[Solved] ISO verification - no trusted keys - expired keys

icavot · 2018-11-02 19:42:24

Hi. I'm trying to verify a Devuan ascii live ISO.

·When I run: 'gpg --import devuan-devs.gpg' I get this message:

gpg: Total number processed: 7
gpg: imported: 7
gpg: no ultimately trusted keys found

· When I run: 'gpg --verify SHA256SUMS.asc' I get this message:

gpg: Good signature from "fsmithred (aka fsr)" [expired]
gpg: Note: This key has expired!

Is this OK?

Last edited by icavot (2018-11-04 22:31:54)

clint.barton · 2018-11-03 01:23:22

icavot wrote:

Is this OK?

I think it's no OK. Where did you download devuan-devs.gpg file? I've downloaded it from Leaseweb mirror.. This is the output when import the key:

And when I check the SHA256SUMS.asc file I get this:

Regards.

icavot · 2018-11-03 13:20:15

clint.barton wrote:

Where did you download devuan-devs.gpg file?

I downloaded the files from the fau.de mirror: https://ftp.fau.de/devuan-cd/devuan_ascii/
I want to use the desktop live ISO. https://ftp.fau.de/devuan-cd/devuan_ascii/desktop-live/

fsmithred · 2018-11-03 22:24:28

Yeah, my key expired. I wasn't paying attention. I'm not at home right now, so I can't fix it. Post the sha256sum of the file you downloaded, and someone here can verify it.

Make sure you say exactly which iso you have.

icavot · 2018-11-04 07:56:25

fsmithred wrote:

Yeah, my key expired. I wasn't paying attention. I'm not at home right now, so I can't fix it. Post the sha256sum of the file you downloaded, and someone here can verify it.
Make sure you say exactly which iso you have.

This is the SHA256SUM that it's suposed to have:
76584ce7183993306af8b00edc8ffce3a1dc69b10f0a97e0a6302d49b0a63858 devuan_ascii_2.0.0_amd64_desktop-live.iso
Source: https://ftp.fau.de/devuan-cd/devuan_asc … SHA256SUMS

And this is the SHA256SUM of the ISO that I got with the program gtkhash:
76584ce7183993306af8b00edc8ffce3a1dc69b10f0a97e0a6302d49b0a63858
I got the ISO from this folder: https://ftp.fau.de/devuan-cd/devuan_ascii/desktop-live/ (it's the amd64 desktop live ISO)

They coincide. In principle, that should be ok, right?

Also:

This is the source of the file SHA256SUMS.asc:
https://ftp.fau.de/devuan-cd/devuan_asc … 56SUMS.asc

This the the source of the devuan-devs.gpg file:
https://ftp.fau.de/devuan-cd/devuan_asc … n-devs.gpg

fsmithred · 2018-11-04 16:55:43

OK, sorry for the trouble. Here's what happened - I extended the expiration date back on Sept. 9, but I wasn't able to send the key to a keyserver due to network problems. I even used that key a couple weeks ago and didn't notice a problem, because the key is not expired on my system.

Key was uploaded to pgp.mit.edu a few minutes ago, and it show up on their website. It may take a little time to propagate to other keyservers. Meanwhile, here's the sha256sums directly from the file I uploaded to files.devuan.org back when the isos got uploaded. (May?) It matches what's on the download site.

76584ce7183993306af8b00edc8ffce3a1dc69b10f0a97e0a6302d49b0a63858  devuan_ascii_2.0.0_amd64_desktop-live.iso
8f535c235897303a5d55266858ffe9fe6c4d3e830f609c77c406f6e4aed0befa  devuan_ascii_2.0.0_i386_desktop-live.iso

icavot · 2018-11-04 22:31:24

OK. Thanks a lot.

The officially official Devuan Forum!

#1 2018-11-02 19:42:24

[Solved] ISO verification - no trusted keys - expired keys

#2 2018-11-03 01:23:22

Re: [Solved] ISO verification - no trusted keys - expired keys

#3 2018-11-03 13:20:15

Re: [Solved] ISO verification - no trusted keys - expired keys

#4 2018-11-03 22:24:28

Re: [Solved] ISO verification - no trusted keys - expired keys

#5 2018-11-04 07:56:25

Re: [Solved] ISO verification - no trusted keys - expired keys

#6 2018-11-04 16:55:43

Re: [Solved] ISO verification - no trusted keys - expired keys

#7 2018-11-04 22:31:24

Re: [Solved] ISO verification - no trusted keys - expired keys

Board footer