mike wrote: > I have a real basic question about verifying your download for Fedora 7, > 8 and 9. I'm new to keys, signatures, certification, etc. and I haven't > been able to find what I need in the Fedora help resources. Apologies > if this is the wrong place to post or if a similar post appears (not > sure that it was lost). > > The following is for Fedora 9. I downloaded the iso on May 8th and > SHA1SUM on September 2 from the Kent mirrorservice in the UK. > > If I follow the instructions at http://fedoraproject.org/en/verify I get: > > [mike@desktop iso]$ gpg --verify SHA1SUM > gpg: Signature made Thu 08 May 2008 03:03:44 BST using DSA key ID 4F2A6FD2 > gpg: Good signature from "Fedora Project <fedora@xxxxxxxxxx>" > gpg: WARNING: This key is not certified with a trusted signature! > gpg: There is no indication that the signature belongs to the > owner. > Primary key fingerprint: CAB4 4B99 6F27 744E 8612 7CDF B442 69D0 4F2A 6FD2 > [mike@desktop iso]$ > > My question is do I need to worry about the lack of certification? That really depends on how cautious you want to be. > If I do how do I check that the signature is certified? You can verify the fedora gpg keys by following the steps at: https://fedoraproject.org/en/keys The key used to sign the Fedora 9 and earlier isos is now in the "Obsolete keys" section, but the fingerprint information on that page is still accurate. > Also, does this have anything to do with the migration to new > package keys? Nope. Though if you download Fedora 10 Beta, you'll find that it is signed with a new key, which is not mentioned on the /verify page. This will hopefully be fixed¹ before Fedora 10 is released. ¹ https://fedorahosted.org/fedora-infrastructure/ticket/888 -- Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ A cynic is a man who, when he smells flowers, looks around for a coffin. -- H. L. Mencken
Attachment:
pgpUT1xeF4Q0d.pgp
Description: PGP signature
-- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines