After several attempts it is suspected that the SHA512SUMS and SHA512SUMS.sign files have been corrupted by the copy and paste process, so these files are downloaded directly from the browser by right-clicking the download links on the web page https://www.debian.org/download and selecting the "Save link as" command.
Third authenticity check attempt:

PS C:\Users\CP\Documents\Linux\Debian12.10.0\VersioneHTTP> gpg --verify SHA512SUMS.sign SHA512SUMS.txt
gpg: Firma effettuata 03/15/25 21:33:08 ora solare Europa occidentale
gpg:                utilizzando la chiave RSA DF9B9C49EAA9298432589D76DA87E80D6294BE9B
gpg: Firma valida da "Debian CD signing key <debian...@lists.debian.org>" [sconosciuto]
gpg: ATTENZIONE: questa chiave non è certificata con una firma fidata!
gpg:          Non ci sono indicazioni che la firma appartenga al proprietario.
Impronta digitale della chiave primaria: DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B

Authenticity check succeeded but the result is the following:

Valid signature from "Debian CD signing key <debian...@lists.debian.org>" [unknown]
WARNING: this key is not certified with a trusted signature!
There is no indication that the signature belongs to the owner.

Conclusion:

I am really very perplexed by the outcome of this authenticity check of the file debian-12.10.0-amd64-netinst.iso: all these commands and attempts to arrive at what? To the sentence "WARNING: this key is not certified with a trusted signature! There is no indication that the signature belongs to the owner."????

What does all this mean? That there is no way to have a certification of the authenticity of the file debian-12.10.0-amd64-netinst.iso? Or is there still something to clarify regarding the selection of the key?

Thanks!
PA

________________________________
From: Thomas Schmitt
Sent: Friday, 28 March 2025 18:04
To: debian-user@lists.debian.org
Cc: pierantonio.corrad...@gmail.com
Subject: Re: Help: debian-12.10.0-amd64-netinst.iso autenticity test

Hi,

i realize that i posted the content of the wrong SHA512SUMS file. The one i posted was from debian 12.7.0. Nevertheless the SHA512 sums which i posted earlier are of the files from 12.10.0 which i downloaded yesterday.

Pier Antonio Corradini wrote:
> The content of these links, seen now, is the following:
> cb089def0684fd93c9c2fbe45fd16ecc809c949a6fd0c91ee199faefe7d4b82b64658a264a13109d59f1a40ac3080be2f7bd3d8bf3e9cdf509add6d72576a79b
> debian-12.10.0-amd64-netinst.iso
> 71d4c4e2ea7b617362875a74eb007308ae577ebe4b02ffeb626f1d12eaf412567d1d1816dbdbbb84cfaa38a205c13abf317ec227e5b2df9c982979698909889c
> debian-edu-12.10.0-amd64-netinst.iso
> 269e64d2a379429905cf95191036cc53fdc148c624af68386d3a238f5fe2c5b03e3732706eaac175303b1fe327f691dc50faf8d65665781d6bcbbabf072559fa
> debian-mac-12.10.0-amd64-netinst.iso

These checksums match what i see in my downloaded SHA512SUMS file of debian-12.10.0 netinst. (Not the one from 12.7.0.)

So if the check run from your initial mail indicates a matching SHA512 checksum of the .iso file in the SHA512SUMS file and if you believe my word, then your ISO image is good.

The trust in my word could be replaced by unaltered files SHA512SUM and SHA512SUM.sign and a successful gpg --verify run. But i cannot give advice how to achieve this in a MS-Windows environment.

Have a nice day :)

Thomas
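
Added example, not part of either message in this thread: a PowerShell script that chains the two checks discussed above, first the gpg signature on the SHA512SUMS file (including which key made it), then the SHA512 of the ISO against the entry in that signed file. It assumes gpg.exe is on PATH, the file names used in the thread, and that the expected fingerprint has been compared with one obtained from a source you trust.

```powershell
# Added example. Assumes gpg.exe is on PATH and the three files are in the current directory.
param(
    [string]$Iso  = 'debian-12.10.0-amd64-netinst.iso',
    [string]$Sums = 'SHA512SUMS.txt',
    [string]$Sig  = 'SHA512SUMS.sign',
    # Fingerprint gpg printed in the thread. Assumption: you have compared it with
    # the fingerprint obtained from a source you trust before relying on it.
    [string]$ExpectedFingerprint = 'DF9B9C49EAA9298432589D76DA87E80D6294BE9B'
)

# 1. Verify the detached signature. --status-fd 1 writes machine-readable
#    "[GNUPG:]" lines to stdout that do not depend on the display language.
$status = & gpg --batch --status-fd 1 --verify $Sig $Sums
$good   = $status | Where-Object { $_ -match '^\[GNUPG:\] GOODSIG ' }
$valid  = $status | Where-Object { $_ -match '^\[GNUPG:\] VALIDSIG ' } | Select-Object -First 1
if (-not $good -or -not $valid) { throw "gpg reported no good signature for $Sums" }

# 2. The last VALIDSIG field is the primary key fingerprint of the signer.
$primary = ($valid.Trim() -split '\s+')[-1]
if ($primary -ne $ExpectedFingerprint) {
    throw "Signed by $primary, expected $ExpectedFingerprint"
}

# 3. Find the ISO's entry in the signed list ("<hash>  <name>" or "<hash> *<name>").
$pattern = '^[0-9a-fA-F]{128}\s+\*?' + [regex]::Escape($Iso) + '$'
$entry   = Get-Content -LiteralPath $Sums | Where-Object { $_ -match $pattern } | Select-Object -First 1
if (-not $entry) { throw "$Iso is not listed in $Sums" }
$listed = ($entry -split '\s+')[0]

# 4. Hash the local ISO and compare (-ne ignores case for strings).
$actual = (Get-FileHash -Algorithm SHA512 -LiteralPath $Iso).Hash
if ($actual -ne $listed) { throw "SHA512 mismatch for $Iso" }

"OK: $Sums is signed by $primary and $Iso matches its listed SHA512."
```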