BAD sig with Devuan Jessie 1.0.0-RC

Top Page
Attachments:
Message as email
+ (text/plain)
+ dump_170423_1642_g0n.pcap (application/vnd.tcpdump.pcap)
+ SHA256SUMS (text/plain)
+ SHA256SUMS.asc (application/pgp-encrypted)
+ signature.asc (application/pgp-signature)
Delete this message
Author: Miroslav Rovis
Date:  
CC: dng
Subject: BAD sig with Devuan Jessie 1.0.0-RC
I'm not inventing. But neither denying it might potentially be an issue
with my system, such as with my GnuPg or other, nor that it might be a
problem deriving, made on the network through which I downloaded the:

devuan_jessie_1.0.0-RC_amd64_DVD.iso

( $ wget \
https://files.devuan.org/devuan_jessie_rc/installer-iso/devuan_jessie_1.0.0-RC_amd64_DVD.iso
)

But let's get the possibility that the hash and sig files that I also downloaded
from:
https://files.devuan.org/devuan_jessie_rc/installer-iso/

are to blame.

The shortest is the network trace upon getting the BAD signature upon
verification, attached (minimal anonymization of just the MACs with done
on it as per my script dump_perl_repl.sh avalable at
https://github.com/miroR/uncenz ):

dump_170423_1642_g0n.pcap

which is all in cleartext (no SSL), because I redownloaded

wget http://devuan.c3l.lu/devuan_jessie_rc/installer-iso/SHA256SUMS.asc
and
wget http://devuan.c3l.lu/devuan_jessie_rc/installer-iso/SHA256SUMS

and I got the same hash as sig as before.

That don't lie. Fullstop. For that reason I'm rushing a little to send
this (I'm not a wizard to fake network conversation, so it should be
taken as truth that I got those a quarter of an hour ago, pls. allow
later errata), but here's more of actual pastes from my terminals:

$ gpg --verify SHA256SUMS.asc SHA256SUMS
gpg: Signature made Sat 22 Apr 2017 09:44:23 CEST
gpg:                using RSA key 73B35DA54ACB7D10
gpg: BAD signature from "Denis Roio (Jaromil) <jaromil@???>" [unknown]
$ gpg --recv-keys 73B35DA54ACB7D10
gpg: key 73B35DA54ACB7D10: "Denis Roio (Jaromil) <jaromil@???>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
$ diff SHA256SUMS.asc SHA256SUMS.asc.1
$ diff SHA256SUMS SHA256SUMS.1
$ gpg --verify SHA256SUMS.asc SHA256SUMS
gpg: Signature made Sat 22 Apr 2017 09:44:23 CEST
gpg:                using RSA key 73B35DA54ACB7D10
gpg: BAD signature from "Denis Roio (Jaromil) <jaromil@???>" [unknown]
$ 


$ cat SHA256SUMS | grep devuan_jessie_1.0.0-RC_amd64_DVD.iso > SHA256SUMS_CHECK

$ sha256sum -c SHA256SUMS_CHECK
devuan_jessie_1.0.0-RC_amd64_DVD.iso: OK
$

Do other readers get Jaromil's sig on that hash verified?

(I'm also attaching the SHA256SUMS.asc SHA256SUMS and don't verify here.)

--
Miroslav Rovis
Zagreb, Croatia
https://www.CroatiaFidelis.hr
39ac1f1cdd007e998a99b6ba083ee230df1178c2675dff06356afd8724829e8c devuan_jessie_1.0.0-RC_amd64_CD.iso
f4b0fc1fd3c7769055f4b611d8173a6a3be38eced0bcc72c65cc2fefa0914837 devuan_jessie_1.0.0-RC_amd64_DVD.iso
d418998acbae2a7c6a60430c6192e13da7c8ad14da4a63fafe3b08a79621914d devuan_jessie_1.0.0-RC_amd64_NETINST.iso
0e7b035065f8edb2382c33be399084db75310e24c8202f7eda0f6446d4cee243 devuan_jessie_1.0.0-RC_i386_CD.iso
c8503f5196a2fc5663d277f2e4741fed17028011bbb4cd1fcb1dfc0751036eb1 devuan_jessie_1.0.0-RC_i386_DVD.iso
ac8314c6289542f6dd988290a58f491c267aa7dfd0db98be4d974b70cef5dd4d devuan_jessie_1.0.0-RC_i386_NETINST.iso