On 23 June 2023 15:53:08 BST, Julian Schreck <js-p...@online.de> wrote: >Dear all, >I was downloading the netimage of bookworm, the signing key(s) and sha sums >when I noticed that my timestamp of the signature [0] differs from the one on >the website. [1] >Is this a security issue or just a website not updated? > >Kind regards >Julian >-- >[0] : >$ LC_ALL=C gpg --verify-files SHA512SUMS.sign >gpg: assuming signed data in 'SHA512SUMS' >gpg: Signature made Sat Jun 10 15:58:35 2023 CEST >gpg: using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B >gpg: Good signature from "Debian CD signing key <debian...@lists.debian.org>" >[unknown] >gpg: WARNING: This key is not certified with a trusted signature! >gpg: There is no indication that the signature belongs to the owner. >Primary key fingerprint: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B > >[1] : https://www.debian.org/CD/verify, e. g. 2011-01-05 [SC] >
You're comparing the timestamp of a signature with the creation time of the key which generated it. They're different things. -- Jonathan Wiltshire j...@debian.org Debian Developer http://people.debian.org/~jmw 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
