Re: Download verification broken

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 04/27/2016 09:10 PM, Dan Haskell wrote:
> Downloaded iso of the server edition. Tried to verify following 
> instructions and failed. First your key is not certified.
> 
>> gpg --verify-files Fedora-Server-23-x86_64-CHECKSUM
> gpg: Signature made Fri 30 Oct 2015 01:31:05 PM PDT using RSA key ID 34EC9CBA
> gpg: Good signature from "Fedora (23) <fedora-23-primary@xxxxxxxxxxxxxxxxx>" [unknown]
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the owner.
> Primary key fingerprint: EF45 5106 80FB 0232 6B04  5AFB 3247 4CF8 34EC 9CBA
> 
> Second, it appears to be the wrong key(?)
> 
>> ls
> Fedora-Server-23-x86_64-CHECKSUM  Fedora-Server-DVD-x86_64-23.iso
> 
>> sha256sum -c Fedora-Server-23-x86_64-CHECKSUM
> Fedora-Server-DVD-x86_64-23.iso: OK
> sha256sum: Fedora-Server-netinst-x86_64-23.iso: No such file or directory
> Fedora-Server-netinst-x86_64-23.iso: FAILED open or read
> sha256sum: WARNING: 20 lines are improperly formatted
> sha256sum: WARNING: 1 listed file could not be read
> 
> 
> Couldn't you just provide a md5sum instead? The gpg stuff is cool
> and all, but when it fails... give us something to work with.
> Clicked on support, but it's just a link to a BUNCH of forums. Not
> helpful.
> 
> Dan
> 
> 
> --
> websites mailing list
> websites@xxxxxxxxxxxxxxxxxxxxxxx
> http://lists.fedoraproject.org/admin/lists/websites@lists.fedoraproject.org

Dan,

First, thanks for your concern and actually checking the files.


1) The "not signed by a trusted signature" part is on your end; see the
[unknown] at the end of this line:

gpg: Good signature from "Fedora (23) <fedora-23-primary@xxxxxxxxxxxxxxxxx>" [unknown]

That indicates the signature is valid, however it is NOT in your local
key-store as a trusted key (aka Set Owner Trust is set to unknown /
I do not know).


As an add-on to Robert's reply:

2) The part of using an md5 from a security stance is a no-go, the
reason being multi-fold:
	* md5 is known to be easy to spoof -- kinda defeats the purpose of
	  using it, doesn't it.
	* sha256 is irreversible crypto that takes Owner / time-stamp and
	  source file and verifies all three with the generation and check.
	* if you wish to have an md5 for local use, running (sha256sum to
	  confirm ISOs are in fact genuine)

	"sha256sum {base_dir}/Fedora-Server-DVD-x86_64-23.iso"
	and
	"sha256sum {base_dir}/Fedora-Server-netinst-x86_64-23.iso"

	THEN

	"md5sum {base_dir}/Fedora-Server-DVD-x86_64-23.iso > /some_local_use_hash_store"
	and
	"md5sum {base_dir}/Fedora-Server-netinst-x86_64-23.iso >> /some_local_use_hash_store"

However, for the reasons aforementioned the official project page will
not be providing md5sums for its official General Availability
release (or any release) ISOs, sorry.

In addition, failing to make md5sums available helps us prevent being
on the unlucky end of incidents like the folks that provide Linux
Mint back in February [1].



[1] http://blog.linuxmint.com/?p=2994


- ---Warm Regards ---
Corey Sheldon
P: +1 (310) 909 7672
PGP: B54B7228 (keybase) | 5A88E539 (personal) | D2264944 (fedora)
https://gist.github.com/linux-modder/ac5dc6fa211315c633c9

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iF4EARYIAAYFAlcmCR0ACgkQrio19Q2QBZBngAD/eAijUyXzcD+VIRnQqZYQl4wO
+otlRctOWZaXD9kOYkYA/3UO3FzBCqvhscmU8yf7UVuT9ik6DEGr4uzeJymwgcEI
=ybjw
-----END PGP SIGNATURE-----
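
Added example, not part of the original thread or of Fedora's tooling: a Python sketch of the two checks discussed above. It compares the signing key's fingerprint from gpg's machine-readable status output against the fingerprint quoted in the thread, then hashes only the ISOs actually present, skipping the non-checksum lines of a clearsigned CHECKSUM file and reporting absent files as MISSING rather than FAILED. The function names, the accepted line styles and all sample inputs are assumptions constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Fingerprint quoted in the thread; confirm it against a channel you trust.
PINNED_FPR = "EF45510680FB02326B045AFB32474CF834EC9CBA"
BSD_LINE = re.compile(r"^SHA256 \((?P<name>.+)\) = (?P<digest>[0-9a-f]{64})$")
GNU_LINE = re.compile(r"^(?P<digest>[0-9a-f]{64}) [ *](?P<name>.+)$")


def signed_by_pinned_key(gpg_status: str, pinned: str = PINNED_FPR) -> bool:
    """True if `gpg --status-fd 1 --verify` output has a VALIDSIG for `pinned`."""
    for line in gpg_status.splitlines():
        parts = line.split()
        if parts[:2] == ["[GNUPG:]", "VALIDSIG"] and len(parts) > 2:
            # Field 3 is the signing key; the last field is the primary key.
            if pinned in (parts[2], parts[-1]):
                return True
    return False


def check_isos(checksum_text: str, iso_dir: Path) -> dict:
    """Map each listed file name to 'OK', 'FAILED' or 'MISSING'."""
    results = {}
    for line in checksum_text.splitlines():
        m = BSD_LINE.match(line.strip()) or GNU_LINE.match(line.strip())
        if not m:
            continue  # PGP armor, Hash: header, comments, signature body
        path = iso_dir / Path(m["name"]).name  # stay inside iso_dir
        if not path.is_file():
            results[m["name"]] = "MISSING"
            continue
        h = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                h.update(chunk)
        results[m["name"]] = "OK" if h.hexdigest() == m["digest"] else "FAILED"
    return results


if __name__ == "__main__":
    # Constructed inputs (not captured output): one status line, two listed files.
    status = f"[GNUPG:] VALIDSIG {PINNED_FPR} 2015-10-30 1446237065 0 4 0 1 8 01 {PINNED_FPR}"
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "a.iso").write_bytes(b"constructed")
        digest = hashlib.sha256(b"constructed").hexdigest()
        listing = f"-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\nSHA256 (a.iso) = {digest}\nSHA256 (b.iso) = {'0' * 64}\n"
        print(signed_by_pinned_key(status), check_isos(listing, Path(d)))
```

The hash results only mean something once the signature check on the CHECKSUM file itself has passed for the expected fingerprint.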