Bug 32464

Summary: Wrong "gpg --verify" parameters in www.mageia.org/xy/downloads
Product: Websites Reporter: Christian C <bugzzzz>
Component: www.mageia.orgAssignee: Atelier Team <atelier-bugs>
Status: NEW --- QA Contact:
Severity: normal    
Priority: Normal    
Version: trunk   
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: https://www.mageia.org/en/downloads/get/?q=Mageia-9-x86_64.iso
Whiteboard:
Source RPM: CVE:
Status comment:

Description Christian C 2023-10-28 19:57:57 CEST 
Description of problem:
The Download page gives the followinf command line to verify the signature of the sha512 sum associated to Mageia-9-x86_64.iso :
"gpg --verify Mageia-9-x86_64.iso.sha512.gpg Mageia-9-x86_64.iso.sha512"

But when run, the command failed to verify the signature :
$ gpg --verify Mageia-9-x86_64.iso.sha512.gpg Mageia-9-x86_64.iso.sha512
gpg: not a detached signature

It seems that the right command is :
$ gpg --verify Mageia-9-x86_64.iso.sha512.gpg
gpg: Signature made Thu Aug 24 23:26:08 2023 CEST
gpg:                using RSA key B21076A0CBE4D93D66A9D08D835E41F4EDCA7A90
gpg: Good signature from "Mageia Release <release@mageia.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: B210 76A0 CBE4 D93D 66A9  D08D 835E 41F4 EDCA 7A90

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.