First determine which key to use to check the digital signature.
That produces the error you already specified:
```
gpg: Signature made 02/09/20 02:01:10 GMT Standard Time
gpg: using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
gpg: Can't check signature: No public key
```
You need to copy the string behind 'RSA key' to your clipboard. Then you can fetch the proper key for that key ID:
```
gpg --keyserver keyring.debian.org --recv DF9B9C49EAA9298432589D76DA87E80D6294BE9B
```
You should get a confirmation message that the proper key has been imported.
Now you can check the validity of the signature file and of the ISO key file:
```
gpg --verify SHA512SUMS.sign SHA512SUMS
```
This should report that the digital signature is valid and uncompromised. Furthermore, it should report that the contents of the SHA512SUMS file are also uncompromised and valid.
It looks a bit like this (the following doesn't show YOUR key ID and shows another digital fingerprint; yours should look like this, but with the proper values):
```
gpg: Signature made wo 25 mrt 2020 10:31:37 CET
gpg: using RSA key F41D30342F3546695F65C66942468F4009EA8AC3
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: Good signature from "Debian Testing CDs Automatic Signing Key <debian-cd@lists.debian.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: F41D 3034 2F35 4669 5F65 C669 4246 8F40 09EA 8AC3
```
Now, you are ready to check the validity of the ISO file you downloaded:
This assumes that the downloaded ISO is in the same directory and has the same name as is in the SHA512SUMS file. If it is not, rename the file to match. DO NOT EDIT the SHA512SUMS file as it will no longer be uncompromised then.
The program will take a while to read the entire ISO file and compute the key.
It should return with the name of your ISO file followed by "good" if both signature keys match or "bad" if there is a mismatch. In the latter case, DO NOT use that ISO.
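The steps above can be combined into one script, shown here as an added example that is not part of the original post. It accepts the signature only if gpg's machine-readable status reports a good signature from the fingerprint you expect, then compares the ISO against its entry in SHA512SUMS. The function names and the ISO name `debian.iso` are hypothetical.

```shell
#!/bin/sh
# Added example; function names are hypothetical.

# Reads `gpg --status-fd 1 --verify` output on stdin. Succeeds only if the
# signature is good (GOODSIG) and the VALIDSIG line carries the expected
# fingerprint as signing key ($3) or primary key (last field).
status_matches_fpr() {
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "GOODSIG" { good = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { fpr = 1 }
        END { exit !(good && fpr) }'
}

# check_iso SHA512SUMS ISO
# Looks up the ISO's file name in SHA512SUMS and compares digests.
# Returns 0 on match, 1 on mismatch, 2 if the name is not listed.
check_iso() {
    sums=$1; iso=$2
    name=$(basename "$iso")
    want=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f) }
                             f == n { print $1; exit }' "$sums")
    [ -n "$want" ] || { echo "$name: not listed in $sums" >&2; return 2; }
    got=$(sha512sum "$iso" | awk '{ print $1 }')
    [ "$got" = "$want" ]
}

# verify_iso FINGERPRINT SHA512SUMS SHA512SUMS.sign ISO
verify_iso() {
    gpg --status-fd 1 --verify "$3" "$2" 2>/dev/null | status_matches_fpr "$1" ||
        { echo "no good signature from $1 on $2" >&2; return 1; }
    check_iso "$2" "$4" ||
        { echo "$4: digest mismatch or not listed, do not use" >&2; return 1; }
    echo "$4: signature and checksum verified"
}

# Usage, with the fingerprint from the first gpg output above:
#   verify_iso DF9B9C49EAA9298432589D76DA87E80D6294BE9B \
#       SHA512SUMS SHA512SUMS.sign debian.iso
```

Comparing the full fingerprint addresses the "not certified with a trusted signature" warning only if you obtained that fingerprint from a source you trust, not from the gpg output itself.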