On Sat, 2023-10-14 at 19:06 +0100, John Pilkington wrote:
> On trying to verify the download, using
>
> https://fedoraproject.org/en/workstation/download/
>
> I got a report that "17 lines are improperly formatted".

As an example, the downloaded checksum file for one of the ISO files is this:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

# Fedora-Workstation-Live-x86_64-38-1.6.iso: 2099451904 bytes
SHA256 (Fedora-Workstation-Live-x86_64-38-1.6.iso) = 7a444a2e19012023bf0b015ae30135bafc5fd20f4f333310d42b118745093992
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEalG7q7o9VGe2FxIhgJqNfOsQtGQFAmQ5B+cACgkQgJqNfOsQ
tGSmOBAAnQVdrztVVw+SPkJnY2bM8icmCZvEQxsN7zglhc6IubA710HtbO03vrsr
1p7V/DoSOOsegXd9KIH618Li/6O2zx6tELzhZVaHOKvT/xlM7jh/ZqcUVhop65Jy
sXiCIdKabfyxkHoq0GBzsGGmU3n3GUlQmsNfvUXoghawUNKOE1+VgV4RLGEuUNrT
5IViT4Ct6Ojq+Sk9Gj9b7ghepRzQZ0ZpZJ19ms8pK2CEPHSEnKWOMGFp7Ho0iEzG
9u+DLY20De1GV8cdxQ+vCGcc8KL3wFHkZvZkU5TrlHODUa/+NvihdCzLtNuRM4u4
ckJo9WitN4FpySlv0WKR2jC3WTi1Zsw/lvR2uXv4DSsa9hdu2DpUOYCvCCIMtoXw
j5lE4/2fNLlahsgD8NACtI3ulomM/VkhIHtGR7dT43jTCsrmkPSbTeGcwUSgGTjM
vZ24gJHHb3y84jF6o3VbfNfHRAVZx3H02MQOlRlresleOgVXwWWwYroxGtdYSsQK
p/bCOoaOlmFcrG7rLqR0SG1IqBhdW5egT/U/Et+7xPztbxR3SmRd8CShLYD2VTFp
UAtn9w/qGAo/BSuS+5XPpAiX9KxOhhK01bB+Hc26tzAeEYp4O6382DVdTDmuvv/v
IbQa9yao7yboowsKbe3Cv6axMlVqNcZsulawmQ2r8YVEzBPUrgQ=
=7dH0
-----END PGP SIGNATURE-----

The GPG check of that file verifies the message content with the signature content, and with the GPG key separately downloaded. If it passes that test you have a checksum file you can trust.

The sha256sum test using that file knows how to use the SHA256 data in the message, but the rest is gibberish to it. It complains about that. If the SHASUM agrees with your downloaded ISO file, you should also get a message about that.

After GPG checking the checksum, you could delete all the PGP stuff from that file, and just keep the checksum info, and try the sha256sum test like that (for a less confusing output).

To me, copying and pasting a checksum from an HTTPS page is less painful than this malarkey. Even just doing a checksum on the downloaded ISO and eyeballing the hash between it and what was written on a webpage is less annoying.

And the old behaviour of having a dozen checksums for each different ISO file in the same text file was also a pain, you'd get one OKAY message (for the ISO you downloaded) buried in a lot of error messages for all the other ISO files you didn't download.

Even after this step, you've only verified what you download. If you write it to a USB drive, or a DVD, you still need to verify that *that* write worked fine. It's not just a verification about anti-tampering, it's verification against write errors.

The verification procedures and instructions still need more thought.

-- 
NB: All unexpected mail to my mailbox is automatically deleted.
I will only get to see the messages that are posted to the list.

The following system info data is generated fresh for each post:

uname -rsvp
Linux 6.2.15-100.fc36.x86_64 #1 SMP PREEMPT_DYNAMIC Thu May 11 16:51:53 UTC 2023 x86_64
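
The manual steps described in the message above (keep only the checksum info once the GPG check has passed, check just the image you downloaded, then check the written medium), as an added shell example that is not part of the original message. The function names are hypothetical, and using the byte count from the file's comment line to hash only the first N bytes of a device is an assumption of this example.

```shell
#!/bin/sh
# Added example: run only after gpgv/gpg has verified the CHECKSUM file.
# Assumes GNU coreutils (sha256sum, head -c) and file names without spaces.

# Print only the text the clearsign signature covers: the lines between the
# armor headers and the signature marker. Anything placed after the signature
# block is ignored, because the signature does not cover it.
signed_body() {
    awk '
        !body && /^-----BEGIN PGP SIGNED MESSAGE-----$/ { hdr = 1; next }
        /^-----BEGIN PGP SIGNATURE-----$/               { exit }
        hdr && /^$/                                     { hdr = 0; body = 1; next }
        body                                            { sub(/^- /, ""); print }
    ' "$1"
}

# Expected hash for NAME, from a BSD-style "SHA256 (NAME) = hex" line.
expected_hash() {
    signed_body "$1" | awk -v n="$2" \
        '$1 == "SHA256" && $2 == "(" n ")" && $3 == "=" { print $4; exit }'
}

# Expected size for NAME, from the "# NAME: N bytes" comment line.
expected_size() {
    signed_body "$1" | awk -v n="$2" \
        '$1 == "#" && $2 == n ":" && $4 == "bytes" { print $3; exit }'
}

# check_image CHECKSUM_FILE NAME TARGET
# TARGET is the downloaded ISO, or the device it was written to (for example
# a USB stick). Only the first N bytes are hashed, so unused space after the
# image on a larger device does not affect the result.
check_image() {
    want=$(expected_hash "$1" "$2")
    size=$(expected_size "$1" "$2")
    [ -n "$want" ] && [ -n "$size" ] || { echo "$2: not in signed text" >&2; return 2; }
    # A regular file must be exactly N bytes (catches truncation or padding).
    if [ -f "$3" ] && [ "$(wc -c < "$3")" -ne "$size" ]; then
        echo "$2: size mismatch" >&2; return 1
    fi
    got=$(head -c "$size" "$3" | sha256sum | cut -d' ' -f1)
    [ "$got" = "$want" ] || { echo "$2: FAILED" >&2; return 1; }
    echo "$2: OK"
}
```

Reading the written medium back is only meaningful if the data comes from the device rather than the page cache, so unplug and re-insert the drive (or eject and reload the disc) before running `check_image` against it.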