Dear all,
I was downloading the netimage of bookworm, the signing key(s) and sha sums when I noticed that my timestamp of the signature [0] differs from the one on the website. [1]
Is this a security issue or just a website not updated?
Kind regards
Julian
--
[0] :
$ LC_ALL=C gpg --verify-files SHA512SUMS.sign
gpg: assuming signed data in 'SHA512SUMS'
gpg: Signature made Sat Jun 10 15:58:35 2023 CEST
gpg: using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B
[1] : https://www.debian.org/CD/verify, e. g. 2011-01-05 [SC]
On Fri, 2023-06-23 at 16:53 +0200, Julian Schreck wrote:
> I was downloading the netimage of bookworm, the signing key(s) and
> sha sums when I noticed that my timestamp of the signature [0]
> differs from the one on the website. [1]
> Is this a security issue or just a website not updated?
You appear to be comparing two entirely different things, and expecting
them to match.
> --
> [0] :
> $ LC_ALL=C gpg --verify-files SHA512SUMS.sign
> gpg: assuming signed data in 'SHA512SUMS'
> gpg: Signature made Sat Jun 10 15:58:35 2023 CEST
> gpg: using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
This is the date and time that the signature for the SHA512SUMS file
was produced. Whereas this:
> [...]
> [1] : https://www.debian.org/CD/verify, e. g. 2011-01-05 [SC]
is the date when the key was created.
It would be very surprising if they *did* match.
Regards,
Adam
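
Added example, not part of any message in this thread: a small parser that reads both dates from gpg's machine-readable output and compares the signing key's fingerprint with an expected one. The sample inputs are constructed; the signature timestamp and fingerprint are taken from the output quoted above, while the key-creation instant and the function names are assumptions of this example.

```python
from datetime import datetime, timezone

# Fingerprint as printed by gpg in the thread (normally taken from the website).
EXPECTED_FPR = "DF9B9C49EAA9298432589D76DA87E80D6294BE9B"

# Constructed sample of `gpg --status-fd 1 --verify SHA512SUMS.sign SHA512SUMS`;
# the timestamp equals the "Signature made" time quoted in the thread.
STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG DA87E80D6294BE9B Debian CD signing key <debian-cd@lists.debian.org>
[GNUPG:] VALIDSIG DF9B9C49EAA9298432589D76DA87E80D6294BE9B 2023-06-10 1686405515 0 4 0 1 10 00 DF9B9C49EAA9298432589D76DA87E80D6294BE9B
"""

# Constructed sample of `gpg --with-colons --list-keys`; the creation time is
# a made-up instant on 2011-01-05, the date shown on the website.
KEYLIST = """\
pub:-:4096:1:DA87E80D6294BE9B:1294228800:::-:::scSC::::::23::0:
fpr:::::::::DF9B9C49EAA9298432589D76DA87E80D6294BE9B:
"""

def utc(epoch):
    return datetime.fromtimestamp(int(epoch), tz=timezone.utc)

def signature_info(status_text):
    """Return (primary key fingerprint, signature creation time) from VALIDSIG."""
    for line in status_text.splitlines():
        parts = line.split()
        if parts[:2] == ["[GNUPG:]", "VALIDSIG"] and len(parts) >= 12:
            # parts[4] is the signature timestamp; parts[11] is the primary
            # key fingerprint (parts[2] may be a signing subkey instead).
            return parts[11], utc(parts[4])
    raise ValueError("no VALIDSIG status line: signature did not verify")

def key_created(colon_text, fingerprint):
    """Return the creation time of the primary key with this fingerprint."""
    created = None
    for line in colon_text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            created = utc(f[5])      # field 6: key creation time
        elif f[0] == "sub":
            created = None           # fpr records after a sub belong to the subkey
        elif f[0] == "fpr" and created is not None and f[9] == fingerprint:
            return created
    raise KeyError(fingerprint)

def check(status_text, colon_text, expected_fpr=EXPECTED_FPR):
    fpr, signed_at = signature_info(status_text)
    return {"fingerprint_ok": fpr == expected_fpr, "signed_at": signed_at,
            "key_created": key_created(colon_text, fpr)}
```
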
Where to find the former? (Or do I not need it for checking the[...]
integrity of the download(s)?)
[...][1] : https://www.debian.org/CD/verify, e. g. 2011-01-05 [SC]
On 2023-06-23 20:59:07 +0200 (+0200), Julian Schreck wrote:
> Where to find the former? (Or do I not need it for checking the[...]
> integrity of the download(s)?)
> [...][1] : https://www.debian.org/CD/verify, e. g. 2011-01-05 [SC]
Please restate your question more precisely if this doesn't answer
it (because it's not clear what you meant by "find the former" since
"the former" was material you quoted in your reply already), but if
you follow that URL you'll see instructions for checking the
integrity and provenance of downloads.
I meant: Where to find *the date and time that the signature for the SHA512SUMS file was produced* (on the website)?