The actual procedure to test downloads is: https://fedoraproject.org/verify

The signature is inside the checksum file, which results in the following warnings that could be misread:
{{{
sha256sum: WARNING: 20 lines are improperly formatted
sha256sum: WARNING: 7 listed files could not be read
}}}
There are two ways to avoid that:
 * Forcing people to check the sig by downloading the checksum.asc file, checking it with gpg, then running sha256 to check the output file.
 * Using a detached signature to make it faster for people who do not want to check the sig (and import it).

The first solution could be used that way if we use clear-sig.
Therefore, the idea would be to go for the first solution. One would check the ISO by:
 * importing the Fedora signature:
{{{
curl https://fedoraproject.org/static/fedora.gpg | gpg --import
}}}
 * downloading the checksum.asc file, which would have been created with, for example:
{{{
gpg -s --clearsign checksum
}}}
 * checking the sig and exporting the checksum file:
{{{
gpg checksum.asc
}}}
 * doing the checksum test:
{{{
sha256sum -c checksum
}}}
The process for people just wanting to check the file without the sig will just be downloading the ISO, computing the checksum manually on the file, and comparing the output manually with the online clear signature file. We will still have the warning for missing files, but at least the "20 lines are improperly formatted" will be dropped and won't scare people anymore.
Oops, sorry to burden, I should have seen that before. I had wrong assumptions. The actual checksums are already what I propose; we just have to correct the doc or rename the checksum file, adding the correct .asc extension.
What would be the best way to check: extract the checksums to another file, then run sha256 on that file, or directly use the gpg output? See the example below.
{{{
$ gpg --output - Fedora-18-x86_64-Spins-CHECKSUM| sha256sum -c
sha256sum: Fedora-18-x86_64-Live-Design-suite.iso: No such file or directory
Fedora-18-x86_64-Live-Design-suite.iso: FAILED open or read
sha256sum: Fedora-18-x86_64-Live-Electronic-Lab.iso: No such file or directory
Fedora-18-x86_64-Live-Electronic-Lab.iso: FAILED open or read
gpg: Signature made Fri Jan 11 19:13:59 2013 CET using RSA key ID DE7F38BD
gpg: Good signature from "Fedora (18) fedora@fedoraproject.org"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 7EFB 8811 DD11 E380 B679  FCED FF01 125C DE7F 38BD
Fedora-18-x86_64-Live-LXDE.iso: OK
sha256sum: Fedora-18-x86_64-Live-Robotics.iso: No such file or directory
Fedora-18-x86_64-Live-Robotics.iso: FAILED open or read
sha256sum: Fedora-18-x86_64-Live-Scientific-KDE.iso: No such file or directory
Fedora-18-x86_64-Live-Scientific-KDE.iso: FAILED open or read
sha256sum: Fedora-18-x86_64-Live-Security.iso: No such file or directory
Fedora-18-x86_64-Live-Security.iso: FAILED open or read
sha256sum: Fedora-18-x86_64-Live-SoaS.iso: No such file or directory
Fedora-18-x86_64-Live-SoaS.iso: FAILED open or read
sha256sum: Fedora-18-x86_64-Live-XFCE.iso: No such file or directory
Fedora-18-x86_64-Live-XFCE.iso: FAILED open or read
sha256sum: WARNING: 7 listed files could not be read
}}}
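An added example, not part of the ticket or of Fedora's tooling, showing the "extract to another file" variant: the signed text is kept only when gpg exits successfully (a pipe into sha256sum ignores gpg's exit status), and only ISOs present locally are checked, so the "could not be read" warnings do not appear. The function names are hypothetical; it assumes the coreutils "hash *name" line format and a keyring that holds only the Fedora key.

```shell
#!/bin/sh
# Added example (hypothetical helper names), POSIX sh.

# verified_payload SIGNED OUT
# Write the signed text of a clear-signed file to OUT only when gpg exits 0.
# gpg accepts a good signature from any key in the keyring, so this assumes
# the keyring holds only the imported Fedora key; compare the fingerprint gpg
# prints with the published one as well.
verified_payload() (
    signed=$1
    out=$2
    tmp=$(mktemp) || exit 1
    if gpg --batch --yes --output "$tmp" --decrypt "$signed"; then
        mv "$tmp" "$out"
    else
        rm -f "$tmp"
        exit 1
    fi
)

# check_present SUMS
# Run sha256sum -c over only those lines of SUMS whose file exists in the
# current directory. Fails when a present file mismatches or none is present.
check_present() (
    sums=$1
    present=$(mktemp) || exit 1
    while IFS= read -r line; do
        name=${line#* }      # drop the hash field (up to the first space)
        name=${name#[ *]}    # drop the text/binary mode marker
        if [ -f "$name" ]; then
            printf '%s\n' "$line" >> "$present"
        fi
    done < "$sums"
    if [ -s "$present" ]; then
        sha256sum -c "$present"
        rc=$?
    else
        echo "no listed file is present in this directory" >&2
        rc=1
    fi
    rm -f "$present"
    exit "$rc"
)

# Script usage: sh verify.sh Fedora-18-x86_64-Spins-CHECKSUM
if [ "$#" -eq 1 ]; then
    verified_payload "$1" "$1.verified" && check_present "$1.verified"
fi
```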
We have been signing the CHECKSUMs the same way since day 1; this is an area I am not willing to change.
Metadata Update from @shaiton: - Issue set to the milestone: Fedora 19 Alpha