I was told to post this here: https://pagure.io/fedora-workstation/issue/406#comment-888479
Fedora-Workstation-39-1.5-x86_64-CHECKSUM doesn't have any GPG data, so checking the download integrity isn't possible.
$ gpgv --keyring ./fedora.gpg Fedora-Workstation-39-1.5-x86_64-CHECKSUM
gpgv: no valid OpenPGP data found.
gpgv: the signature could not be verified.
Please remember that the signature file (.sig or .asc) should be the first file given on the command line
Unfortunately I can't report this in the Fedora Websites repo, because Gitlab.com now demands a phone number to complete registration and I refuse to do that.
Here is the file open in Text Editor:
[Screenshot: Screenshot_from_2023-12-18_16-12-00.png]
Where did you get that file?
The one on the master mirrors is definitely signed:
https://dl.fedoraproject.org/pub/fedora/linux/releases/39/Workstation/x86_64/iso/Fedora-Workstation-39-1.5-x86_64-CHECKSUM
and thus the ones on the mirror network also should be... at least the checksum looks correct. ;(
From torrent.fedoraproject.org
Indeed, the checksum there is not the signed one. ;(
In practice this isn't a major issue as you are downloading the torrent file over https and it has the correct checksum, so it's impossible to download a different item; it's of course still not right. ;(
Releng folks: can we make sure we use the signed checksum for torrents and redo the f39 ones with the signed checksum?
CC: @humaton @jnsamyak
Metadata Update from @phsmoura: - Issue priority set to: Waiting on Assignee (was: Needs Review)
Silverblue 39 checksum file also doesn't have GPG data, so it seems that all ISOs from version 39 are affected.
Hello folks,
I have been away from the holidays for the last week, so I missed your mention until now; I'll keep this on my list and will get back here once I try to sort this out! Thanks for your patience.
Metadata Update from @zlopez: - Issue tagged with: high-gain, medium-trouble, ops
Metadata Update from @jnsamyak: - Issue assigned to jnsamyak
Hi folks, thanks for your patience on this ticket. I got caught up in the release process work, apologies!
Here are the directories in which checksum files are now updated to the signed one. Hopefully this should be fixed now; if someone can verify, it would be great. I am not sure how much time it will take for changes to get reflected, but I assume it should not be more than a day! If there are any more issues, please let me know!
I'll close this ticket as fixed; if there are any queries, feel free to open it!
Metadata Update from @jnsamyak: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)
I downloaded Fedora-Workstation-Live-x86_64-39.torrent and the CHECKSUM file still doesn't contain any GPG data. :(
Fedora-Workstation-Live-x86_64-39.torrent
Metadata Update from @ananas-comosus: - Issue status updated to: Open (was: Closed)
Hello, thanks for confirming!
I checked again; the checksum file for this looks signed. Not sure if it takes some time to update/reflect, I'll debug more :3
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

# Fedora-Workstation-Live-x86_64-39-1.5.iso: 2129752064 bytes
SHA256 (Fedora-Workstation-Live-x86_64-39-1.5.iso) = af52046e43c6f06afd3456d2a9a36dd9782fcb204f05a21b1c31f593db36a8e8
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEE6PI5lvIyGGQMtEy+dc9axBi450wFAmVFCXQACgkQdc9axBi4
50wb4A//RtwS7CQh1F7xhpZJJ76Na1+9HcFK2P1mcmpJ5dvhAxBgU2GIreFPqNq3
Fu90S/LKsXIk96zfP8pkdcioJXI8s2X+XhU1Uguak8tyYtJqD1/8/uoIH3NQpf8Z
PcQI8PjSTg5dIAGDN9qucURGTRfbNHdU1tp7HkXOxW5C6mZ4FKD+2sGQLgR/k8DZ
7zug7CL9nLEtFnR+1M/osZZk2S9gfRHRM1vHUim60w7P7eKPWOr4H9dmSWzR2hr8
iuJDKO6Uom58gPr5iMORZ3I4zEFLbK1rBLI6Jraf01mZRRMW1oB4Tx6TUniZ9biB
ayNex4Ua3j+Q6ORJ8HN9fED0gDuvSLOSj8F/ML2GhYXsm+Sr852ahjVYLW3a2aXt
h7RBopLJgUj7dHwI+b/cj+cBCm/SqXUjom7qCRdNuPXaAwOnLAxNyDbRP91gT0Kt
AawDpylOAnBes6Ogm4Gaaw+nayP22RThC42+ZcDFC9gKWlT3bN/ltVb/50QH9lSf
oMvuhJd0Remqr41L3Ge1gw6+jG8ziz9WWVKURr1gsIX0FSeZqLRp1caraF2bM/kv
/m3IYOE8/7x2fM9TWmIeX0Ud+Ig6Jm0OLz14LOFNzYh9lL1HZYvS318ESD8ORdeA
q24gyu1vHrwTlozY/PkR0L78e41yJ+cd0cjObscA7RKuCV60hmI=
=Lklu
-----END PGP SIGNATURE-----
/srv/torrent/new/fedora/Fedora-Workstation-Live-x86_64-39/Fedora-Workstation-39-1.5-x86_64-CHECKSUM (END)
Yeah, the torrents still have the unsigned ones. ;(
So, we likely need to regenerate things somewhere...
Yeah, I debugged why this happened: after syncing the checksums properly we need to generate them again :)
Metadata Update from @jnsamyak: - Issue untagged with: medium-trouble - Issue tagged with: high-trouble
Okay, have regenerated torrents and have placed them at dedicated places, so hopefully this should be fixed now! But again, if there is any issue, feel free to open this. The creation took some time because we migrated our machines from rhel7->9, but we are all good now hopefully!
It's fixed, yes! Thanks for working on this! Also, the date of all torrents from F39 is now "2023-04-17", unlike before where the date didn't change.
Yeah, that's the date the torrent was generated... so that's when the ones with the fixed checksum files were generated.
It shouldn't matter any, I hope? Or is there some problem you are seeing with them?
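The check this ticket revolves around, as an added example that is not part of the ticket or of Fedora's tooling: it tells an unsigned CHECKSUM file (the torrent case reported above) from a clearsigned one, and compares the ISO only against the text gpgv reports as signed. The function names are hypothetical; the keyring argument is the ./fedora.gpg from the report, and a gpgv that supports --output is assumed.

```shell
#!/bin/sh
# Added example: function names are hypothetical, not Fedora tooling.

# checksum_kind FILE: print "clearsigned" if FILE carries an OpenPGP
# cleartext-signature envelope, otherwise "unsigned".
checksum_kind() {
    if head -n 1 "$1" | grep -q '^-----BEGIN PGP SIGNED MESSAGE-----' &&
       grep -q '^-----BEGIN PGP SIGNATURE-----' "$1" &&
       grep -q '^-----END PGP SIGNATURE-----' "$1"; then
        echo clearsigned
    else
        echo unsigned
    fi
}

# expected_sha256 NAME: read checksum text on stdin and print the hash from
# the BSD-style line "SHA256 (NAME) = <hex>"; prints nothing if NAME is absent.
expected_sha256() {
    awk -v n="($1)" '$1 == "SHA256" && $2 == n && $3 == "=" { print $4; exit }'
}

# verify_iso KEYRING CHECKSUM_FILE ISO
# Returns 0 on match, 2 if the file has no signature, 3 if gpgv rejects it,
# 4 if the signed text does not list the ISO or the hash differs.
verify_iso() {
    keyring=$1; sums=$2; iso=$3
    if [ "$(checksum_kind "$sums")" != clearsigned ]; then
        echo "no OpenPGP data in $sums" >&2
        return 2
    fi
    # "--output -" makes gpgv emit only the signed text, so a hash line placed
    # outside the signed envelope can never be the one that gets compared.
    # KEYRING should contain a slash (./fedora.gpg) so it is used as a path.
    signed=$(gpgv --keyring "$keyring" --output - "$sums" 2>/dev/null) || {
        echo "signature on $sums did not verify" >&2
        return 3
    }
    want=$(printf '%s\n' "$signed" | expected_sha256 "$(basename "$iso")")
    got=$(sha256sum "$iso" | cut -d' ' -f1)
    [ -n "$want" ] && [ "$want" = "$got" ] || return 4
}
```

Typical call: verify_iso ./fedora.gpg Fedora-Workstation-39-1.5-x86_64-CHECKSUM Fedora-Workstation-Live-x86_64-39-1.5.iso; a return of 2 corresponds to the "no valid OpenPGP data found" situation in the original report.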