Re: Download verification broken

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 05/01/2016 09:48 AM, Corey Sheldon wrote:
> On 04/27/2016 09:10 PM, Dan Haskell wrote:
>> Downloaded iso of the server edition. Tried to verify following 
>> instructions and failed. First your key is not certified.
> 
>>> gpg --verify-files Fedora-Server-23-x86_64-CHECKSUM
>> gpg: Signature made Fri 30 Oct 2015 01:31:05 PM PDT using RSA key ID 34EC9CBA
>> gpg: Good signature from "Fedora (23) <fedora-23-primary@xxxxxxxxxxxxxxxxx>" [unknown]
>> gpg: WARNING: This key is not certified with a trusted signature!
>> gpg:          There is no indication that the signature belongs to the owner.
>> Primary key fingerprint: EF45 5106 80FB 0232 6B04  5AFB 3247 4CF8 34EC 9CBA
> 
>> Second, it appears to be the wrong key(?)
> 
>>> ls
>> Fedora-Server-23-x86_64-CHECKSUM
>> Fedora-Server-DVD-x86_64-23.iso
> 
>>> sha256sum -c Fedora-Server-23-x86_64-CHECKSUM
>> Fedora-Server-DVD-x86_64-23.iso: OK
>> sha256sum: Fedora-Server-netinst-x86_64-23.iso: No such file or directory
>> Fedora-Server-netinst-x86_64-23.iso: FAILED open or read
>> sha256sum: WARNING: 20 lines are improperly formatted
>> sha256sum: WARNING: 1 listed file could not be read
> 
> 
>> Couldn't you just provide a md5sum instead? The gpg stuff is
>> cool and all, but when it fails... give us something to work
>> with. Clicked on support, but it's just a link to a BUNCH of
>> forums. Not helpful.
> 
>> Dan
> 
> 
>> --
>> websites mailing list
>> websites@xxxxxxxxxxxxxxxxxxxxxxx
>> http://lists.fedoraproject.org/admin/lists/websites@lists.fedoraproject.org
> Dan,
> 
> First, thanks for your concern and for actually checking the files.
> 
> 1) The "not signed by a trusted signature" is on your end; see
> the [unknown] at the end of this line:
> 
> gpg: Good signature from "Fedora (23) <fedora-23-primary@xxxxxxxxxxxxxxxxx>" [unknown]
> 
> That indicates the signature is valid, however it is NOT in your
> local key-store as a trusted key (aka Set Owner Trust is set to
> unknown / I do not know).
> 
> 
> As an add-on to Robert's reply:
> 
> 2) Using an md5 is a no-go from a security stance, the reasons
> being multi-fold:
> * md5 is known to be easy to spoof -- kinda defeats the purpose of
>   using it, doesn't it.
> * sha256 is irreversible crypto that takes Owner / time-stamp and
>   source file and verifies all three with the generation and check.
> * if you wish to have an md5 for local use, run (sha256sum to
>   confirm the ISOs are in fact genuine)
> 
> "sha256sum {base_dir}/Fedora-Server-DVD-x86_64-23.iso" and
> "sha256sum {base_dir}/Fedora-Server-netinst-x86_64-23.iso" THEN
> 
> "md5sum {base_dir}/Fedora-Server-DVD-x86_64-23.iso > /some_local_use_hash_store" and
> 
> "md5sum {base_dir}/Fedora-Server-netinst-x86_64-23.iso >> /some_local_use_hash_store"
> 
> However, for the aforementioned reasons the official project page
> will not be providing md5sums for its official General
> Availability release (or any release) ISOs, sorry.
> 
> In addition, failing to make md5sums available helps us avoid
> being on the unlucky end of incidents like the folks that provide
> Linux Mint were back in February [1].
> 
> [1] http://blog.linuxmint.com/?p=2994
> 
> 
> --- Warm Regards ---
> Corey Sheldon
> P: +1 (310) 909 7672
> PGP: B54B7228 (keybase) | 5A88E539 (personal) | D2264944 (fedora)
> https://gist.github.com/linux-modder/ac5dc6fa211315c633c9
> 
> Disclaimer: This document, including attachments, is intended for
> the person(s) named within and may contain confidential and/or
> legally privileged information, and may occasionally include
> Intellectual Property / Embargoed Content. It is requested that all
> emails regardless of topic or content are regarded in this manner.
> Unauthorized disclosure, copying / distribution of this information
> may be unlawful and is prohibited, including unsolicited Cc/Bcc. If
> you are not the intended recipient, please disregard and destroy
> this message and if the recipient is known to you please inform
> them, and a return email indicating an improper recipient IS
> requested so that I may remove you from any lists, conversations
> such error may have created / allowed. Use of OpenGPG keys is
> highly encouraged; my keys can be found @ hkp://keys.gnupg.net &
> hkp://keys.fedoraproject.org
> --
> websites mailing list
> websites@xxxxxxxxxxxxxxxxxxxxxxx
> http://lists.fedoraproject.org/admin/lists/websites@lists.fedoraproject.org
>
> 
- -- 
- --- Warm Regards ---
Corey Sheldon
P: +1 (310) 909 7672
PGP: B54B7228 (keybase) | 5A88E539 (personal) | D2264944 (fedora)
https://gist.github.com/linux-modder/ac5dc6fa211315c633c9
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iF4EARYIAAYFAlcmCgkACgkQrio19Q2QBZC/0QEAwOabk3nSl/6Zcnj7exx48aAK
OWHN/0bmOKBH8APqCYkA/j72HSCluHyhAFuYG3SGppBo3V7iQyBOuhAfz9HgfogP
=tUbC
-----END PGP SIGNATURE-----
--
websites mailing list
websites@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/websites@xxxxxxxxxxxxxxxxxxxxxxx
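
The two checks discussed in this thread, as an added example that is not part of the original messages or of Fedora's own instructions: decide on the signature by pinning the key fingerprint instead of relying on the local `[unknown]` trust label, then check only the ISO that was actually downloaded. The function names are hypothetical, the checksum list is assumed to use GNU `HASH *NAME` lines, and the fingerprint is the one printed in the gpg output quoted above, which should be compared with the value the project publishes.

```shell
#!/bin/sh
# Added example; pinned_sig_ok and verify_one are hypothetical helper names.
# Fingerprint copied from the gpg output quoted in this thread (spaces removed).
PINNED_FPR="EF45510680FB02326B045AFB32474CF834EC9CBA"

# stdin: machine-readable status lines, e.g.
#   gpg --status-fd 1 --verify Fedora-Server-23-x86_64-CHECKSUM 2>/dev/null
# Succeeds only if a VALIDSIG line carries the pinned fingerprint and no
# BADSIG/ERRSIG line is present. TRUST_UNDEFINED (displayed as "[unknown]")
# is ignored on purpose: it describes the local trust database, not the
# outcome of the signature check.
pinned_sig_ok() {
    awk -v want="$PINNED_FPR" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        $1 == "[GNUPG:]" && ($2 == "BADSIG" || $2 == "ERRSIG") { bad = 1 }
        END { exit (ok && !bad) ? 0 : 1 }'
}

# $1 = checksum list, $2 = file name (no spaces), looked up next to the list.
# Only the entry for $2 is checked, so PGP armor lines and entries for images
# that were never downloaded (the netinst ISO in the thread) cause no noise.
# Returns 0 = hash matches, 1 = mismatch or unreadable, 2 = no entry for $2.
verify_one() {
    dir=$(dirname "$1")
    line=$(awk -v f="$2" '
        { n = $2; sub(/^\*/, "", n) }
        NF == 2 && n == f && length($1) == 64' "$1")
    [ -n "$line" ] || return 2
    ( cd "$dir" && printf '%s\n' "$line" | sha256sum -c - >/dev/null 2>&1 )
}

# Typical use, signature first and hash second:
#   gpg --status-fd 1 --verify Fedora-Server-23-x86_64-CHECKSUM 2>/dev/null \
#       | pinned_sig_ok \
#     && verify_one ./Fedora-Server-23-x86_64-CHECKSUM Fedora-Server-DVD-x86_64-23.iso
```

A matching hash only means something if the signature check on the checksum list passed first; a list fetched from the same place as a tampered image can be tampered with too.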