Gpg: BAD signature from "Qubes OS Release 4 Signing Key" [full]

What does the NSA have to do with a bad download?

  1. When you do the gpg --verify cmd, you are verifying that the DIGESTS file has not been tampered with. Keep this in mind.

  2. When you do the sha1/md5/etc cmds, you are checking the ISO file hash against what is in the DIGESTS file.

  3. If the DIGESTS file has a good sig and the sha256 hashes match what is in the DIGESTS file, only then can you say you have a good ISO file that has been verified.

You can't verify sigs if you are messing with the file.

You have not obtained the DIGESTS file correctly. If DIGEST-2 was a good sig, based on the diff you have against the DIGEST-CP, line 4 was deleted in your copy/paste. You will see there are 2 line breaks after the ‘Hash: SHA256’ line in the proper file. You are missing one.

How are you downloading the DIGESTS file? A simple wget should be all you need.

  1. wget the ISO
  2. wget the DIGESTS
  3. Verify the DIGESTS sig with gpg --verify
  4. Verify the sha256sum of the ISO matches what is in the DIGESTS
  5. Install
1 Like
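As an added example that is not part of the original post and not Qubes' own tooling, here are the checks the reply describes as POSIX shell functions, plus one extra check the reply only hints at: a layout test that catches the copy/paste damage (the missing blank line after `Hash: SHA256`) before gpg ever runs. It assumes gpg and sha256sum are on the PATH and that the Qubes release signing key has already been imported; the file names in the comments are illustrative.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes: gpg and sha256sum installed,
# Qubes signing key already imported. Usage:
#   verify_iso Qubes-R4.iso Qubes-R4.iso.DIGESTS && echo VERIFIED

# Step 0 (extra check): a clearsigned DIGESTS file must open with the BEGIN
# line, a "Hash:" line, exactly ONE empty line, then the digest data.
# A copy/paste that drops the empty line fails here, before gpg is involved.
check_clearsign_layout() {
    digests="$1"
    [ "$(sed -n '1p' "$digests")" = "-----BEGIN PGP SIGNED MESSAGE-----" ] || return 1
    case "$(sed -n '2p' "$digests")" in Hash:*) ;; *) return 1 ;; esac
    [ -z "$(sed -n '3p' "$digests")" ] || return 1   # the one required blank line
    [ -n "$(sed -n '4p' "$digests")" ] || return 1   # data must start on line 4
    return 0
}

# Step 1: the signature covers the DIGESTS file, not the ISO. Any byte changed
# in DIGESTS (including whitespace) makes gpg report "BAD signature".
verify_digests_sig() {
    gpg --verify "$1" >/dev/null 2>&1
}

# Step 2: compare the ISO's sha256 with the 64-hex entry for that file name.
# DIGESTS also carries md5/sha1/sha512 lines; the length test picks sha256.
check_sha256() {
    iso="$1"; digests="$2"
    name=$(basename "$iso")
    expected=$(awk -v n="$name" 'length($1)==64 && $2==n {print $1}' "$digests")
    [ -n "$expected" ] || return 1           # no sha256 entry for this ISO
    actual=$(sha256sum "$iso" | cut -d' ' -f1)
    [ "$expected" = "$actual" ]
}

# Step 3: only a good signature AND a matching hash mean a verified ISO.
verify_iso() {
    check_clearsign_layout "$2" && verify_digests_sig "$2" && check_sha256 "$1" "$2"
}
```

The layout check is deliberately strict: gpg would also reject a mangled file, but a plain "BAD signature" does not tell you whether the file was altered in transit or by your own editor, whereas a failed layout check points straight at the copy/paste.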