Hi everyone!

I just downloaded the latest OpenStack Debian 9 image from a Debian mirror using:

https://cdimage.debian.org/cdimage/openstack/current-9/debian-9-openstack-amd64.qcow2

I also got the checksum and its signature:

https://cdimage.debian.org/cdimage/openstack/current-9/SHA256SUMS
https://cdimage.debian.org/cdimage/openstack/current-9/SHA256SUMS.sign

The checksum's signature is good:

$ gpg --verify SHA256SUMS.sign
gpg: assuming signed data in 'SHA256SUMS'
gpg: Signature made dim. 29 mars 2020 16:40:45 CEST
gpg: using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
gpg: Good signature from "Debian CD signing key <debian...@lists.debian.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B

but the checksum fails:

$ sha256sum -c SHA256SUMS --ignore-missing
debian-9-openstack-amd64.qcow2: FAILED
sha256sum: WARNING: 1 computed checksum did NOT match
sha256sum: SHA256SUMS: no file was verified

I've tried to download a new copy (from the same mirror) but it still fails. The mirror I use is https://caesar.ftp.acc.umu.se/cdimage/openstack/current-9

I couldn't manage to find another mirror to check whether only this copy was altered, or all of them. If anyone could verify that on their side and provide me with a mirror that contains a valid image, that would be awesome!

Thanks for your help!
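An added example, not part of the original post: `sha256sum -c` only reports FAILED, so this hypothetical helper `check_listed_hash` prints the hash listed in a SHA256SUMS file next to the hash computed from the download, which makes it possible to compare both values against another mirror's copy. The file names and contents below are constructed sample data, not the real Debian image.

```shell
#!/bin/sh
# Added example. Assumes SHA256SUMS was already authenticated with
# `gpg --verify SHA256SUMS.sign`, as in the post above.
# Return codes: 0 = match, 1 = mismatch, 2 = not listed, 3 = unreadable file.
check_listed_hash() {
    file=$1
    sums=$2
    name=$(basename "$file")
    # Entries are "<hex>  <name>" (text mode) or "<hex> *<name>" (binary mode).
    # Names containing spaces are not handled here.
    expected=$(awk -v n="$name" \
        '{ f = $2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$sums")
    [ -n "$expected" ] || { echo "$name: not listed in $sums"; return 2; }
    actual=$(sha256sum "$file" 2>/dev/null | cut -d' ' -f1)
    [ -n "$actual" ] || { echo "$name: cannot read file"; return 3; }
    echo "$name listed:   $expected"
    echo "$name computed: $actual"
    [ "$expected" = "$actual" ]
}

# Constructed sample data in a throwaway directory: one file whose listed
# hash matches, and one whose listed hash belongs to different content.
demo_dir=$(mktemp -d)
printf 'image contents\n' > "$demo_dir/good.qcow2"
printf 'downloaded contents\n' > "$demo_dir/mismatch.qcow2"
{
    printf '%s  good.qcow2\n' \
        "$(sha256sum "$demo_dir/good.qcow2" | cut -d' ' -f1)"
    printf '%s  mismatch.qcow2\n' \
        "$(printf 'other contents\n' | sha256sum | cut -d' ' -f1)"
} > "$demo_dir/SHA256SUMS"

# absent.qcow2 is not in the list: reported explicitly instead of being
# silently skipped the way --ignore-missing would skip it.
for f in good.qcow2 mismatch.qcow2 absent.qcow2; do
    check_listed_hash "$demo_dir/$f" "$demo_dir/SHA256SUMS" \
        || echo "-> exit code $?"
done
```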