Re: FWD: [Fedora-freemedia-list] SHA1 vs SHA256...

susmit shannigrahi wrote:
> Can you please help with this?
> Thanks.
> 
> ---------- Forwarded message ----------
> From: Jeff Shepherd
> Date: Wed, Nov 18, 2009 at 1:07 PM
> 
> Is it just me, or are the checksums to verify the Fedora 12 discs
> incorrectly listed here on these pages:
> 
> https://fedoraproject.org/static/checksums/Fedora-12-i386-CHECKSUM
> https://fedoraproject.org/static/checksums/Fedora-12-x86_64-CHECKSUM
> 
> The page says that it's SHA1, but my SHA1 looks nothing like those and
> the SHA256 matches exactly.  I've verified this on Windows & Fedora
> 11.
> 
> At first I thought I had a bad download, so I downloaded again, only
> to find that these are not SHA1 checksums, they're SHA256.
> 
> Can anyone else confirm?  Can anyone shed light as to why the page
> says SHA1 when it's SHA256?  How do we go about getting this
> corrected?

For the benefit of context (mind any line wrap):

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> f0ad929cd259957e160ea442eb80986b5f01daaffdbcc7e5a1840a666c4447c7 *Fedora-12-i386-DVD.iso
> 2f548ce50c459a0270e85a7d63b2383c55239bf6aead9314a0f887f3623ddace *Fedora-12-i386-disc1.iso
> ce77d16d1b3362859aaa856f1f29c7197db69264d8ce6b9f8111dcee4d5e9ef7 *Fedora-12-i386-disc2.iso
> 8c39cb9e3c1583948dcad21f9fdbe48a3ff6a8d1b536462188d47747c2640b36 *Fedora-12-i386-disc3.iso
> 07f03f67d23331e8c7a37ad19e9a99062a4584a3e028beb40c49923bb5c70c6b *Fedora-12-i386-disc4.iso
> dff8c478fb73452a8799016deeecccde3097d40a0b756d681bfe6be2e56bb9eb *Fedora-12-i386-disc5.iso
> 128112527bdd4036ec82d678b5d5362aa7a11ac15a73647afd743d7a325f7df9 *Fedora-12-i386-netinst.iso
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.5 (GNU/Linux)
> 
> -----END PGP SIGNATURE-----


"Hash: SHA1" refers to the hash in the PGP signature, not the hash
values of the iso images.  The way digital signatures work, first you
take a hash of the message, which is this part:

> f0ad929cd259957e160ea442eb80986b5f01daaffdbcc7e5a1840a666c4447c7 *Fedora-12-i386-DVD.iso
> 2f548ce50c459a0270e85a7d63b2383c55239bf6aead9314a0f887f3623ddace *Fedora-12-i386-disc1.iso
> ce77d16d1b3362859aaa856f1f29c7197db69264d8ce6b9f8111dcee4d5e9ef7 *Fedora-12-i386-disc2.iso
> 8c39cb9e3c1583948dcad21f9fdbe48a3ff6a8d1b536462188d47747c2640b36 *Fedora-12-i386-disc3.iso
> 07f03f67d23331e8c7a37ad19e9a99062a4584a3e028beb40c49923bb5c70c6b *Fedora-12-i386-disc4.iso
> dff8c478fb73452a8799016deeecccde3097d40a0b756d681bfe6be2e56bb9eb *Fedora-12-i386-disc5.iso
> 128112527bdd4036ec82d678b5d5362aa7a11ac15a73647afd743d7a325f7df9 *Fedora-12-i386-netinst.iso

So what hash do you take of that?  SHA1

The message body could be a uuencoded jpg of your mother kissing Mickey
Mouse at Disneyland.  It doesn't matter.  If it's digitally signed,
there will be a line that says "Hash: SHA1" just after the start of the
message delimiter.  Don't be distracted by the fact that the message in
this case is a list of some other hash values, which happen to be SHA256.

After taking the hash of the message, you encrypt it with the private
key of the signer.  That's the signature included within the signature
delimiters.  The signer in this case is Fedora 12 itself with key ID
57bbccba.  You can get the public GPG keys (for verification) from

https://fedoraproject.org/static/fedora.gpg

HTH

I don't subscribe to fedora-freemedia-list, so feel free to repost this
response there.  Apologies to your mother, if required, as well.

_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
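
An added example, not part of the original message or of any Fedora tooling: a small parser that reads a clearsigned CHECKSUM file in the layout quoted above and reports the signature's "Hash:" header separately from the algorithm of the listed checksums, which it infers from hex digest length. The sample file is constructed (two digests copied from the page, placeholder signature body), the function names are hypothetical, and the script does not verify the PGP signature itself; that still requires gpg and the public key.

```python
import hashlib
import re

# Constructed sample in the layout quoted above: two digests copied from the
# page, signature body replaced by a placeholder (nothing here verifies it).
SAMPLE = """\
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

f0ad929cd259957e160ea442eb80986b5f01daaffdbcc7e5a1840a666c4447c7 *Fedora-12-i386-DVD.iso
128112527bdd4036ec82d678b5d5362aa7a11ac15a73647afd743d7a325f7df9 *Fedora-12-i386-netinst.iso
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

PLACEHOLDER-NOT-A-REAL-SIGNATURE
-----END PGP SIGNATURE-----
"""

# Hex digest length -> algorithm used for the listed files.
HEX_LEN_TO_ALGO = {32: "MD5", 40: "SHA1", 64: "SHA256", 128: "SHA512"}
ENTRY = re.compile(r"^([0-9a-fA-F]+) [ *](.+)$")  # sha256sum-style line


def inspect_clearsigned(text):
    """Return (signature_hash, [(filename, file_algo, digest), ...])."""
    lines = text.splitlines()
    start = lines.index("-----BEGIN PGP SIGNED MESSAGE-----")
    end = lines.index("-----BEGIN PGP SIGNATURE-----")
    blank = lines.index("", start, end)  # armor headers end at first empty line
    headers = dict(h.split(": ", 1) for h in lines[start + 1:blank])
    entries = []
    for line in lines[blank + 1:end]:
        if line.startswith("- "):  # undo clearsign dash-escaping
            line = line[2:]
        m = ENTRY.match(line)
        if m:
            algo = HEX_LEN_TO_ALGO.get(len(m.group(1)), "unknown")
            entries.append((m.group(2), algo, m.group(1).lower()))
    # "Hash:" names the digest the signature was computed over, not the entries.
    return headers.get("Hash"), entries


def file_matches(data, algo, digest):
    """Hash data with the entry's own algorithm and compare to the listed digest."""
    return hashlib.new(algo.lower(), data).hexdigest() == digest


if __name__ == "__main__":
    sig_hash, entries = inspect_clearsigned(SAMPLE)
    print("signature digest:", sig_hash)
    for name, algo, _ in entries:
        print(f"{name}: listed checksum is {algo}")
```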
