Hi, Franco Martelli wrote: > I was testing the procedure in a virtual machine, the first "gpg --keyserver > keyring.debian.org ..." command fails because I hadn't imported the public > keys.
Hm. I expected that --keyserver keyring.debian.org would avoid the need for importing keys to the local keyring. But the man page indeed does not promise this. I ran gpg --list-keys and really, the key DF9B9C49EAA9298432589D76DA87E80D6294BE9B is listed as being in $HOME/.gnupg/pubring.kbx Moving that file away causes failure to verify. Thanks for reviewing and testing. > Before you begin, if you haven't already done, you must import the Debian > public keys. You can download the keys from the authenticity verification > page: https://www.debian.org/CD/verify once done, then imports the keys with > the command: > > gpg --import key-988021A964E6EA7D.txt key-DA87E80D6294BE9B.txt > key-42468F4009EA8AC3.txt Probably i once followed my own example at https://www.gnu.org/software/xorriso/#download Replaying it with end pieces of the Debian keys: gpg --keyserver keyring.debian.org --recv-keys 64E6EA7D 6294BE9B 09EA8AC3 fixes the verification for me. So i changed the wiki page to gpg --keyserver keyring.debian.org --recv-keys 64E6EA7D 6294BE9B 09EA8AC3 gpg --with-fingerprint --verify SHA512SUMS.sign SHA512SUMS and will do with the debian-cd proposal. (Damn. I hit "Save Changes" instead of "Preview". I must slow down. Rush brings bad luck.) Actually i do not know how option --with-fingerprint came to me. On Debian 12, verification works the same with and without it. So it could be cargo cult. But most such cult has true roots in the past. The man page is fewly enlightening with that option. Does anybody know what benefit it is/was supposed to bring ? If it is obsolete, since when ? Have a nice day :) Thomas
