Hi Anirban,

Anirban Brahmachari wrote:
> Take a close look at the 32 bit signature value on the page
> http://fedoraproject.org/en/verify and compare them with those on
> http://fedoraproject.org/en/keys . See the values marked in bold, red and
> underlined below.

Bold, red, and underlined don't show so well for me. I use mutt in a
terminal for my mail. I'm a text only type of guy. ;)

> I believe they should match up.

Actually, they shouldn't. Allow me to explain why I believe that...

> On http://fedoraproject.org/en/verify :
> "4F2A6FD2 - Fedora 9 and earlier"
>
> On http://fedoraproject.org/en/keys :
> """
>
> RPM-GPG-KEY-fedora-8-and-9-primary
>
> pub 1024D/6DF2196F 2008-08-27
> Key fingerprint = 4FFF 1F04 010D EDCA E203 591D 62AE C3DC 6DF2 196F
> uid Fedora (8 and 9) <fedora@xxxxxxxxxxxxxxxxx>
> sub 4096g/9E198F60 2008-08-27
>
> • Download: Fedora Project
> • Download: keys.gnupg.net
>
> RPM-GPG-KEY-fedora-test-8-and-9-primary
>
> pub 1024D/DF9B0AE9 2008-08-27
> Key fingerprint = C0E7 128E 9072 96CA AE31 78A2 8E69 3B4D DF9B 0AE9
> uid Fedora (8 and 9 testing) <fedora@xxxxxxxxxxxxxxxxx>
> sub 4096g/80E34F98 2008-08-27
>
> • Download: Fedora Project
> • Download: keys.gnupg.net
>
> """
>
> See the slight difference ?

I do. The reason for this is that the original key used to sign Fedora 9
and earlier releases was exposed during an infrastructure intrusion in
August of 2008¹. New keys were generated and used to re-sign all previous
Fedora 8 and 9 packages. Those keys are 6DF2196F and DF9B0AE9. However,
the SHA1SUM files for these releases were not re-signed for various
reasons. So the information on fp.o/verify is still correct for verifying
Fedora 9 and earlier release .iso files.

¹ http://www.redhat.com/archives/fedora-announce-list/2008-August/msg00012.html

> The other values on these 2 pages match up properly. I understand
> that it is for an older release of the OS and does not matter much
> but then, I once had to downgrade from Fedora 10 to Fedora 9 because
> the new version would lock up on boot on some of the machines that I
> manage.

I think it does matter for any supported release, so thanks for reporting
it. If the information was incorrect we'd want to fix it. Fortunately, in
just a few weeks Fedora 9 will reach the end of its life and the confusing
key information can be removed from fp.o/verify and the key details moved
to the 'obsolete' section on fp.o/keys.

> Thank you for the enthusiasm and fast response. I hope that I won't
> be labelled as a nitpicker ;-)

You say that as if being a nitpicker is a bad thing. :) When it comes to
important details like GPG keys and .iso verification, it's quite good to
be picky.

Please don't hesitate to correct me if I'm wrong on any of the above. As
much as I'd like to claim otherwise, I am still mistaken on occasion. ;)

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Entropy just isn't what it used to be.
Attachment:
pgpRWPfVIDujk.pgp
Description: PGP signature
--
Fedora-websites-list mailing list
Fedora-websites-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-websites-list
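The check Anirban did by eye, comparing the 32-bit key ID on the verify page with the key listing on the keys page, can be mechanised. The script below is an added example written for this archive page; it is not code from the thread or from the Fedora websites project. It takes the key listing as quoted above as constructed sample input (the obfuscated e-mail address is kept as it appears in the archive), parses each `pub` and `Key fingerprint` line, confirms that every short key ID really is the low 32 bits of its fingerprint (true for OpenPGP v4 keys), and then reports which IDs from the verify page have no counterpart on the keys page. Only the Python standard library is used.

```python
import re

# Constructed sample input: the key listing quoted in the thread from
# http://fedoraproject.org/en/keys, transcribed as plain text.
KEYS_PAGE = """
RPM-GPG-KEY-fedora-8-and-9-primary

pub 1024D/6DF2196F 2008-08-27
Key fingerprint = 4FFF 1F04 010D EDCA E203 591D 62AE C3DC 6DF2 196F
uid Fedora (8 and 9) <fedora@xxxxxxxxxxxxxxxxx>
sub 4096g/9E198F60 2008-08-27

RPM-GPG-KEY-fedora-test-8-and-9-primary

pub 1024D/DF9B0AE9 2008-08-27
Key fingerprint = C0E7 128E 9072 96CA AE31 78A2 8E69 3B4D DF9B 0AE9
uid Fedora (8 and 9 testing) <fedora@xxxxxxxxxxxxxxxxx>
sub 4096g/80E34F98 2008-08-27
"""

# Short key ID shown on http://fedoraproject.org/en/verify, as quoted in the thread.
VERIFY_PAGE_IDS = {"4F2A6FD2": "Fedora 9 and earlier"}

NAME_RE = re.compile(r"^(RPM-GPG-KEY-\S+)$")
PUB_RE = re.compile(r"^pub\s+\d+[A-Za-z]/([0-9A-Fa-f]{8})\s+(\d{4}-\d{2}-\d{2})")
FPR_RE = re.compile(r"^Key fingerprint\s*=\s*([0-9A-Fa-f ]+)$")


def parse_key_listing(text):
    """Parse a gpg-style listing into dicts with name, keyid, created and fingerprint."""
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = NAME_RE.match(line)
        if m:
            current = {"name": m.group(1)}
            entries.append(current)
            continue
        if current is None:
            continue
        m = PUB_RE.match(line)
        if m:
            current["keyid"] = m.group(1).upper()
            current["created"] = m.group(2)
            continue
        m = FPR_RE.match(line)
        if m:
            # Normalise "4FFF 1F04 ..." to a 40-digit hex string.
            current["fingerprint"] = m.group(1).replace(" ", "").upper()
    return entries


def keyid_matches_fingerprint(keyid, fingerprint):
    """For OpenPGP v4 keys the 32-bit short key ID is the last 8 hex digits of the 160-bit fingerprint."""
    return len(fingerprint) == 40 and fingerprint[-8:] == keyid.upper()


def check_consistency(entries):
    """Return the names of entries whose short ID and fingerprint disagree or that lack either field."""
    bad = []
    for e in entries:
        if ("keyid" not in e or "fingerprint" not in e
                or not keyid_matches_fingerprint(e["keyid"], e["fingerprint"])):
            bad.append(e["name"])
    return bad


def reconcile(verify_ids, entries):
    """Map each key ID from the verify page to the keys-page entry name that carries it, or None."""
    by_id = {e["keyid"]: e["name"] for e in entries if "keyid" in e}
    return {kid.upper(): by_id.get(kid.upper()) for kid in verify_ids}


if __name__ == "__main__":
    keys = parse_key_listing(KEYS_PAGE)
    print("inconsistent entries:", check_consistency(keys))
    for kid, name in reconcile(VERIFY_PAGE_IDS, keys).items():
        status = name if name else "not present on keys page"
        print(f"{kid} ({VERIFY_PAGE_IDS[kid]}): {status}")
```

Run stand-alone it reports no inconsistent entries and flags 4F2A6FD2 as absent from the keys page, which is exactly the discrepancy the thread discusses (and which Todd explains is expected, since the SHA1SUM files were never re-signed). Note that the comparison on the verify page rests on an 8-hex-digit short ID; when actually checking a downloaded key, compare the full fingerprint rather than the 32-bit ID, which is far too short to be unique.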