Allen Kistler wrote:
> I think that thread is talking about some other page than the one
> that confused Jeff. In particular, this thread refers to changing
> some string value on a page from "SHA1" to "SHA256."
>
> 1. If you alter a GPG-signed message, you've just screwed the
> signature, since most of the value of the signature comes from being
> able to verify that no one has changed the message.
>
> 2. Maybe it hasn't replicated, but I still see "SHA1" when I look at
> the pages Jeff referenced. And BTW that's a good thing.
>
> Or am I the one confused? I'm looking at only those pages Jeff
> lists above.

That thread is on the mark. The fix that Jesse is referring to is likely that we'll add some text to the *CHECKSUM files explaining what checksum tool to use for verification, perhaps pointing to the page at https://fedoraproject.org/verify and some large print that says "USE sha256sum TO VERIFY THE CHECKSUMS, DESPITE ANY PGP 'Hash:' LINE YOU MAY SEE AND THINK YOU UNDERSTAND." :)

Unfortunately, many, many people confuse the 'Hash: SHA1' line which is part of the PGP signature with the SHA256 checksum data that is in the *CHECKSUM files. It would almost be better to just have detached PGP signature files. That way, those who are not familiar with PGP would not ever see a 'Hash: SHA1' line to confuse them.

Oddly, at some point the PGP signatures will be made using SHA256 as well and that will then match the checksum used for the .iso files. But as long as people conflate the PGP Hash header and the checksum used to create the clearsigned data, we'll have this problem.

We've gotten a _lot_ of this question at the webmaster address. I never realized how many people made the flawed assumption that the PGP Hash: header had anything to do with the checksum data in the files. Please spread the message as much as possible that they are NOT related in ANY way.
-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Truth is like a well-known whore. Everybody knows her but it's
embarrassing to meet her in the street.
    -- Wolfgang Borchert
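The point of the message above is that the `Hash:` line in a clearsigned *CHECKSUM file is an OpenPGP armor header describing the digest used for the signature, while the checksum lines inside the signed body are SHA256 digests of the .iso files and are checked with sha256sum. The following script is an added illustration of that verification step, not code from the list post or from Fedora: it pulls the checksum lines out of the clearsigned text (dropping the armor header block, so the `Hash:` line never reaches sha256sum) and feeds them to `sha256sum -c`. It assumes GNU-style checksum lines (`<sha256>  <file>` or `<sha256> *<file>`) and a constructed sample file with a placeholder signature block; checking the PGP signature itself with `gpg --verify` is a separate step that this script does not replace.

```shell
#!/bin/sh
# Added example: verify the SHA256 checksums inside a clearsigned CHECKSUM
# file. The "Hash: SHA1" armor header is ignored on purpose; it describes
# the digest used by the PGP signature, not the digest of the .iso files.

# Report what the PGP armor header claims, purely for contrast with the
# checksum algorithm actually used below (prints e.g. "SHA1").
pgp_hash_header() {
    sed -n 's/^Hash: //p' "$1" | head -n 1
}

# Print only the checksum lines of a clearsigned file: the armor header
# block between "BEGIN PGP SIGNED MESSAGE" and the first blank line is
# skipped (that is where "Hash:" lives), reading stops at the signature
# block, and only lines shaped like "<64 hex chars> <name>" survive.
checksum_lines() {
    awk '
        /^-----BEGIN PGP SIGNED MESSAGE-----/ { in_hdr = 1; next }
        in_hdr && /^$/                        { in_hdr = 0; in_body = 1; next }
        in_hdr                                { next }   # drops "Hash: SHA1"
        /^-----BEGIN PGP SIGNATURE-----/      { exit }
        in_body && NF == 2 && length($1) == 64 && $1 ~ /^[0-9a-fA-F]+$/ { print }
    ' "$1"
}

# verify_checksums CHECKSUM_FILE ISO_DIR
# Runs sha256sum -c over the extracted lines from inside ISO_DIR.
# Returns 0 when every listed file matches, non-zero otherwise.
verify_checksums() {
    checksum_lines "$1" | (cd "$2" && sha256sum -c --status)
}

# usage (assumed file names): verify_checksums Fedora-XX-CHECKSUM /path/to/isos
```

Because `checksum_lines` stops at the signature block and drops the armor header, the only thing sha256sum ever sees is the list of SHA256 digests, regardless of what the `Hash:` line says.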
_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list