• timestamp of the signature of Debian 12 netinst

    From Julian Schreck@21:1/5 to All on Fri Jun 23 17:00:01 2023
    Dear all,
    I was downloading the netimage of bookworm, the signing key(s) and sha sums when I noticed that my timestamp of the signature [0] differs from the one on the website. [1]
    Is this a security issue or just a website not updated?

    Kind regards
    Julian
    --
    [0] :
    $ LC_ALL=C gpg --verify-files SHA512SUMS.sign
    gpg: assuming signed data in 'SHA512SUMS'
    gpg: Signature made Sat Jun 10 15:58:35 2023 CEST
    gpg: using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
    gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>" [unknown]
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg: There is no indication that the signature belongs to the owner.
    Primary key fingerprint: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B

    [1] : https://www.debian.org/CD/verify, e. g. 2011-01-05 [SC]

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Jonathan Wiltshire@21:1/5 to Julian Schreck on Fri Jun 23 19:10:01 2023
    On 23 June 2023 15:53:08 BST, Julian Schreck <js-priv@online.de> wrote:
    Dear all,
    I was downloading the netimage of bookworm, the signing key(s) and sha sums when I noticed that my timestamp of the signature [0] differs from the one on the website. [1]
    Is this a security issue or just a website not updated?

    Kind regards
    Julian
    --
    [0] :
    $ LC_ALL=C gpg --verify-files SHA512SUMS.sign
    gpg: assuming signed data in 'SHA512SUMS'
    gpg: Signature made Sat Jun 10 15:58:35 2023 CEST
    gpg: using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
    gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>" [unknown]
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg: There is no indication that the signature belongs to the owner.
    Primary key fingerprint: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B

    [1] : https://www.debian.org/CD/verify, e. g. 2011-01-05 [SC]


    You're comparing the timestamp of a signature with the creation time of the key which generated it. They're different things.
    --
    Jonathan Wiltshire jmw@debian.org
    Debian Developer http://people.debian.org/~jmw

    4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51

  • From Adam D. Barratt@21:1/5 to Julian Schreck on Fri Jun 23 18:20:01 2023
    On Fri, 2023-06-23 at 16:53 +0200, Julian Schreck wrote:
    I was downloading the netimage of bookworm, the signing key(s) and
    sha sums when I noticed that my timestamp of the signature [0]
    differs from the one on the website. [1]
    Is this a security issue or just a website not updated?


    You appear to be comparing two entirely different things, and expecting
    them to match.

    -
    [0] :
    $ LC_ALL=C gpg --verify-files SHA512SUMS.sign
    gpg: assuming signed data in 'SHA512SUMS'
    gpg: Signature made Sat Jun 10 15:58:35 2023 CEST
    gpg: using RSA key
    DF9B9C49EAA9298432589D76DA87E80D6294BE9B


    This is the date and time that the signature for the SHA512SUMS file
    was produced. Whereas this:

    [...]
    [1] : https://www.debian.org/CD/verify, e. g. 2011-01-05 [SC]

    is the date when the key was created.

    It would be very surprising if they *did* match.

    Regards,

    Adam

  • From Julian Schreck@21:1/5 to All on Fri Jun 23 21:00:01 2023
    Where to find the former? (Or do I not need it for checking the integrity of the download(s)?)
    --
    On Fri, 2023-06-23 at 16:53 +0200, Julian Schreck wrote:
    I was downloading the netimage of bookworm, the signing key(s) and
    sha sums when I noticed that my timestamp of the signature [0]
    differs from the one on the website. [1]
    Is this a security issue or just a website not updated?


    You appear to be comparing two entirely different things, and expecting
    them to match.

    -
    [0] :
    $ LC_ALL=C gpg --verify-files SHA512SUMS.sign
    gpg: assuming signed data in 'SHA512SUMS'
    gpg: Signature made Sat Jun 10 15:58:35 2023 CEST
    gpg: using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B


    This is the date and time that the signature for the SHA512SUMS file
    was produced. Whereas this:

    [...]
    [1] : https://www.debian.org/CD/verify, e. g. 2011-01-05 [SC]

    is the date when the key was created.

    It would be very surprising if they *did* match.

    Regards,

    Adam

  • From Jeremy Stanley@21:1/5 to Julian Schreck on Fri Jun 23 22:20:02 2023
    On 2023-06-23 20:59:07 +0200 (+0200), Julian Schreck wrote:
    Where to find the former? (Or do I not need it for checking the
    integrity of the download(s)?)
    [...]
    [1] : https://www.debian.org/CD/verify, e. g. 2011-01-05 [SC]
    [...]

    Please restate your question more precisely if this doesn't answer
    it (because it's not clear what you meant by "find the former" since
    "the former" was material you quoted in your reply already), but if
    you follow that URL you'll see instructions for checking the
    integrity and provenance of downloads.
    --
    Jeremy Stanley

    -----BEGIN PGP SIGNATURE-----

    iQKTBAABCgB9FiEEl65Jb8At7J/DU7LnSPmWEUNJWCkFAmSV+XlfFIAAAAAALgAo
    aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDk3
    QUU0OTZGQzAyREVDOUZDMzUzQjJFNzQ4Rjk5NjExNDM0OTU4MjkACgkQSPmWEUNJ
    WCnC7Q/+ImvZbifzSKWeQMCkKaoEgqn1j1z/mjYcXxU6NXyFpO2Yxo3bVbisYFtO
    xYtjol2p/vdB62lav2CAv3JTNh3N6XdtRYwCNFQGMuICL6S0eTMFXGZrKbKTTc0q
    6FqqRaDifMnPQbjqi/VoHrxyqPtfEaGlSj76lv0XSbeZzgurNyanefDXmNWNowgA
    AfLooQFFRsACo9g8FcY9w3xdZllBn74lh8Fb8RozLWv/KalMxi6aFW4QuZ69gg0L
    77g93wRagJUZGsBXMxT1DY+nrUQiGMRxJw4Tm1iImj0EUs+JHkSbYmy/vlJnxS9+
    auNC8D6AYmBIHVNyH4JgaIqzrI2nA5ZhkZR/a6wAnxpLELeV9o6o5w7y7TqvoRvX
    zGHuI26Pg+Cnj5YigKFhSrgrylAMhmrIqnDGW7yEt8dJK0VLvVnHxXOojjVaOWM/
    BRaIHTN1/Ch4R7D8eqN6PI3MXEtbRDejqHMRxAsHXHSjCjiY62nIP7TUxdtf3NtL
    Mx/iIDMD8ltqEd0AkilomxUyZyd4sy8jw2BJU0tSToitxm0H+yUhxElQj8OmBn6t
    KYLfrFX3uMNMEplwrs//n2awLhVWCEkAS1kmteUds4Fpw7E9KkqRfXkxVQDhL9n7
    Wp/t/Rxg0L0v2sEkz4/fZ0H2f7i3ZIfKdGaaKBB4i+4GQIzWDUI=
    =Sh26
    -----END PGP SIGNATURE-----

  • From Julian Schreck@21:1/5 to All on Sat Jun 24 20:30:01 2023
    I meant: Where to find *the date and time that the signature for the SHA512SUMS file was produced* (on the website)?
    --
    On 2023-06-23 20:59:07 +0200 (+0200), Julian Schreck wrote:
    Where to find the former? (Or do I not need it for checking the
    integrity of the download(s)?)
    [...]
    [1] : https://www.debian.org/CD/verify, e. g. 2011-01-05 [SC]
    [...]

    Please restate your question more precisely if this doesn't answer
    it (because it's not clear what you meant by "find the former" since
    "the former" was material you quoted in your reply already), but if
    you follow that URL you'll see instructions for checking the
    integrity and provenance of downloads.

  • From Jonathan Wiltshire@21:1/5 to Julian Schreck on Sat Jun 24 20:30:01 2023
    On 24 June 2023 19:20:57 BST, Julian Schreck <js-priv@online.de> wrote:
    I meant: Where to find *the date and time that the signature for the SHA512SUMS file was produced* (on the website)?
    --
    On 2023-06-23 20:59:07 +0200 (+0200), Julian Schreck wrote:
    Where to find the former? (Or do I not need it for checking the
    integrity of the download(s)?)
    [...]
    [1] : https://www.debian.org/CD/verify, e. g. 2011-01-05 [SC]
    [...]

    Please restate your question more precisely if this doesn't answer
    it (because it's not clear what you meant by "find the former" since
    "the former" was material you quoted in your reply already), but if
    you follow that URL you'll see instructions for checking the
    integrity and provenance of downloads.


    You won't find it there, and it doesn't matter. You only need to verify that the signature is by the trusted key, which your output indicates that it was (although you have to rely on a CA trust path).

    --
    Jonathan Wiltshire jmw@debian.org
    Debian Developer http://people.debian.org/~jmw

    4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
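Jonathan's last reply states the actual check: the signature must be by the trusted key, and the time at which it was made is beside the point (Adam's reply makes the same distinction between the signature time and the key's creation date). The following Python is an added example illustrating that, not code from the thread or Debian's own tooling: it decides acceptance from gpg's machine-readable status output (`gpg --status-fd 1 --verify SHA512SUMS.sign`) by pinning the signing key's fingerprint, which replaces the "[unknown]" web-of-trust path the thread mentions, and then checks a downloaded image against the SHA512SUMS listing. The status lines, the image bytes and the SHA512SUMS text are constructed (modelled on the output quoted in the thread); the fingerprint is the one printed there.

```python
"""Pinned-fingerprint acceptance of a gpg signature on SHA512SUMS, then a
SHA512SUMS check of a downloaded image.

Added example for the thread above, not Debian's own tooling. The status
lines, image bytes and SHA512SUMS text are constructed; the fingerprint is
the one printed in the thread.
"""
import hashlib
from datetime import datetime, timezone

# The Debian CD signing key fingerprint as printed in the thread. Pin it from
# an out-of-band source (https://www.debian.org/CD/verify), never from the
# signature output itself.
PINNED_FPR = "DF9B9C49EAA9298432589D76DA87E80D6294BE9B"

# Constructed status output, the machine-readable form of the thread's
# "Good signature ... [unknown]" run. 1686405515 is Sat Jun 10 13:58:35 2023
# UTC, i.e. the 15:58:35 CEST signature time quoted in the thread.
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG DA87E80D6294BE9B Debian CD signing key <debian-cd@lists.debian.org>
[GNUPG:] VALIDSIG DF9B9C49EAA9298432589D76DA87E80D6294BE9B 2023-06-10 1686405515 0 4 0 1 10 00 DF9B9C49EAA9298432589D76DA87E80D6294BE9B
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""


def parse_status(text):
    """Group '[GNUPG:] KEYWORD args' lines by keyword."""
    grouped = {}
    prefix = "[GNUPG:] "
    for line in text.splitlines():
        if not line.startswith(prefix):
            continue
        keyword, _, args = line[len(prefix):].partition(" ")
        grouped.setdefault(keyword, []).append(args)
    return grouped


def signature_accepted(status_text, pinned_fpr=PINNED_FPR):
    """Return (accepted, reason, signature_time).

    Acceptance rests solely on a VALIDSIG line whose primary-key fingerprint
    equals the pinned one. GOODSIG alone is not enough (it carries only the
    short key ID), and gpg's trust verdict is ignored: TRUST_UNDEFINED, the
    '[unknown]' in the thread, is expected when the key is not in your web of
    trust, and the pin stands in for that trust path. The signature time is
    returned for display only; it plays no part in the decision.
    """
    status = parse_status(status_text)
    if "BADSIG" in status or "ERRSIG" in status:
        return False, "signature did not verify", None
    seen = []
    for args in status.get("VALIDSIG", []):
        fields = args.split()
        # VALIDSIG: fpr date timestamp expire ver reserved pkalgo hashalgo class [primary-fpr]
        primary = fields[9] if len(fields) > 9 else fields[0]
        sig_time = datetime.fromtimestamp(int(fields[2]), tz=timezone.utc)
        if primary.upper() == pinned_fpr.upper():
            return True, "valid signature by the pinned key", sig_time
        seen.append((primary, sig_time))
    if seen:
        return False, f"valid signature, but by unexpected key {seen[0][0]}", seen[0][1]
    return False, "no VALIDSIG line in status output", None


def check_sha512sums(sums_text, files):
    """Check files we hold against a SHA512SUMS listing.

    `files` maps file name to bytes. Returns {name: bool} for names present in
    both; listed names we did not download are skipped, like
    `sha512sum --ignore-missing -c SHA512SUMS`.
    """
    results = {}
    for line in sums_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")  # a leading '*' marks binary mode
        if name in files:
            results[name] = hashlib.sha512(files[name]).hexdigest() == digest.lower()
    return results


# Constructed stand-in for the downloaded image and its SHA512SUMS entry.
SAMPLE_NAME = "debian-12.0.0-amd64-netinst.iso"
SAMPLE_IMAGE = b"constructed stand-in for the netinst image\n"
SAMPLE_SUMS = (
    f"{hashlib.sha512(SAMPLE_IMAGE).hexdigest()}  {SAMPLE_NAME}\n"
    f"{'0' * 128}  some-other-image.iso\n"  # listed but not downloaded: skipped
)


if __name__ == "__main__":
    ok, why, when = signature_accepted(SAMPLE_STATUS)
    print(f"signature: {ok} ({why}); made {when:%Y-%m-%d %H:%M:%S %Z}")
    print("image:", check_sha512sums(SAMPLE_SUMS, {SAMPLE_NAME: SAMPLE_IMAGE}))
```

With a real download, feed the script the output of `gpg --status-fd 1 --verify SHA512SUMS.sign SHA512SUMS` and the bytes of the image; the decision is made by the fingerprint comparison, and the signature timestamp that prompted the question is only reported.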