Good {evening,morning,afternoon}, fellow anglophones.

I am running Wheezy, and I plan to prepare a debian live cd using this
file:

 http://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/debian-live-7.6.0-amd64-standard.iso

Before doing this, however, I would like to verify the authenticity of
the SHA512SUMS file which I believe I obtained from here:

 http://live.debian.net/cdimage/release/stable/amd64/iso-hybrid/SHA512SUMS

And so, to that end, I downloaded...

 http://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/SHA512SUMS.sign

But I am stuck now, because I cannot find the corresponding public
key, and don't know where to start looking for it.

What I have done so far:

I installed the debian-keyring package, and then I ran this:

| $ gpgv --keyring /usr/share/keyrings/debian-keyring.gpg -vv -- SHA512SUMS.sign
| gpgv: armor: BEGIN PGP SIGNATURE
| gpgv: armor header: Version: GnuPG v1.4.12 (GNU/Linux)
| :signature packet: algo 1, keyid DA87E80D6294BE9B
|         version 4, created 1406210061, md5len 0, sigclass 0x00
|         digest algo 8, begin of digest fc 43
|         hashed subpkt 2 len 4 (sig created 2014-07-24)
|         subpkt 16 len 8 (issuer key ID DA87E80D6294BE9B)
|         data: [4096 bits]
| gpgv: assuming signed data in `SHA512SUMS'
| gpgv: Signature made Thu 24 Jul 2014 09:54:21 AM EDT using RSA key ID 6294BE9B
| gpgv: Can't check signature: public key not found

This was not the outcome I was hoping for, but I am not sure what to
do next.

As mentioned above, I have installed the debian-keyring package, as
advised here:

http://www.debian.org/./CD/verify
| To ensure that the checksums files themselves are correct, use GnuPG
| to verify them against the accompanying signature files
| (e.g. MD5SSUMS.sign). The keys used for these signatures are all in
| the Debian GPG keyring <http://keyring.debian.org/> [...]

But that last part does not appear to be correct.  gpgv told me it
could not find the public key that will verify the sig for the
SHA512SUMS file.  The reason seems to be that
/usr/share/keyrings/debian-keyring.gpg does not contain the public key
in question.

| [...] and the best way to check them is to use that keyring to
| validate via the web of trust.

I don't have the slightest idea what that last bit is supposed to
mean, but I imagine it might not be important for my present goal.

The following, from the same page, looks relevant:

| To make life easier for users, here are the fingerprints for the
| keys that have been used for releases in recent years (with some
| UIDs removed for clarity):

[snipped some key ids/fingerprints]
pub   4096R/6294BE9B 2011-01-05
      Key fingerprint = DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B
uid                  Debian CD signing key <debian...@lists.debian.org>
sub   4096R/11CD9819 2011-01-05
[snipped some more key ids/fingerprints]

As far as I can tell, this is encouraging, but not conclusive.  To
authenticate the signature on the file in question, I believe I need
the corresponding public key itself.

So, where can I obtain the public key one uses to verify the signature
on the SHA512SUMS file for the debian live iso in question?  Is there
a way to use the information above to retrieve it?

I assume that this should not be a difficult task, but I am finding it
rather difficult.  If someone could help me figure out how to do this,
I would be grateful.

Also, thank you for reading this far.

-wes
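
The following is an added example, not part of the original message: a shell check of how the key ID in the gpgv output above relates to the fingerprint listed on the verify page, and of the full-fingerprint comparison a candidate key should pass before it is trusted. The function names are hypothetical and the sample input is constructed from the lines quoted in the post (without the `| ` quote prefix).

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not from gpg or Debian tooling.

# Fingerprint as printed on the verify page quoted in the post.
PUBLISHED_FPR='DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B'

# Constructed sample: two lines of the gpgv -vv output shown in the post.
SAMPLE_GPGV_OUTPUT=':signature packet: algo 1, keyid DA87E80D6294BE9B
        subpkt 16 len 8 (issuer key ID DA87E80D6294BE9B)'

# Strip whitespace and upper-case a fingerprint or key ID.
normalize_hex() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Extract the 64-bit key ID from the ":signature packet:" line.
issuer_keyid() {
    printf '%s\n' "$1" |
        sed -n 's/^:signature packet:.*keyid \([0-9A-Fa-f]\{16\}\).*/\1/p' |
        head -n 1
}

# For a v4 key, the long key ID is the last 16 hex digits of the
# 40-digit fingerprint. Returns 0 on match, 1 on mismatch, 2 on bad input.
keyid_matches_fpr() {
    keyid=$(normalize_hex "$1")
    fpr=$(normalize_hex "$2")
    [ "${#fpr}" -eq 40 ] || return 2
    [ "${#keyid}" -eq 16 ] || return 2
    case "$fpr" in
        *"$keyid") return 0 ;;
        *) return 1 ;;
    esac
}

# Compare all 40 digits of a candidate key's fingerprint (as reported by
# gpg for a key obtained from any source) with the published one.
# A key ID match alone is not enough, since key IDs can collide.
fpr_equals_published() {
    [ "$(normalize_hex "$1")" = "$(normalize_hex "$PUBLISHED_FPR")" ]
}

# Stand-alone run: report whether the signature's key ID fits the list entry.
if keyid_matches_fpr "$(issuer_keyid "$SAMPLE_GPGV_OUTPUT")" "$PUBLISHED_FPR"
then echo "key ID matches the published fingerprint"
else echo "key ID does NOT match the published fingerprint"
fi
```

A key ID match only shows which published key the signature claims to come from; the signature itself is verified once a key passing the full-fingerprint comparison is in the keyring given to `gpgv`.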

