PS C:\Users\CP\Documents\Linux\Debian12.10.0\VersioneHTTP> Get-FileHash -Path "C:\Users\CP\Documents\Linux\Debian12.10.0\VersioneHTTP\SHA512SUMS.txt" -Algorithm SHA512

Algorithm       Hash                                                                   Path
---------       ----                                                                   ----
SHA512          3D0BA303805111F651A88D96FC64867FFC678E43F3756F5F91B24A810D91015E459... C:\Users\CP\Documents\Linux\Debian12.10.0\VersioneHTTP\SHA512SUMS.txt

PS C:\Users\CP\Documents\Linux\Debian12.10.0\VersioneHTTP> Get-FileHash -Path "C:\Users\CP\Documents\Linux\Debian12.10.0\VersioneHTTP\SHA512SUMS.sign" -Algorithm SHA512

Algorithm       Hash                                                                   Path
---------       ----                                                                   ----
SHA512          58B5434926A9E5F7BA27FA32CD19B4379658945646549D6ACD3EC9A9368FFFACDAC... C:\Users\CP\Documents\Linux\Debian12.10.0\VersioneHTTP\SHA512SUMS.sign


________________________________
From: Thomas Schmitt
Sent: Friday, 28 March 2025 08:50
To: debian-user@lists.debian.org
Cc: pierantonio.corrad...@gmail.com
Subject: Re: Help: debian-12.10.0-amd64-netinst.iso autenticity test

Hi,

(Please Cc: debian-user@lists.debian.org with your replies.
I sent my mail with Cc: to you, because the X-Spam-Status: header of
your list mail did not indicate that you are subscribed to the list.)


Pier Antonio Corradini wrote:
> So... first step:
> PS C:\Users\CP> gpg --keyserver hkps://keyring.debian.org --recv-keys
> DF9B9C49EAA9298432589D76DA87E80D6294BE9B
> [...]
> Second step:
> PS C:\Users\CP\Documents\Linux\Debian12.10.0\VersioneHTTP>
>     gpg --verify SHA512SUMS.sign SHA512SUMS.txt
> gpg: Firma effettuata 03/15/25 21:33:08 ora solare Europa occidentale
> gpg:                utilizzando la chiave RSA 
> DF9B9C49EAA9298432589D76DA87E80D6294BE9B

Did this second-step run succeed?
It seems that the decisive message line is missing.
(Not that I would really understand the language in the messages.)


> third step:
> PS C:\Users\CP\Documents\Linux\Debian12.10.0\VersioneHTTP> gpg --output
> debian-key.asc --export DF9B9C49EAA9298432589D76DA87E80D6294BE9B
> Il file 'debian-key.asc' esiste. Sovrascrivere? (y/N) y
> to import it inside Kleopatra...and... bad signature inside Kleopatra!

Is Kleopatra
  https://www.openpgp.org/software/kleopatra/
?


> Inside console:
> PS C:\Users\CP\Documents\Linux\Debian12.10.0\VersioneHTTP> gpg --verify
> SHA512SUMS.sign SHA512SUMS.txt
> gpg: Firma effettuata 03/15/25 21:33:08 ora solare Europa occidentale
> gpg:                utilizzando la chiave RSA
> DF9B9C49EAA9298432589D76DA87E80D6294BE9B
> gpg: Firma BAD da "Debian CD signing key <debian...@lists.debian.org>"
> [sconosciuto]

If the result is different from the one of step 2:
What has changed since step 2?


> Where is the mistake?

I have to repeat my questions for checksums of the non-matching files
  SHA512SUMS.sign
  SHA512SUMS
(I could make use of MD5, SHA256, or SHA512.)

Reason for this request:
If gpg --verify reports mismatch, then either:
- at least one of the two files must show differences to those which I
  downloaded yesterday,
- or something is broken with your gpg --verify run.
Knowing whether the files SHA512SUMS.sign and SHA512SUMS are the same
as the copies on my computer would enable us to judge which of the
above reasons is present.


Have a nice day :)

Thomas
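
Added example, not part of either mail in this thread: a PowerShell sketch that prints the untruncated checksums Thomas asks for (the default Get-FileHash table cuts them off with "...") and reads the verdict of gpg --verify from its language-independent status lines. It assumes it is run in the directory holding the two files; $Reference is a hypothetical table whose placeholder values must be replaced with the SHA512 strings received from the other party.

```powershell
# Added example. File names are the ones used in this thread.
# $Reference is hypothetical: replace the placeholders with the SHA512 values
# sent by the person holding the known-good copies.
$Files = 'SHA512SUMS.txt', 'SHA512SUMS.sign'
$Reference = @{
    'SHA512SUMS.txt'  = '<SHA512-from-other-party>'
    'SHA512SUMS.sign' = '<SHA512-from-other-party>'
}

function Get-FullHash {
    param([string]$Path, [string]$Algorithm = 'SHA512')
    # .Hash holds the complete hex string; only the default table view cuts it.
    (Get-FileHash -LiteralPath $Path -Algorithm $Algorithm).Hash
}

function Get-GpgVerdict {
    param([string]$Signature, [string]$Data)
    # --status-fd 1 writes machine-readable "[GNUPG:] ..." lines to stdout.
    # They are the same in every display language, unlike the "gpg: ..." text.
    $status = & gpg --status-fd 1 --verify $Signature $Data 2>$null
    if ($status -match '^\[GNUPG:\] GOODSIG ') { return 'GOODSIG' }
    if ($status -match '^\[GNUPG:\] BADSIG ')  { return 'BADSIG' }
    if ($status -match '^\[GNUPG:\] (ERRSIG|NO_PUBKEY) ') { return 'NO_KEY_OR_ERROR' }
    return 'UNKNOWN'
}

foreach ($f in $Files) {
    $sha512 = Get-FullHash $f 'SHA512'
    [pscustomobject]@{
        File             = $f
        Bytes            = (Get-Item -LiteralPath $f).Length
        MD5              = Get-FullHash $f 'MD5'
        SHA256           = Get-FullHash $f 'SHA256'
        SHA512           = $sha512
        # -eq on strings ignores case, so upper/lower-case hex both compare equal.
        MatchesReference = $sha512 -eq $Reference[$f]
    } | Format-List    # list view prints every value in full
}

'gpg verdict: ' + (Get-GpgVerdict 'SHA512SUMS.sign' 'SHA512SUMS.txt')
```

If both files match the reference hashes and the verdict is still BADSIG, the files are ruled out and the gpg run itself is the remaining suspect; if a hash differs, that file was altered or downloaded incorrectly.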
