Re: Upgrading to Fedora 38: Misleading 'verify' instructions

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sat, 2023-10-14 at 19:06 +0100, John Pilkington wrote:
> On trying to verify the download, using
> 
> https://fedoraproject.org/en/workstation/download/
> 
> I got a report that "17 lines are improperly formatted".

As an example, the downloaded checksum file for one of the ISO files is
this:

 -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256

# Fedora-Workstation-Live-x86_64-38-1.6.iso: 2099451904 bytes
SHA256 (Fedora-Workstation-Live-x86_64-38-1.6.iso) =
7a444a2e19012023bf0b015ae30135bafc5fd20f4f333310d42b118745093992
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEalG7q7o9VGe2FxIhgJqNfOsQtGQFAmQ5B+cACgkQgJqNfOsQ
tGSmOBAAnQVdrztVVw+SPkJnY2bM8icmCZvEQxsN7zglhc6IubA710HtbO03vrsr
1p7V/DoSOOsegXd9KIH618Li/6O2zx6tELzhZVaHOKvT/xlM7jh/ZqcUVhop65Jy
sXiCIdKabfyxkHoq0GBzsGGmU3n3GUlQmsNfvUXoghawUNKOE1+VgV4RLGEuUNrT
5IViT4Ct6Ojq+Sk9Gj9b7ghepRzQZ0ZpZJ19ms8pK2CEPHSEnKWOMGFp7Ho0iEzG
9u+DLY20De1GV8cdxQ+vCGcc8KL3wFHkZvZkU5TrlHODUa/+NvihdCzLtNuRM4u4
ckJo9WitN4FpySlv0WKR2jC3WTi1Zsw/lvR2uXv4DSsa9hdu2DpUOYCvCCIMtoXw
j5lE4/2fNLlahsgD8NACtI3ulomM/VkhIHtGR7dT43jTCsrmkPSbTeGcwUSgGTjM
vZ24gJHHb3y84jF6o3VbfNfHRAVZx3H02MQOlRlresleOgVXwWWwYroxGtdYSsQK
p/bCOoaOlmFcrG7rLqR0SG1IqBhdW5egT/U/Et+7xPztbxR3SmRd8CShLYD2VTFp
UAtn9w/qGAo/BSuS+5XPpAiX9KxOhhK01bB+Hc26tzAeEYp4O6382DVdTDmuvv/v
IbQa9yao7yboowsKbe3Cv6axMlVqNcZsulawmQ2r8YVEzBPUrgQ=
=7dH0
-----END PGP SIGNATURE-----

The GPG check of that file verifies the message content with the
signature content, and with the GPG key separately downloaded.  If it
passes that test you have a checksum file you can trust.

The sha256sum test using that file knows how to use the SHA256 data in
the message, but rest is gibberish to it.  It complains about that.  If
the SHASUM agrees with your downloaded ISO file, you should also get a
message about that.

After GPG checking the checksum, you could delete all the PGP stuff
from that file, and just keep the checksum info, and try the sha256sum
test like that (for a less confusing output).

To me, copying and pasting a checksum from a HTTPS page is less painful
than this malarkey.  Even just doing a checksum on the downloaded ISO
and eyeballing the hash between it and what was written on a webpage is
less annoying.  And the old behaviour of having a dozen checksums for
each different ISO file in the same text file was also a pain, you'd
get one OKAY message (for the ISO you downloaded) buried in a lot error
messages for all the other ISO files you didn't download.

Even after this step, you've only verified what you download.  If you
write it to a USB drive, or a DVD, you still need to verify that *that*
write worked fine.  It's not just a verification about anti-tampering,
it's verification against write errors.

The verification procedures and instructions still need more thought.

-- 
 
NB:  All unexpected mail to my mailbox is automatically deleted.
I will only get to see the messages that are posted to the list.
 
The following system info data is generated fresh for each post:
 
uname -rsvp
Linux 6.2.15-100.fc36.x86_64 #1 SMP PREEMPT_DYNAMIC Thu May 11 16:51:53
UTC 2023 x86_64
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue



[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [EPEL Devel]     [Fedora Magazine]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Desktop]     [Fedora Fonts]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Fedora Sparc]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux