On Fri, 2023-06-23 at 16:53 +0200, Julian Schreck wrote: > I was downloading the netimage of bookworm, the signing key(s) and > sha sums when I noticed that my timestamp of the signature [0] > differs from the one on the website. [1] > Is this a security issue or just a website not updated? >
You appear to be comparing two entirely different things, and expecting them to match. > - > [0] : > $ LC_ALL=C gpg --verify-files SHA512SUMS.sign > gpg: assuming signed data in 'SHA512SUMS' > gpg: Signature made Sat Jun 10 15:58:35 2023 CEST > gpg: using RSA key > DF9B9C49EAA9298432589D76DA87E80D6294BE9B > This is the date and time that the signature for the SHA512SUMS file was produced. Whereas this: [...] > [1] : https://www.debian.org/CD/verify, e. g. 2011-01-05 [SC] is the date when the key was created. It would be very surprising if they *did* match. Regards, Adam