[This stuff may be obvious. But it wasn't to me, so I think that it ought to qualify as testing.] Problem summary: confused about release's GPG key. I downloaded the Fedora 18 Beta x86_64 Install DVD from here: <https://fedoraproject.org/get-prerelease> It told me to verify my download as per <https://fedoraproject.org/en/verify> I imported Fedora keys as that page suggested (in fact, I had all of them already). I downloaded the checksum for the .iso <https://fedoraproject.org/static/checksums/Fedora-18-Beta-x86_64-CHECKSUM> I verified the CHECKSUM file: $ gpg --verify-files *-CHECKSUM gpg: Signature made Thu 22 Nov 2012 11:13:47 PM EST using RSA key ID DE7F38BD gpg: Can't check signature: public key not found Notice: even though I imported the keys that I was told to, the necessary key was not there. The verify page says that key DE7F38BD is the Fedora 18 key. But my imports included gpg: key 22B3B81A: "Fedora (18) <fedora@xxxxxxxxxxxxxxxxx>" not changed gpg: key 34E166FA: "Fedora Secondary Arch (18) <fedora@xxxxxxxxxxxxxxxxx>" not changed ===> Which is the real Fedora 18 key? Why isn't this documented better? When I do the specified checksum command, I get scary warnings: $ sha256sum -c *-CHECKSUM Fedora-18-Beta-x86_64-DVD.iso: OK sha256sum: Fedora-18-Beta-x86_64-netinst.iso: No such file or directory Fedora-18-Beta-x86_64-netinst.iso: FAILED open or read sha256sum: WARNING: 20 lines are improperly formatted sha256sum: WARNING: 1 listed file could not be read The warning about improperly formatted lines is clearly because fo the GPG stuff. ===> Should we not have a version of sha256 that knows how to deal with the gpg signature? -- test mailing list test@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe: https://admin.fedoraproject.org/mailman/listinfo/test
