#196 Fedora 33 aarch64 can't be cryptographically verified (CHECKSUM is unusable)
Closed: Can't fix 3 years ago by chrismurphy. Opened 3 years ago by axels.

Hi,

I've just downloaded Fedora 33 aarch64 and went to verify it.

Unfortunately, verification is not possible.

The CHECKSUM file:
- contains no GPG-signed data, just a SHA256 hash
- refers to a different file than the one offered for download:
-- CHECKSUM: SHA256 (Fedora-Workstation-Live-aarch64-33-1.2.iso) = e84afdc3156e603696d757de838f2669a3177ea4907facda3ae601ca7f1c6c0c
-- Fedora 33: aarch64 raw image: https://download.fedoraproject.org/pub/fedora/linux/releases/33/Workstation/aarch64/images/Fedora-Workstation-33-1.2.aarch64.raw.xz
Notice: aarch64 is not offered for download as an ISO file but as raw data, compressed with XZ.

Looks like something went wrong somewhere!
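
The two failure modes reported above (a CHECKSUM file with no PGP signature, and one that lists a different filename than the download), as an added Python example that is not part of the original ticket or of Fedora's tooling. The function name `preflight` and the signed sample are constructed for illustration; the unsigned sample is the line quoted in the ticket.

```python
import hashlib
import re

# BSD-style entry as quoted in the ticket: "SHA256 (name) = hex"
ENTRY = re.compile(r"^SHA256 \((?P<name>[^)]+)\) = (?P<digest>[0-9a-f]{64})$")

# The CHECKSUM line quoted in the ticket, and the file actually offered.
TICKET_CHECKSUM = (
    "SHA256 (Fedora-Workstation-Live-aarch64-33-1.2.iso) = "
    "e84afdc3156e603696d757de838f2669a3177ea4907facda3ae601ca7f1c6c0c\n"
)
DOWNLOADED = "Fedora-Workstation-33-1.2.aarch64.raw.xz"

# Constructed sample: clearsign framing with a placeholder signature body.
SAMPLE = b"constructed image bytes"
SIGNED = (
    "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n"
    "SHA256 (sample.raw.xz) = " + hashlib.sha256(SAMPLE).hexdigest() + "\n"
    "-----BEGIN PGP SIGNATURE-----\n\n(constructed placeholder)\n"
    "-----END PGP SIGNATURE-----\n"
)

def preflight(checksum_text, image_name, image_bytes=None):
    """Return the reasons this CHECKSUM file cannot verify image_name.

    An empty list means the file is usable, not that it is authentic:
    armor markers only show a signature is present, so the file must
    still be verified with gpgv against the Fedora keyring.
    """
    problems = []
    lines = [line.strip() for line in checksum_text.splitlines()]
    if ("-----BEGIN PGP SIGNED MESSAGE-----" not in lines
            or "-----BEGIN PGP SIGNATURE-----" not in lines):
        problems.append("unsigned")
    entries = {}
    for line in lines:
        m = ENTRY.match(line)
        if m:
            entries[m["name"]] = m["digest"]
    if image_name not in entries:
        problems.append("no-entry-for-image")
    elif image_bytes is not None:
        if hashlib.sha256(image_bytes).hexdigest() != entries[image_name]:
            problems.append("digest-mismatch")
    return problems

if __name__ == "__main__":
    print(preflight(TICKET_CHECKSUM, DOWNLOADED))
```
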


Traditionally Fedora aarch64 has only been offered as a raw xz image (I mean prior to 33 afaik), but I do see:
https://dl.fedoraproject.org/pub/fedora/linux/releases/33/Workstation/aarch64/iso/Fedora-Workstation-Live-aarch64-33-1.2.iso
along with a signed CHECKSUM file, though I haven't tried to verify it.

Maybe it is missing from your mirror (since it is a new file)?

Thanks for the answer, @petersen.

I'm not using a mirror, my path is this:
https://getfedora.org/, click on "Download Now" in the Workstation section, this takes me to
https://getfedora.org/en/workstation/download/ where I click "Download" next to "Fedora 33: aarch64 raw image", which is a link to
https://download.fedoraproject.org/pub/fedora/linux/releases/33/Workstation/aarch64/images/Fedora-Workstation-33-1.2.aarch64.raw.xz

While I appreciate your suggestion (it led me to the right CHECKSUM file), this bug report is to fix what the vast majority of people hoping to try Fedora on a Raspberry Pi 4 will experience.

Given that just below the download links it proclaims "we take security seriously", we should fix this quickly, it doesn't look very serious :)

But the fix is simple: have the link "Fedora 33 aarch64 CHECKSUM" on https://getfedora.org/en/security/ point to the right file.

By the way, it's the same issue for Fedora Server aarch64 on https://getfedora.org/en/security: it leads to a CHECKSUM file with no PGP data, just hashes.

Metadata Update from @chrismurphy:
- Issue close_status updated to: Can't fix
- Issue status updated to: Closed (was: Open)

3 years ago

Hi @chrismurphy, could you explain why this can't be fixed?

Oh, just saw the other two bugs you opened. Got it.
