in my browser and set its standard URL as the standard DNS server in my router. I did not activate the option that denies connections if no DNSSEC record could be found/checked.

I looked for the available keys for the different CD releases, pointing my browser to the Debian website (DNSSEC info says: OK):

    pub   4096R/64E6EA7D 2009-10-03
          Primary key fingerprint = 1046 0DAD 7616 5AD8 1FBC 0CE9 9880 21A9 64E6 EA7D
    uid   Debian CD signing key <[email protected]>

    pub   4096R/6294BE9B 2011-01-05
          Primary key fingerprint = DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B
    uid   Debian CD signing key <[email protected]>
    sub   4096R/11CD9819 2011-01-05

    pub   4096R/09EA8AC3 2014-04-15
          Primary key fingerprint = F41D 3034 2F35 4669 5F65 C669 4246 8F40 09EA 8AC3
    uid   Debian Testing CDs Automatic Signing Key <[email protected]>
    sub   4096R/6BD05CFB 2014-04-15

the last one in the list being the key I was looking for.

    # verifying the signature I downloaded from that very server
    LC_ALL=C gpg2 --verify SHA256SUMS.sign debian-testing-amd64-DVD-1.iso
    gpg: Signature made Mon Feb  8 08:31:22 2016 CET using RSA key ID 09EA8AC3
    gpg: BAD signature from "Debian Testing CDs Automatic Signing Key <[email protected]>"

    me@mymachine:/media/sdb1$ LC_ALL=C gpg2 --edit-key 09EA8AC3
    gpg (GnuPG) 2.0.19; Copyright (C) 2012 Free Software Foundation, Inc.
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.

    pub  4096R/09EA8AC3  created: 2014-04-15  expires: never       usage: SC
                         trust: unknown       validity: unknown
    sub  4096R/6BD05CFB  created: 2014-04-15  expires: never       usage: E
    [ unknown] (1). Debian Testing CDs Automatic Signing Key <[email protected]>

    gpg> fpr
    pub   4096R/09EA8AC3 2014-04-15 Debian Testing CDs Automatic Signing Key <[email protected]>
    Primary key fingerprint: F41D 3034 2F35 4669 5F65 C669 4246 8F40 09EA 8AC3

So, what does that information tell us? Would that information suffice to think that the iso file is/was compromised? Would that information suffice to think that the server is/was compromised? What would such information tell us exactly? I am trying to figure out what it does and what it does not tell us in order to better understand the heuristic scope of gpg's output.

Any help, hint or assessment is appreciated.

Cheers,
Stebe

_______________________________________________
Gnupg-users mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
