On 16/11/2022 13:55, Thomas George wrote:
I am giving up and will proceed with the netinst. Thanks everyone for
the many helpful comments and recommendations.
I stripped the spaces from the fingerprint and equated it RSA key. They
matched. So every thing is correct until the last step
Dragonette:/home/tom/Downloads/debian# gpg2 --verify SHA512SUMS.sign.txt
debian-11.5.0-amd64-netinst.iso
gpg: Signature made Sat 10 Sep 2022 07:00:08 PM EDT
gpg: using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
gpg: BAD signature from "Debian CD signing key
<debian...@lists.debian.org>" [unknown]
That will never work: you're attempting to verify that the ISO file is
signed with the signature in SHA512SUMS.sign.txt. It will never match.
There is no signature for the ISO file. Instead, it's sha512sum is
listed in SHA512SUMS, and that file is signed.
First, verify that the hash matches:
$ sha512sum -c SHA512SUMS
And then verify that the hash file is properly signed:
$ gpg2 --verify SHA512SUMS.sign SHA512SUMS
Actually, the order does not matter.
--
When in doubt, mumble; when in trouble, delegate; when in charge, ponder.
-- James H. Boren
Eduardo M KALINOWSKI
edua...@kalinowski.com.br
