Preparing a new Gentoo installation, I decided to go by the book. So:

- downloaded the current installation cd .iso file (time stamp 03-Dec-2009 13:29 on http://mirrors.kernel.org/gentoo/releases/amd64/autobuilds/current-iso/)
- downloaded the DIGESTS (time stamp 03-Dec-2009 13:29)
- downloaded the ASC (time stamp 04-Dec-2009 06:35)

Ditto for the stage3

- MD5 digest works fine
- gpg verification does not work

Following the installation manual:

    >gpg --keyserver subkeys.pgp.net --recv-keys 17072058
    gpg: requesting key 17072058 from hkp server subkeys.pgp.net
    gpg: key 17072058: "Gentoo Linux Release Engineering (Gentoo Linux Release Signing Key) <releng@gentoo.org>" not changed
    gpg: Total number processed: 1
    gpg: unchanged: 1

    >gpg --verify install-amd64-minimal-20091203.iso.DIGESTS.asc install-amd64-minimal-20091203.iso
    gpg: not a detached signature

This .ASC file contains the digests as well as a PGP - see below.

Deleting the digests and only keeping the PGP signature part gives:

    >gpg --verify install-amd64-minimal-20091203.iso.asc install-amd64-minimal-20091203.iso
    gpg: can't handle text lines longer than 19995 characters
    gpg: Signature made Fri Dec 4 07:35:41 2009 CET using RSA key ID 2D182910
    gpg: Can't check signature: No public key

The stage3 file gives similar errors.

Seeing that the RSA key ID is 2D182910, I tried

    gpg --keyserver subkeys.pgp.net --recv-keys 2D182910

and then tried gpg --verify again. Now I get

    gpg: can't handle text lines longer than 19995 characters
    gpg: Signature made Fri Dec 4 07:35:42 2009 CET using RSA key ID 2D182910
    gpg: BAD signature from "Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>"

Reproducible: Always

Steps to Reproduce:
1. get december 3 install media
2. get handbook
3. follow handbook

Expected Results:
Go by the book AND have pgp tell me that everything is fine.
Content of the DIGEST.ASC file:

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    # MD5 HASH
    6e0d14dc41fa00404abcad95c93b5af4 install-amd64-minimal-20091203.iso
    # SHA1 HASH
    027854f5d212a47f1137d67da74b7dbdbc625dde install-amd64-minimal-20091203.iso
    # MD5 HASH
    c79c389f375d4abeed0e7967ea88486d install-amd64-minimal-20091203.iso.CONTENTS
    # SHA1 HASH
    d74f3c189fbdc02e4d49d6c9262e822b8c4ea51b install-amd64-minimal-20091203.iso.CONTENTS
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.6 (GNU/Linux)

    -----END PGP SIGNATURE-----
Not a documentation problem. Possibly you just downloaded a bad image (or an improperly hashed image), or your 'net connection corrupted it. Try a newer stage. Reassigning to the folks who can do something about the media; it's not a handbook issue.
The verification procedure is described at <http://www.gentoo.org/proj/en/releng/index.xml#doc_chap5>. The handbook describes the installation of media "located in the releases/$arch/autobuilds/current-iso/ directory". Then the listed gpg key is wrong (see the table at link above for which key is used for each release).
(In reply to comment #1)
> Not a documentation problem. Possibly you just downloaded a bad image (or an
> improperly hashed image), or your 'net connection corrupted it. Try a newer
> stage.
>
> Reassigning to the folks who can do something about the media; it's not a
> handbook issue.

Well. The handbook assumes the verification is correct. Maybe there should be an indication "when verification goes wrong"?
> The handbook describes the installation of media "located in the
> releases/$arch/autobuilds/current-iso/ directory". Then the listed gpg key is
> wrong (see the table at link above for which key is used for each release).

Proposed changes to the handbook:

starting from:

Code Listing 3.1: Obtaining the public key
$ gpg --keyserver subkeys.pgp.net --recv-keys 17072058

add to doc:

> The public key changes from time to time. Please verify
> <http://www.gentoo.org/proj/en/releng/index.xml#doc_chap5>
> for the latest key.
> Now verify the signature and the checksum:
> Code Listing 3.2: Verify the cryptographic signature
> $ gpg --verify <foo.DIGESTS.asc>
> $ sha1sum -c <foo.DIGESTS.asc>
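
The DIGESTS.asc in this report is a clearsigned file, so the signature covers only the lines between the "BEGIN PGP SIGNED MESSAGE" header and the signature block. The sketch below is an added example, not part of the bug report or of Gentoo's tooling: it checks a file's digest against entries from that region only. The function names and the sample data are constructed for illustration, and the signature itself still has to be validated with gpg --verify.

```python
import hashlib

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"

def signed_lines(text):
    """Return only the cleartext lines between the clearsign header and the signature."""
    lines = text.splitlines()
    start = lines.index(BEGIN_MSG)            # ValueError: not a clearsigned file
    end = lines.index(BEGIN_SIG, start)
    body = lines[start + 1:end]
    body = body[body.index("") + 1:]          # drop "Hash:" armor headers up to the blank line
    # Undo dash-escaping ("- " is prefixed to cleartext lines that start with "-").
    return [ln[2:] if ln.startswith("- ") else ln for ln in body]

def parse_digests(lines):
    """Map (algorithm, filename) -> hex digest from '# <ALGO> HASH' sections."""
    algo, found = None, {}
    for ln in lines:
        if ln.startswith("#"):
            words = ln.split()
            algo = words[1].lower() if len(words) == 3 and words[2] == "HASH" else None
        elif algo:
            parts = ln.split(None, 1)
            if len(parts) == 2:
                found[(algo, parts[1].strip())] = parts[0].lower()
    return found

def check(text, name, data, algo="sha1"):
    """True only if data matches the digest listed for name inside the signed region."""
    want = parse_digests(signed_lines(text)).get((algo, name))
    return want is not None and hashlib.new(algo, data).hexdigest() == want

# Constructed sample: placeholder signature, plus an extra digest line appended
# after the signature block, where no signature covers it.
GOOD, OTHER = b"constructed image\n", b"different image\n"
SAMPLE = "\n".join([
    BEGIN_MSG, "Hash: SHA1", "",
    "# SHA1 HASH", hashlib.sha1(GOOD).hexdigest() + "  demo.iso",
    BEGIN_SIG, "", "PLACEHOLDER", "-----END PGP SIGNATURE-----",
    "# SHA1 HASH", hashlib.sha1(OTHER).hexdigest() + "  demo.iso",
])

if __name__ == "__main__":
    print(check(SAMPLE, "demo.iso", GOOD))
    print(check(SAMPLE, "demo.iso", OTHER))
```

Parsing every line of the sample instead of only the signed region would pick up the trailing unsigned entry, which is why the check goes through signed_lines() first.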
I guess there is nothing for infra to do here.
*** This bug has been marked as a duplicate of bug 283402 ***