![[BunsenLabs Logo]](/img/bl.svg)
You are not logged in.
- Topics: Active | Unanswered
#1 2025-02-27 16:39:18
- Nisang
- New Member
- Registered: 2025-02-27
- Posts: 1
Authenticity check does not work
Hi there!
I downloaded (two days back)
boron-1-240123-amd64.hybrid.iso
boron-1-240123-amd64.hybrid.iso.sha256
boron-1-240123-amd64.hybrid.iso.asc (today)
did the integrity check
and the Authenticity check fails:
$ gpg --verify boron-1-240123-amd64.hybrid.iso.asc boron-1-240123-amd64.hybrid.iso
gpg: Signatur vom Mi 24 Jan 2024 06:01:47 CET
gpg: mittels RSA-Schlüssel E5449188755EC9485D3207BC7C38E34CAED6420C
gpg: Aussteller "bunsen-release@bunsenlabs.org"
gpg: Korrekte Signatur von "BunsenLabs Release Key <bunsen-release@bunsenlabs.org>" [unbekannt]
gpg: WARNUNG: Dieser Schlüssel trägt keine vertrauenswürdige Signatur!
gpg: Es gibt keinen Hinweis, daß die Signatur wirklich dem vorgeblichen Besitzer gehört.
Haupt-Fingerabdruck = 0F54 A732 2439 0760 EB5D 9A04 6979 6250 0AFF 9B75
Unter-Fingerabdruck = E544 9188 755E C948 5D32 07BC 7C38 E34C AED6 420Cas I found in the forum here to use the .sha256 instead of the iso I also tried this:
$ gpg --verify boron-1-240123-amd64.hybrid.iso.asc boron-1-240123-amd64.hybrid.iso.sha256
gpg: Signatur vom Mi 24 Jan 2024 06:01:47 CET
gpg: mittels RSA-Schlüssel E5449188755EC9485D3207BC7C38E34CAED6420C
gpg: Aussteller "bunsen-release@bunsenlabs.org"
gpg: FALSCHE Signatur von "BunsenLabs Release Key <bunsen-release@bunsenlabs.org>" [unbekannt]without being successful.
I downloaded the iso again today
with the same result
does anyone have any idea what the reason is?
thanks for any answer in advance
Nisang
EDIT: Mod edit: Added code tags
Last edited by Nisang (2025-02-27 16:41:05)
Offline
#2 2025-02-27 17:20:19
- Head_on_a_Stick
- Member
- From: London
- Registered: 2015-09-29
- Posts: 9,093
- Website
Re: Authenticity check does not work
The signature is correct ("Korrekte Signatur"), the warning is because gnupg considers it "unverified" — ie, it cannot confirm that the owner of the key is who they say they are but the key does match.
To get rid of the warning counter-sign the BunsenLabs key with your own. There is no reason to do that though beyond getting rid of the warning, it does not improve your security in any meaningful way.
EDIT: in future please prepend commands with LC_ALL=C to make them speak English. Thanks.
EDIT2: and please use code tags when posting terminal output, it makes it easier to read.
Last edited by Head_on_a_Stick (2025-02-27 17:23:39)
Offline