Zhang Boyang
2022-05-19 04:40:01 UTC
Package: debian-cd
Hello,
I downloaded the Debian ISO and its SHA512SUMS file. However, when I use gpg
to verify the authenticity of SHA512SUMS, I found that the signature file uses
SHA256 as its digest algorithm. Although SHA256 is pretty safe, it seems
strange to sign a SHA512SUMS with SHA256. I think it's better to
sign SHA512SUMS with SHA512.
Best Regards,
Zhang Boyang
$ LANG=C gpg -v --verify SHA512SUMS.sign
gpg: assuming signed data in 'SHA512SUMS'
gpg: Signature made Sun Mar 27 05:22:41 2022 CST
gpg: using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
gpg: using pgp trust model
gpg: Good signature from "Debian CD signing key <debian-***@lists.debian.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B
gpg: binary signature, digest algorithm SHA256, key algorithm rsa4096
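As an added example (not part of the bug report), a small parser for gpg's machine-readable `--status-fd` output that surfaces the same fact the reporter read off the verbose output, the digest algorithm behind the signature, next to the checks a download verifier actually needs: a pinned key fingerprint and a rejection of broken digests. The sample status lines are constructed from the values in the report, and the `accept` policy is an assumption.

```python
import re

# OpenPGP hash-algorithm IDs (RFC 4880, section 9.4) as they appear in the
# VALIDSIG line printed by `gpg --status-fd`.
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK_DIGESTS = {"MD5", "SHA1"}

# Fingerprint of the Debian CD signing key as printed in the report above.
DEBIAN_CD_FPR = "DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B"

# Constructed sample of `gpg --status-fd 1 --verify SHA512SUMS.sign SHA512SUMS`
# mirroring the report: RSA key (pk-algo 1), digest SHA256 (hash-algo 8).
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG DA87E80D6294BE9B Debian CD signing key <debian-***@lists.debian.org>
[GNUPG:] VALIDSIG DF9B9C49EAA9298432589D76DA87E80D6294BE9B 2022-03-26 1648329761 0 4 0 1 8 00 DF9B9C49EAA9298432589D76DA87E80D6294BE9B
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""


def check_sums_signature(status_output, expected_fpr, sums_name):
    """Parse gpg status lines for a checksum-file signature and report what a
    verifier should act on: did the signature validate, was it made by the
    expected key (pinned by fingerprint, since gpg's trust warning only says
    the key is uncertified), which digest was used, and does that digest
    match the family named by the checksum file (SHA512SUMS -> SHA512)."""
    result = {"good": False, "fingerprint": None, "digest": None}
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] == "GOODSIG":
            result["good"] = True
        elif fields[1] == "VALIDSIG":
            # VALIDSIG <fpr> <date> <ts> <expire> <ver> <reserved> <pk-algo>
            #          <hash-algo> <class> [<primary-fpr>]
            result["fingerprint"] = fields[-1] if len(fields) >= 12 else fields[2]
            result["digest"] = HASH_ALGOS.get(int(fields[9]), "algo%s" % fields[9])
    expected = expected_fpr.replace(" ", "").upper()
    result["key_matches"] = result["fingerprint"] == expected
    m = re.match(r"(MD5|SHA\d+)SUMS", sums_name)
    result["digest_matches_sums"] = result["digest"] == (m.group(1) if m else None)
    result["digest_weak"] = result["digest"] in WEAK_DIGESTS
    # Assumed policy: accept only a good signature from the pinned key that was
    # not made with a broken digest. A SHA256-signed SHA512SUMS is reported as
    # a mismatch (the point of the bug) but is not itself grounds to reject.
    result["accept"] = result["good"] and result["key_matches"] and not result["digest_weak"]
    return result
```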