
timestamp of the signature of Debian 12 netinst


Julian Schreck

Jun 23, 2023, 11:00:03 AM
Dear all,
I was downloading the netimage of bookworm, the signing key(s) and sha sums when I noticed that my timestamp of the signature [0] differs from the one on the website. [1]
Is this a security issue or just a website not updated?

Kind regards
Julian
--
[0] :
$ LC_ALL=C gpg --verify-files SHA512SUMS.sign
gpg: assuming signed data in 'SHA512SUMS'
gpg: Signature made Sat Jun 10 15:58:35 2023 CEST
gpg: using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
gpg: Good signature from "Debian CD signing key <debi...@lists.debian.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B

[1] : https://www.debian.org/CD/verify, e. g. 2011-01-05 [SC]

Adam D. Barratt

Jun 23, 2023, 12:20:03 PM
On Fri, 2023-06-23 at 16:53 +0200, Julian Schreck wrote:
> I was downloading the netimage of bookworm, the signing key(s) and
> sha sums when I noticed that my timestamp of the signature [0]
> differs from the one on the website. [1]
> Is this a security issue or just a website not updated?
>

You appear to be comparing two entirely different things, and expecting
them to match.

> -
> [0] :
> $ LC_ALL=C gpg --verify-files SHA512SUMS.sign
> gpg: assuming signed data in 'SHA512SUMS'
> gpg: Signature made Sat Jun 10 15:58:35 2023 CEST
> gpg: using RSA key
> DF9B9C49EAA9298432589D76DA87E80D6294BE9B
>

This is the date and time that the signature for the SHA512SUMS file
was produced. Whereas this:

[...]
> [1] : https://www.debian.org/CD/verify, e. g. 2011-01-05 [SC]

is the date when the key was created.

It would be very surprising if they *did* match.

Regards,

Adam

Jonathan Wiltshire

Jun 23, 2023, 1:10:03 PM
You're comparing the timestamp of a signature with the creation time of the key which generated it. They're different things.




--
Jonathan Wiltshire j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51

Julian Schreck

Jun 23, 2023, 3:00:03 PM
Where to find the former? (Or do I not need it for checking the integrity of the download(s)?)
--

Jeremy Stanley

Jun 23, 2023, 4:20:04 PM
On 2023-06-23 20:59:07 +0200 (+0200), Julian Schreck wrote:
> Where to find the former? (Or do I not need it for checking the
> integrity of the download(s)?)
[...]
> > > [1] : https://www.debian.org/CD/verify, e. g. 2011-01-05 [SC]
[...]

Please restate your question more precisely if this doesn't answer
it (because it's not clear what you meant by "find the former" since
"the former" was material you quoted in your reply already), but if
you follow that URL you'll see instructions for checking the
integrity and provenance of downloads.
--
Jeremy Stanley

Julian Schreck

Jun 24, 2023, 2:30:03 PM
I meant: Where to find *the date and time that the signature for the SHA512SUMS file was produced* (on the website)?
--

Jonathan Wiltshire

Jun 24, 2023, 2:30:04 PM
You won't find it there, and it doesn't matter. You only need to verify that the signature is by the trusted key, which your output indicates that it was (although you have to rely on a CA trust path).
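
Added example, not part of the thread and not Debian's own tooling: a shell sketch that reads GnuPG's machine-readable output and accepts a signature only when the signing key's primary fingerprint equals a pinned one, while reporting the signature time and the key creation time as the two separate values the replies describe. The function names `check_signer` and `key_created` are hypothetical, and both sample records are constructed from the values quoted in the thread (the key's size and time of day are assumed).

```shell
#!/bin/sh
# Added example: function names and sample records are constructed.
# Real input would come from:
#   gpg --status-fd 1 --verify SHA512SUMS.sign SHA512SUMS 2>/dev/null
#   gpg --with-colons --list-keys <fingerprint>

# Fingerprint as printed in the thread's gpg output; in practice, pin the
# value obtained from a source you already trust.
DEBIAN_CD_FPR="DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B"

# Constructed status lines modelled on the thread's output
# (signature time 2023-06-10 13:58:35 UTC = 1686405515).
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] VALIDSIG DF9B9C49EAA9298432589D76DA87E80D6294BE9B 2023-06-10 1686405515 0 4 0 1 10 00 DF9B9C49EAA9298432589D76DA87E80D6294BE9B'

# Constructed key record; field 6 is the key creation time
# (2011-01-05, time of day assumed to be 00:00:00 UTC).
SAMPLE_KEY='pub:-:4096:1:DA87E80D6294BE9B:1294185600:::-:::scSC:'

# check_signer PINNED_FPR  (status lines on stdin)
# Exit 0 only if a VALIDSIG line names PINNED_FPR as the primary key.
# Prints the signature creation time; it is informational, not a check.
check_signer() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            # $3 signing (sub)key fpr, $5 signature time, $12 primary fpr
            primary = (NF >= 12) ? $12 : $3
            if (toupper(primary) == want) { print $5; ok = 1 }
        }
        END { exit !ok }
    '
}

# key_created  (gpg --with-colons key listing on stdin)
# Prints the creation time of the primary key (field 6 of the pub record).
key_created() {
    awk -F: '$1 == "pub" { print $6; exit }'
}

# Demo on the constructed samples: the two times differ by design.
if sig=$(printf '%s\n' "$SAMPLE_STATUS" | check_signer "$DEBIAN_CD_FPR"); then
    key=$(printf '%s\n' "$SAMPLE_KEY" | key_created)
    echo "signer matches pinned key; signature=$sig key-created=$key"
fi
```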