Re: timestamp of the signature of Debian 12 netinst
Where to find the former? (Or do I not need it for checking the integrity of the download(s)?)
--
> On Fri, 2023-06-23 at 16:53 +0200, Julian Schreck wrote:
> > I was downloading the netimage of bookworm, the signing key(s) and
> > sha sums when I noticed that my timestamp of the signature [0]
> > differs from the one on the website. [1]
> > Is this a security issue or just a website not updated?
> >
>
> You appear to be comparing two entirely different things, and expecting
> them to match.
>
> > -
> > [0] :
> > $ LC_ALL=C gpg --verify-files SHA512SUMS.sign
> > gpg: assuming signed data in 'SHA512SUMS'
> > gpg: Signature made Sat Jun 10 15:58:35 2023 CEST
> > gpg: using RSA key
> > DF9B9C49EAA9298432589D76DA87E80D6294BE9B
> >
>
> This is the date and time that the signature for the SHA512SUMS file
> was produced. Whereas this:
>
> [...]
> > [1] : https://www.debian.org/CD/verify, e. g. 2011-01-05 [SC]
>
> is the date when the key was created.
>
> It would be very surprising if they *did* match.
>
> Regards,
>
> Adam
Reply to: