OK Thanks! Yes that is not clear but makes sense about the PGP signature tag for the CHECKSUM file itself. It is just confusing to see it immediately above the hash values in the in the file. It suggests that they're SHA1 hashes. Most folks won't perform the gpg --verify against the signature file as we've downloaded it directly, and will read the hashes as provided against whatever hash utility they've got to verify a clean/complete download. Regards, Stuart Foote -----Original Message----- From: Ricky Zhou [mailto:ricky@xxxxxxxxxxxxxxxxx] Sent: Thursday, November 19, 2009 1:40 PM To: V Stuart Foote Cc: webmaster@xxxxxxxxxxxxxxxxx Subject: Re: New Fedora 12 checksum are listed as SHA1 but are SHA256 Hash On 2009-11-19 01:24:00 PM, V Stuart Foote wrote: > The posted checksums to verify ISOs for at least the i386 ISOs > suggests the Hash is SHA1, but the value is SHA256 for the > Fedora-12-i386-DVD.iso, suspect they may all be SHA256 > > https://fedoraproject.org/en/verify > > https://fedoraproject.org/static/checksums/Fedora-12-i386-CHECKSUM > > Probably should correct the mislabeled entry(s). This is a common misconception. The Hash: SHA1 line is part of the PGP signature. It has no relation to the sha256 checksum data in the *-CHECKSUM files. https://fedoraproject.org/verify has details on how to verify downloads and does point out that sha256sum is what should be used. We're discussing ways to make this clearer in future releases so that folks don't mistake the PGP Hash header as the hash used for the .iso images. Thanks, Ricky -- Fedora-websites-list mailing list Fedora-websites-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-websites-list