> Ingo Klöcker <[email protected]> wrote on 13 February 2016 at 19:55:
>
> On Saturday 13 February 2016 18:20:09 [email protected] wrote:
> > Hi,
> >
> > a few days ago I downloaded
> >
> > http://gensho.acc.umu.se/cdimage/weekly-builds/amd64/iso-dvd/debian-testing-amd64-DVD-1.iso
> > Resolving hostname »gensho.acc.umu.se (gensho.acc.umu.se)«... 130.239.18.176, 2001:6b0:e:2018::176
> >
> > from a secondary mirror located in Sweden.
>
> [snip]
>
> > #verifying the signature I downloaded from that very server
> >
> > LC_ALL=C gpg2 --verify SHA256SUMS.sign debian-testing-amd64-DVD-1.iso
> > gpg: Signature made Mon Feb 8 08:31:22 2016 CET using RSA key ID 09EA8AC3
> > gpg: BAD signature from "Debian Testing CDs Automatic Signing Key <[email protected]>"
>
> [snip]
>
> > So, what does that information tell us?
> > Would that information suffice to think that the iso file is/was
> > compromised?
>
> It doesn't tell us anything because the signature does not belong to the
> iso file. The signature SHA256SUMS.sign belongs to the file SHA256SUMS
> which contains the SHA256 hashes for the iso files.
>
> [snip]

Thanks, Ingo, for clarifying this.
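
The two-step check described in the reply above, as an added example that is not part of the original thread: first verify SHA256SUMS.sign against SHA256SUMS, then compare the image against its entry in that file. The function names are hypothetical, and the example assumes the Debian CD signing key is already in the keyring with its fingerprint checked out of band.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. The detached signature covers the
# file SHA256SUMS; SHA256SUMS in turn carries the hash of each image.

# Step 1: is SHA256SUMS.sign a good signature over SHA256SUMS?
# (Assumes the signing key is already imported and trusted.)
verify_sums_signature() {
    local sig="$1" sums="$2"
    LC_ALL=C gpg2 --verify "$sig" "$sums"
}

# Step 2: compare the image with its entry in SHA256SUMS.
# Returns 0 on match, 1 on mismatch, 2 if the image is not listed exactly once.
check_listed_hash() {
    local sums="$1" image="$2" name expected actual
    name=$(basename -- "$image")
    # Entries look like "<hex>  <name>" (text) or "<hex> *<name>" (binary).
    expected=$(awk -v n="$name" '
        { f = $0; sub(/^[0-9a-fA-F]+ [ *]/, "", f) }
        f == n { print tolower($1); c++ }
        END { if (c != 1) exit 2 }' "$sums") || return 2
    actual=$(sha256sum -- "$image" | cut -d" " -f1)
    [ "$expected" = "$actual" ]
}

# Both steps in order; the hash comparison only counts if step 1 passed.
verify_download() {
    local sig="$1" sums="$2" image="$3"
    verify_sums_signature "$sig" "$sums" || {
        echo "signature over $sums did not verify" >&2; return 1; }
    check_listed_hash "$sums" "$image" || {
        echo "$image is not confirmed by $sums" >&2; return 1; }
    echo "OK: $image matches the signed $sums"
}

# Usage: verify_download SHA256SUMS.sign SHA256SUMS debian-testing-amd64-DVD-1.iso
```
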
