I think I got it: the final step is to compare the fingerprint of the primary key, at the end of the command output

PS C:\Users\CP\Documents\Linux\Debian12.10.0\HTTPVersion> gpg --verify SHA512SUMS.sign SHA512SUMS.txt
gpg: Signing done 03/15/25 21:33:08 Western European Standard Time
gpg: using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
gpg: Valid signature from "Debian CD signing key <debian...@lists.debian.org>" [unknown]
gpg: WARNING: this key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B

with the primary key fingerprint at the link: https://www.debian.org/CD/verify

Fingerprint comparison:
DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B
DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B

So now the authenticity check is complete and the authenticity is completely sure?

Thanks!
PA

________________________________
From: Thomas Schmitt
Sent: Friday, 28 March, 2025 18:04
To: debian-user@lists.debian.org
Cc: pierantonio.corrad...@gmail.com
Subject: Re: Help: debian-12.10.0-amd64-netinst.iso autenticity test

Hi,

i realize that i posted the content of the wrong SHA512SUMS file. The one i posted was from debian 12.7.0. Nevertheless the SHA512 sums which i posted earlier are of the files from 12.10.0 which i downloaded yesterday.

Pier Antonio Corradini wrote:
> The content of these links, seen now, is the following:
> cb089def0684fd93c9c2fbe45fd16ecc809c949a6fd0c91ee199faefe7d4b82b64658a264a13109d59f1a40ac3080be2f7bd3d8bf3e9cdf509add6d72576a79b
> debian-12.10.0-amd64-netinst.iso
> 71d4c4e2ea7b617362875a74eb007308ae577ebe4b02ffeb626f1d12eaf412567d1d1816dbdbbb84cfaa38a205c13abf317ec227e5b2df9c982979698909889c
> debian-edu-12.10.0-amd64-netinst.iso
> 269e64d2a379429905cf95191036cc53fdc148c624af68386d3a238f5fe2c5b03e3732706eaac175303b1fe327f691dc50faf8d65665781d6bcbbabf072559fa
> debian-mac-12.10.0-amd64-netinst.iso

These checksums match what i see in my downloaded SHA512SUMS file of debian-12.10.0 netinst. (Not the one from 12.7.0.)

So if the check run from your initial mail indicates a matching SHA512 checksum of the .iso file in the SHA512SUMS file and if you believe my word, then your ISO image is good.

The trust in my word could be replaced by unaltered files SHA512SUM and SHA512SUM.sign and a successful gpg --verify run. But i cannot give advice how to achieve this in a MS-Windows environment.

Have a nice day :)

Thomas
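
The whole chain discussed in this thread (signature on the checksum file, primary key fingerprint, SHA512 of the ISO) can be checked in one PowerShell run. The following is an added example, not written by either poster. It assumes gpg is on PATH with the Debian CD signing key already imported, and that the three files sit in the current directory under the names used in the thread.

```powershell
# Added example: verify a Debian ISO end to end from PowerShell.
# Fingerprint as quoted in the thread; confirm it at https://www.debian.org/CD/verify
$ExpectedFpr = 'DF9B9C49EAA9298432589D76DA87E80D6294BE9B'
$SumsFile    = 'SHA512SUMS.txt'    # checksum list, named as in the thread
$SigFile     = 'SHA512SUMS.sign'   # detached signature over the checksum list
$IsoFile     = 'debian-12.10.0-amd64-netinst.iso'   # assumed to be in the current directory

# Step 1: signature check. --status-fd 1 makes gpg print machine-readable
# "[GNUPG:] ..." lines on stdout, which are safer to parse than the
# localized human-readable messages on stderr.
$status = & gpg --status-fd 1 --verify $SigFile $SumsFile 2>$null
$valid  = $status | Where-Object { $_ -match '^\[GNUPG:\] VALIDSIG ' } |
          Select-Object -First 1
if (-not $valid) {
    throw "gpg reported no valid signature on $SumsFile"
}

# Step 2: fingerprint check. The last field of a VALIDSIG line is the
# primary key fingerprint. The "not certified with a trusted signature"
# warning only means the key is not in your web of trust, so this
# comparison against the published fingerprint is what binds the key to Debian.
$primaryFpr = ($valid.Trim() -split '\s+')[-1]
if ($primaryFpr -ne $ExpectedFpr) {
    throw "Signed by unexpected key $primaryFpr"
}

# Step 3: hash check. Find the ISO's line in the now-authenticated
# checksum file and compare it with the hash of the downloaded image.
$pattern = '^[0-9a-f]{128}\s+\*?' + [regex]::Escape($IsoFile) + '$'
$line = Get-Content -LiteralPath $SumsFile |
        Where-Object { $_ -match $pattern } | Select-Object -First 1
if (-not $line) {
    throw "$IsoFile is not listed in $SumsFile"
}
$listed = ($line -split '\s+')[0]
$actual = (Get-FileHash -Algorithm SHA512 -LiteralPath $IsoFile).Hash

# -ne on strings is case-insensitive, so upper-case output from
# Get-FileHash compares correctly with the lower-case hex in the file.
if ($actual -ne $listed) {
    throw "SHA512 mismatch for $IsoFile"
}
"OK: $IsoFile matches $SumsFile, which is signed by $primaryFpr"
```

Only when all three steps pass is the image tied to the Debian signing key; a matching SHA512 alone shows the download is intact, not who published the checksum file.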