Package: debian-installer-9-netboot-amd64
Version: 20170615+deb9u6
Followup-For: Bug #917491

Dear Maintainer,

Some weeks ago, my Debian stretch netboot installer told me that I needed to
update, so I proceeded to download the new files:

http://ftp.debian.org/debian/dists/stretch/main/installer-amd64/current/images/netboot/netboot.tar.gz
http://ftp.debian.org/debian/dists/stretch/main/installer-amd64/current/images/SHA256SUMS
http://ftp.debian.org/debian/dists/stretch/Release
http://ftp.debian.org/debian/dists/stretch/Release.gpg

and run the normal sha256 checksums on the various files, per the Debian wiki:

$cat SHA256SUMS | grep -F netboot/netboot.tar.gz
c2d37c3652f993bc07039f68cc1876ef343a9bb30fca29ca5aa9de0e93a9c4fd ./netboot/netboot.tar.gz

$sha256sum netboot.tar.gz
c2d37c3652f993bc07039f68cc1876ef343a9bb30fca29ca5aa9de0e93a9c4fd netboot.tar.gz

$sha256sum SHA256SUMS
083e4910e7af0f6e0b40809456ff373704bb7c27731f9edd73d9d93628267a6f SHA256SUMS

$cat Release | grep -A 100000 '^SHA256' | grep -F installer-amd64/current/images/SHA256SUMS
083e4910e7af0f6e0b40809456ff373704bb7c27731f9edd73d9d93628267a6f 74077 main/installer-amd64/current/images/SHA256SUMS

$gpg --verify Release.gpg Release
gpg: Signature made Sat 27 Apr 2019 04:30:44 AM CDT
gpg: using RSA key A1BD8E9D78F7FE5C3E65D8AF8B48AD6246925553
gpg: Good signature from "Debian Archive Automatic Signing Key (7.0/wheezy) <ftpmas...@debian.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: A1BD 8E9D 78F7 FE5C 3E65 D8AF 8B48 AD62 4692 5553
gpg: Signature made Sat 27 Apr 2019 04:30:44 AM CDT
gpg: using RSA key 126C0D24BD8A2942CC7DF8AC7638D0442B90D010
gpg: Good signature from "Debian Archive Automatic Signing Key (8/jessie) <ftpmas...@debian.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 126C 0D24 BD8A 2942 CC7D F8AC 7638 D044 2B90 D010
gpg: Signature made Sat 27 Apr 2019 04:33:33 AM CDT
gpg: using RSA key 067E3C456BAE240ACEE88F6FEF0F382A1A7B6500
gpg: Good signature from "Debian Stable Release Key (9/stretch) <debian-rele...@lists.debian.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 067E 3C45 6BAE 240A CEE8 8F6F EF0F 382A 1A7B 6500

I noticed that the Release file had been signed with
A1BD8E9D78F7FE5C3E65D8AF8B48AD6246925553
which matches the signature for
"Debian Archive Automatic Signing Key (7.0/wheezy) <ftpmas...@debian.org>"
not for
"Debian Stable Release Key (9/stretch) <debian-rele...@lists.debian.org>"
as I would expect for the Stretch release (stretch key for stretch release, yes?).

A search brought me to this bug, which sounds a lot like what I've seen. If
this is a "should be reported elsewhere", I would be happy to do so.

Thanks for all your work on making the installer setups go!

-- System Information:
Debian Release: 9.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-8-amd64 (SMP w/24 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

debian-installer-9-netboot-amd64 depends on no packages.

debian-installer-9-netboot-amd64 recommends no packages.

Versions of packages debian-installer-9-netboot-amd64 suggests:
pn tftpd-hpa <none>
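
Added example, not part of the original report: a scripted form of the last two checks in the chain above. It confirms that a specific key fingerprint is among the valid signers, using gpg's machine-readable VALIDSIG status lines, and reads the SHA256SUMS hash from the SHA256 section of Release only. The helper names are hypothetical and the sample data is constructed from the values quoted in the report.

```shell
#!/bin/sh
# Added example; helper names and sample data are constructed, not from the report.

# Print the SHA256 a Release file lists for path $2, reading only the "SHA256:"
# section (the same path is also listed under the MD5Sum: and SHA1: sections).
release_sha256() {
    awk -v want="$2" '
        /^[A-Za-z0-9-]+:/ { in_sha256 = ($1 == "SHA256:") }  # a field name opens a section
        in_sha256 && $3 == want { print $1; found = 1 }
        END { exit !found }' "$1"
}

# Succeed only if the gpg status output in file $1 contains a VALIDSIG whose
# signing-key or primary-key fingerprint equals $2. Real input would come from:
#   gpg --status-fd 1 --verify Release.gpg Release 2>/dev/null > status.txt
signed_by() {
    awk -v fpr="$2" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == fpr || $NF == fpr) { ok = 1 }
        END { exit !ok }' "$1"
}

# Write constructed samples into directory $1: a Release excerpt carrying the
# SHA256SUMS entry quoted in the report, and status lines for the three keys.
make_samples() {
    cat > "$1/Release" <<'EOF'
Codename: stretch
MD5Sum:
 00000000000000000000000000000000 74077 main/installer-amd64/current/images/SHA256SUMS
SHA256:
 083e4910e7af0f6e0b40809456ff373704bb7c27731f9edd73d9d93628267a6f 74077 main/installer-amd64/current/images/SHA256SUMS
EOF
    cat > "$1/status.txt" <<'EOF'
[GNUPG:] VALIDSIG A1BD8E9D78F7FE5C3E65D8AF8B48AD6246925553 2019-04-27 1556357444 0 4 0 1 8 00 A1BD8E9D78F7FE5C3E65D8AF8B48AD6246925553
[GNUPG:] VALIDSIG 126C0D24BD8A2942CC7DF8AC7638D0442B90D010 2019-04-27 1556357444 0 4 0 1 8 00 126C0D24BD8A2942CC7DF8AC7638D0442B90D010
[GNUPG:] VALIDSIG 067E3C456BAE240ACEE88F6FEF0F382A1A7B6500 2019-04-27 1556357613 0 4 0 1 8 00 067E3C456BAE240ACEE88F6FEF0F382A1A7B6500
EOF
}

# Demo: require the stretch release key among the signers, then read the hash.
demo() {
    d=$(mktemp -d) && make_samples "$d" || return 1
    signed_by "$d/status.txt" 067E3C456BAE240ACEE88F6FEF0F382A1A7B6500 &&
        release_sha256 "$d/Release" main/installer-amd64/current/images/SHA256SUMS
    rc=$?; rm -rf "$d"; return $rc
}

demo
```

A VALIDSIG line only says the signature is cryptographically valid for a key in the keyring in use, so the fingerprint passed to `signed_by` has to come from a source trusted independently of the downloaded files.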