On Tue, Jun 16, 2009 at 1:17 PM, Todd Zullinger<tmz@xxxxxxxxx> wrote: > Aldo Foot wrote: >> The filename "Fedora-11-i386-CHECKSUM" is arbitrary. You can call it >> anything you want as long as it has the contents of the GPG key >> provided by the distro[1], just click on the checksum link and copy >> its contents to a text file. >> >> [1] http://mirrors.kernel.org/fedora/releases/11/Fedora/i386/iso/ > > At the risk of causing more confusion, I don't think that's correct. > The contents of the GPG key are _not_ included in the *CHECKSUM files. > The contents are the sha256sum hashes of the files in release, and > they are signed with gpg so that you can first verify that the > CHECKSUM file came from the Fedora Project and then feel confident > using the file to verify the checksums of the .iso files. > > The steps to do this are covered at https://fedoraproject.org/verify . > Thanks for the correction. I was thinking of the words "PGP SIGNATURE" that appear in the contents of the checksum file. The file contains hash values, which are not to be confused with gpg keys. ~af -- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
