Okay, Trying to verify the alpha netinst.iso, I seem to have forgotten the way these files work, again. ---- gpg --verify Fedora-15-Alpha-i386-CHECKSUM Fedora-15-Alpha-i386-netinst.iso gpg: not a detached signature --- This is telling me that the CHECKSUM combines the signature and the checksum. I looked inside the CHECKSUM (actually seeing the contents instead of just checking that there was something there). The list of files and checksums is in there with the signature. That's why it's not a detached signature. On Wed, Apr 6, 2011 at 8:58 AM, Joel Rees <joel.rees@xxxxxxxxx> wrote: > On Wed, Apr 6, 2011 at 12:14 AM, Ed Greshko <Ed.Greshko@xxxxxxxxxxx> wrote: >> On 04/05/2011 11:12 PM, Ed Greshko wrote: >>> On 04/05/2011 10:43 PM, Joel Rees wrote: >>>> How does one verify boot.iso for the alpha version? >>>> >>>> I've imported the key file, but I don't see a proper signature or an >>>> sha256 checksum. >>> I downloaded from a mirror and it was there.... >>> >>> e.g. >>> ftp://ftp.isu.edu.tw:0/pub/Linux/Fedora/linux/releases/test/15-Alpha/Fedora/i386/iso/Fedora-15-Alpha-i386-CHECKSUM >>> >> >> Sorry.... That should have read... >> >> ftp://ftp.isu.edu.tw/pub/Linux/Fedora/linux/releases/test/15-Alpha/Fedora/i386/iso/Fedora-15-Alpha-i386-CHECKSUM > > Hmm. > > I see that I was looking in a different place. I was looking at > > linux/development/15/i386/os/images/boot.iso , and this is > > linux/releases/15-Alpha/Fedora/i386/iso/Fedora-15-Alpha-i386-netinst.iso > (or the DVD). > > Okay, just for fun, I played games linking (symbolic) boot.iso to > Fedora-15-Alpha-i386.iso and gpg says this: That would have been ---- ln -s boot.iso Fedora-15-Alpha-i386.iso gpg --verify Fedora-15-Alpha-i386-CHECKSUM ---- > gpg: Signature made Thu 03 Mar 2011 12:34:51 PM JST using RSA key ID 069C8460 > gpg: Good signature from "Fedora (15) <fedora@xxxxxxxxxxxxxxxxx>" > gpg: WARNING: This key is not certified with a trusted signature! > gpg: There is no indication that the signature belongs to the owner. > Primary key fingerprint: 25DB B54B DED7 0987 F4C1 0042 B4EB F579 069C 8460 which tells me, that the signature on the checksums is valid. So, now I need to actually run sha256sum or openssl sha256 on the file and compare the signatures. sha256sum Fedora-15-Alpha-i386.iso > checksum15.text vi Fedora-15-Alpha-i386-CHECKSUM checksum15.text and yy the checksum from the one and p it in the other and eyeball it -- they match, and now I know they match. Yep. I've forgotten how to use gpg again. I hate getting old. > but I don't find either the key or the fingerprint at > https://fedoraproject.org/keys. > > I guess I'm going to download the netinst iso now. For what it's worth, I cmp-ed the boot.iso and the netinst.iso and they are definitiely not the same. Not sure whether I expected them to be. So, now I have a netinst image with a very high probability of being valid, and I go back and look at gPXE and the BFO stuff, and I'm more than half thinking I want to go that route instead. Maybe. Sorry for the noise, but I'm going to post this, to leave myself another note. Maybe I'll someday get myself to remember that gpg does not automatically look at the file list and run the checksum step. Joel Rees -- users mailing list users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
