-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 04/27/2016 09:10 PM, Dan Haskell wrote: > Downloaded iso of the server edition. Tried to verify following > instructions and failed. First your key is not certified. > >> gpg --verify-files Fedora-Server-23-x86_64-CHECKSUM > gpg: Signature made Fri 30 Oct 2015 01:31:05 PM PDT using RSA key > ID 34EC9CBA gpg: Good signature from "Fedora (23) > <fedora-23-primary@xxxxxxxxxxxxxxxxx>" [unknown] gpg: WARNING: This > key is not certified with a trusted signature! gpg: There > is no indication that the signature belongs to the owner. Primary > key fingerprint: EF45 5106 80FB 0232 6B04 5AFB 3247 4CF8 34EC > 9CBA > > Second, it appears to be the wrong key(?) > >> ls > Fedora-Server-23-x86_64-CHECKSUM Fedora-Server-DVD-x86_64-23.iso > >> sha256sum -c Fedora-Server-23-x86_64-CHECKSUM > Fedora-Server-DVD-x86_64-23.iso: OK sha256sum: > Fedora-Server-netinst-x86_64-23.iso: No such file or directory > Fedora-Server-netinst-x86_64-23.iso: FAILED open or read sha256sum: > WARNING: 20 lines are improperly formatted sha256sum: WARNING: 1 > listed file could not be read > > > Couldn't you just provide a md5sum instead? The gpg stuff is cool > and all, but when it fails... give us something to work with. > Clicked on support, but it's just a link to a BUNCH of forums. Not > helpful. > > Dan > > > -- websites mailing list websites@xxxxxxxxxxxxxxxxxxxxxxx > http://lists.fedoraproject.org/admin/lists/websites@lists.fedoraprojec t.org Dan, First > thanks for your concern and actually checking the files. 1) The not signed by a trusted signature is on your end , see the [unknown] at the end of this line: gpg: Good signature from "Fedora (23) > <fedora-23-primary@xxxxxxxxxxxxxxxxx>" [unknown] That indicates the signature is valid however is NOT in your local key-store as a trusted key (aka Set Owner Trust is set to unknown / I do not know ) As a add-on to Robert's reply: 2) the part of using a md5 from a security stance is a no-go, reason being multi-fold * md5 is known easy to spoof -- kinda defeats the purpose of using it doesn't it. * sha256 is irreversible crypto that takes Owner / time-stamp and source file and verifies all three with the generation and check. * if you wish to have a md5 for local use running (sha256sum to confirm ISOs are in fact genuine) "sha256sum {base_dir}/Fedora-Server-DVD-x86_64-23.iso" and "sha256sum {base_dir}/Fedora-Server-netinst-x86_64-23.iso" THEN ''md5sum {base_dir}/Fedora-Server-DVD-x86_64-23.iso > /some_local_use_hash_store" and "md5sum {base_dir}/Fedora-Server-netinst-x86_64-23.iso > /some_local_use_hash_store" however for the reasons aforementioned the official project page will not be providing md5sums for its official General Availability release (or any release) ISOs sorry. In addition failing to make available md5sum helps us prevent being on the unlucky end of incidents like the folks that provide Linux Mint Back in February [1] [1] http://blog.linuxmint.com/?p=2994 - ---Warm Regards --- Corey Sheldon P: +1 (310) 909 7672 PGP: B54B7228 (keybase) | 5A88E539 (personal) | D2264944 (fedora) https://gist.github.com/linux-modder/ac5dc6fa211315c633c9 Disclaimer: This document, including attachments, is intended for the person(s) named within and may contain confidential and/or legally privileged information, and may occasionally include Intellectual Property / Embargoed Content. it is request that all emails regardless of topic or content are regarded in this manner. Unauthorized disclosure, copying / distribution of this information may be unlawful and is prohibited, including unsolicited Cc/Bcc. If you are not the intended recipient, please disregard and destroy this message and if the recipient is known to you please inform them, and a return email indicating a improper recipient IS requested so that I may remove you from any lists, conversations such error may have created / allowed. Use of OpenGPG keys are highly encouraged my keys can be found @ hkp://keys.gnupg.net & hkp://keys.fedoraproject.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iF4EARYIAAYFAlcmCR0ACgkQrio19Q2QBZBngAD/eAijUyXzcD+VIRnQqZYQl4wO +otlRctOWZaXD9kOYkYA/3UO3FzBCqvhscmU8yf7UVuT9ik6DEGr4uzeJymwgcEI =ybjw -----END PGP SIGNATURE----- -- websites mailing list websites@xxxxxxxxxxxxxxxxxxxxxxx http://lists.fedoraproject.org/admin/lists/websites@xxxxxxxxxxxxxxxxxxxxxxx