On Saturday 13 February 2016 18:20:09 [email protected] wrote:
> Hi,
>
> a few days ago I downloaded
>
> http://gensho.acc.umu.se/cdimage/weekly-builds/amd64/iso-dvd/debian-testing-amd64-DVD-1.iso
> Resolving hostname »gensho.acc.umu.se (gensho.acc.umu.se)«... 130.239.18.176, 2001:6b0:e:2018::176
>
> from a secondary mirror located in Sweden.
> [snip]
>
> #verifying the signature I downloaded from that very server
>
> LC_ALL=C gpg2 --verify SHA256SUMS.sign debian-testing-amd64-DVD-1.iso
> gpg: Signature made Mon Feb 8 08:31:22 2016 CET using RSA key ID 09EA8AC3
> gpg: BAD signature from "Debian Testing CDs Automatic Signing Key <[email protected]>"
> [snip]
>
> So, what does that information tell us?
> Would that information suffice to think that the iso file is/was compromised?
It doesn't tell us anything because the signature does not belong to the iso file. The signature SHA256SUMS.sign belongs to the file SHA256SUMS, which contains the SHA256 hashes for the iso files.

In order to check the ISO file you have to verify the signature of the SHA256SUMS file, i.e.

    # gpg2 --verify SHA256SUMS.sign SHA256SUMS

and then check the SHA256 hash of the iso file against the hash in the SHA256SUMS file, e.g. with

    # sha256sum debian-testing-amd64-DVD-1.iso && grep debian-testing-amd64-DVD-1.iso SHA256SUMS

See also section "How can I verify my download is correct and exactly what has been created by Debian?" on http://ftp.acc.umu.se/cdimage/weekly-builds/amd64/iso-dvd/

Regards,
Ingo
_______________________________________________
Gnupg-users mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
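The two-step check Ingo describes, written out as a script. This is an added example, not code from the thread or from Debian: the file names and the key ID 09EA8AC3 are taken from the quoted gpg output, and the script only checks that the signature was made by that key. Whether that key is really Debian's has to be confirmed separately against the fingerprints Debian publishes, which the script cannot do for you. It also handles the two failure modes a practitioner meets here: gpg exits 0 for a good signature from any key in the keyring (trusted or not), so the signing key is compared explicitly, and an ISO that is simply absent from SHA256SUMS is reported as a failure rather than silently passing.

```shell
#!/bin/sh
# Added example, not from the thread: the two-step check Ingo describes.
# File names and the key ID 09EA8AC3 come from the thread; whether that key
# is Debian's must be confirmed from Debian's published fingerprints.
set -u

# Step 1: SHA256SUMS.sign is a detached signature over SHA256SUMS, so the
# signed file (not the ISO) is the second argument to --verify.
# gpg exits 0 for any good signature by a key in the keyring, even an
# untrusted one, so the signing key is also compared with the expected ID:
# the VALIDSIG status line carries the full fingerprint, whose trailing
# hex digits are the key ID gpg printed in the thread.
verify_sums_signature() {
    sums=$1 sig=$2 expected_keyid=$3
    if command -v gpg2 >/dev/null 2>&1; then gpg=gpg2; else gpg=gpg; fi
    # --status-fd 1 puts machine-readable status lines on stdout
    status=$("$gpg" --status-fd 1 --verify "$sig" "$sums" 2>/dev/null) || return 1
    case $status in
        *"[GNUPG:] VALIDSIG "*"$expected_keyid "*) return 0 ;;
    esac
    echo "good signature, but not from key $expected_keyid" >&2
    return 1
}

# Step 2: the hash of the ISO we have must equal the entry for its name in
# SHA256SUMS. Only that one line is used, so the other images listed in the
# file produce no noise, and an ISO that is not listed at all fails.
check_iso_hash() {
    iso=$1 sums=$2
    name=$(basename -- "$iso")
    # strip the "*" binary-mode marker some sums files carry, then match the name
    expected=$(awk -v n="$name" '{ sub(/^\*/, "", $2) } $2 == n { print tolower($1); exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "$name is not listed in $sums" >&2
        return 1
    fi
    actual=$(sha256sum -- "$iso" | awk '{ print tolower($1) }')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name matches SHA256SUMS"
        return 0
    fi
    echo "MISMATCH: $name does not match SHA256SUMS" >&2
    return 1
}

# Both steps in order: a bad signature stops before the hash is looked at,
# because a SHA256SUMS that did not verify proves nothing about the ISO.
verify_download() {
    sums=$1 sig=$2 iso=$3
    verify_sums_signature "$sums" "$sig" 09EA8AC3 || {
        echo "signature on $sums did not verify" >&2
        return 1
    }
    check_iso_hash "$iso" "$sums"
}

# usage: sh verify-iso.sh SHA256SUMS SHA256SUMS.sign debian-testing-amd64-DVD-1.iso
if [ "$#" -eq 3 ]; then
    verify_download "$1" "$2" "$3"
fi
```

The key-ID comparison is a substring match on the fingerprint in gpg's VALIDSIG line; with a short 8-digit ID such as 09EA8AC3 that is only a sanity check, so import Debian's signing key from a source you trust and compare the whole fingerprint there. Running the verification against the mirror's own SHA256SUMS.sign is fine: the signature is what ties the file to Debian's key, not the server it was fetched from.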
