Welcome to SparkyLinux forums
Zapraszamy również na polsko-języczne Forum https://forum.linuxiarze.pl

Problems during iso verification - RSA key identical to primary key fingerprint?

Started by icehawk, May 13, 2017, 03:45:48 PM

Previous topic - Next topic

icehawk

Hello,

hope that this is the right section. I just downloaded 4.5.2 with LXQT desktop environment and started to verify it, like explained here: https://sparkylinux.org/wiki/doku.php/verify_iso

All the checksums match. I could also download and import the key without problems.

Then I enter this command:
gpg --keyid-format 0xlong --verify sparkylinux-4.5.2-i686-lxqt.iso.sig sparkylinux-4.5.2-i686-lxqt.iso

I get the following output:
gpg: Signature made Fr 16 Dez 2016 19:37:20 CET
gpg:                using RSA key 1F61A0A8478AE18EA3E77CF9C39D3F722C86EECA
gpg: Good signature from "Paweł Pijanowski (SparkyLinux ISO images key) <pavroo@onet.eu>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 1F61 A0A8 478A E18E A3E7  7CF9 C39D 3F72 2C86 EECA

I know that the "WARNING: ... belongs to the owner" part is because I haven't signed the key yet.

What confuses me is that the RSA key here is 1F61A0A8478AE18EA3E77CF9C39D3F722C86EECA (according to the Sparky Wiki it should be 0xC39D3F722C86EECA).

However, the entry in the Sparky Wiki refers to version 4.3 - has the RSA key changed since version 4.3?
I also find it strange that the RSA key is actually identical to the primary key fingerprint.

I don't have much experience with GPG, so I hope someone can tell me if there could be something wrong with this image. Probably not, but I'd like to be sure. Thank you

pavroo

Nothing is easy as it looks. Danielle Steel
Join #sparkylinux.org at [url="//irc.libera.chat"]irc.libera.chat[/url]

View the most recent posts on the forum