[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: timestamp of the signature of Debian 12 netinst

On 23 June 2023 15:53:08 BST, Julian Schreck <js-priv@online.de> wrote:
>Dear all,
>I was downloading the netimage of bookworm, the signing key(s) and sha sums when I noticed that my timestamp of the signature [0] differs from the one on the website. [1]
>Is this a security issue or just a website not updated?
>
>Kind regards
>Julian
>--
>[0] :
>$ LC_ALL=C gpg --verify-files SHA512SUMS.sign
>gpg: assuming signed data in 'SHA512SUMS'
>gpg: Signature made Sat Jun 10 15:58:35 2023 CEST
>gpg:                using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
>gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>" [unknown]
>gpg: WARNING: This key is not certified with a trusted signature!
>gpg:          There is no indication that the signature belongs to the owner.
>Primary key fingerprint: DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B
>
>[1] : https://www.debian.org/CD/verify, e. g. 2011-01-05 [SC]
>

You're comparing the timestamp of a signature with the creation time of the key which generated it. They're different things.




-- 
Jonathan Wiltshire jmw@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
Reply to: