Re: verifying Fedora 34 mate spin

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sat, 30 Oct 2021 at 03:14, Tim via users <users@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
Hi,

Just trying to figure out how to verify the Fedora 34 mate spin.

Looking through the pages you get after going to the mate spin, it
suggests <https://spins.fedoraproject.org/en/verify>, the instructions
aren't coherent, and don't work as written.

There's what looks like it's simply a heading saying Verify 64-bit iso,
but that's actually a clickable link to download the checksum file.
Not well written.

Then it says to import the GPG keys.  That works.

$ curl https://getfedora.org/static/fedora.gpg | gpg --import

Then it sends you to another page to verify the GPG keys.

https://getfedora.org/en/security/

It gives the same curl command as above.

You are meant to download one -CHECKSUM file from the list on
the right side of the page:

% curl https://getfedora.org/static/fedora.gpg | gpg --import
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 14180  100 14180    0     0  43496      0 --:--:-- --:--:-- --:--:-- 43496
gpg: key F55AD3FB5323552A: public key "Fedora (37) <fedora-37-primary@xxxxxxxxxxxxxxxxx>" imported
gpg: key 999F7CBF38AB71F4: public key "Fedora (36) <fedora-36-primary@xxxxxxxxxxxxxxxxx>" imported
gpg: key DB4639719867C58F: public key "Fedora (35) <fedora-35-primary@xxxxxxxxxxxxxxxxx>" imported
gpg: key 1161AE6945719A39: "Fedora (34) <fedora-34-primary@xxxxxxxxxxxxxxxxx>" not changed
gpg: key 49FD77499570FF31: "Fedora (33) <fedora-33-primary@xxxxxxxxxxxxxxxxx>" not changed
gpg: key 7BB90722DBBDCF7C: "Fedora (iot 2019) <fedora-iot-2019@xxxxxxxxxxxxxxxxx>" not changed
gpg: key 21EA45AB2F86D6A1: "Fedora EPEL (8) <epel@xxxxxxxxxxxxxxxxx>" not changed
gpg: key 6A2FAEA2352C64E5: "Fedora EPEL (7) <epel@xxxxxxxxxxxxxxxxx>" not changed
gpg: key 3B49DF2A0608B895: "EPEL (6) <epel@xxxxxxxxxxxxxxxxx>" not changed
gpg: Total number processed: 9
gpg:               imported: 3
gpg:              unchanged: 6
% wget2 https://getfedora.org/static/checksums/34/iso/Fedora-Workstation-34-1.2-x86_64-CHECKSUM
[0] Downloading 'https://getfedora.org/static/checksums/34/iso/Fedora-Workstation-34-1.2-x86_64-CHECKSUM' ...
Saving 'Fedora-Workstation-34-1.2-x86_64-CHECKSUM'
HTTP response 200 OK [https://getfedora.org/static/checksums/34/iso/Fedora-Workstation-34-1.2-x86_64-CHECKSUM]
% gpg --verify-files *-CHECKSUM
gpg: Signature made Fri 23 Apr 2021 04:37:01 PM ADT
gpg:                using RSA key 8C5BA6990BDB26E19F2A1A801161AE6945719A39
gpg: Good signature from "Fedora (34) <fedora-34-primary@xxxxxxxxxxxxxxxxx>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8C5B A699 0BDB 26E1 9F2A  1A80 1161 AE69 4571 9A39

This fingerprint agrees with the one for Fedora-Workstation-34 in the https://getfedora.org/en/security/
page.
 

Asks you to verify the checksum file is valid, but since you haven't
downloaded the checksum file you can't.  It imported it directly into
GPG.  There's no instructions that you need to *separately* download
the keys and verify them (if you want to verify them).  And, really,
you should do that step before importing them.  And, you're importing
unknown untrusted keys, anyway.

You are supposed to verify the signature against the ones at the bottom
of the page
 
Trying to follow that page is a hotchpotch of reading through the page,
scrolling up and down, referring to something written below the
instructions, going back to reread the instructions, and flick between
pages.  Fair enough to put the quick list of steps you'll go through at
the top, but put the full sequence, *in* the sequence that you'll do
it, further down the page.

Then going back to the verify page to try and figure out how to verify
the mate spin.  The wildcard "sha256sum -c *-CHECKSUM" command gives
you way too much output, there's lots of failed notices about the other
spins you don't have, with yours buried somewhere in the middle.
Surely there's a better way to filter that down to just show the output
of files its actually checking, rather than all the files it looked
for.

Sounds like you have "-CHECKSUM" files for lots of spins.
The wildcard pattern is easy for someone who has only one
.iso and -CHECKSUM file, but it is also easy to check just the
file you want to use.

I've gone through three different webpages just to verify one download.

Good security is not easy.  Bad actors rely on the human tendency to
take shortcuts.  

--
George N. White III

_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [EPEL Devel]     [Fedora Magazine]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Desktop]     [Fedora Fonts]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Fedora Sparc]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux