Re: info to verify checksum files not correct

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, 2022-11-21 at 00:18 +0100, AV via test wrote:
> On Sat, 2022-11-19 at 19:33 -0800, Samuel Sieb wrote:
> > On 11/18/22 16:11, AV via test wrote:
> > > Following info on https://getfedora.org/en/security/
> > > 
> > > gpgv --keyring ./fedora.gpg *-CHECKSUM
> > > gpgv: not a detached signature
> > > 
> > > I think a little correction is warranted.
> > 
> > You need to give more specific information about what exactly you
> > tried. 
> > I followed the instructions there and it worked as expected.
> 
> I discovered today what happened. I had downloaded both
> Fedora-Workstation and Fedora-Everything together with
> their CHECKSUMS into the same folder.
> If you then try "gpgv --keyring ./fedora.gpg *-CHECKSUM"
> it results in this error message.
> Remove one of the two from the folder and it works as
> expected.
> But as yet it is not clear to me why this error message
> meant for another situation.

I think this is probably the explanation, from `man gpgv`:

EXAMPLES
       gpgv pgpfile
       gpgv sigfile [datafile]
              Verify the signature of the file. The second form is used for detached signatures, where sigfile is the detached signature (either ASCII-armored or binary)  and  datafile
              contains the signed data; if datafile is "-" the signed data is expected on stdin; if datafile is not given the name of the file holding the signed data is constructed by
              cutting off the extension (".asc", ".sig" or ".sign") from sigfile.

The command given in the instructions uses the wildcard (*-CHECKSUM)
because we don't know exactly what the file will be called. It's
expecting that wildcard to match just one file, the one we want to
check. But because you downloaded two to the same directory, the
wildcard matches both of them, so now you're passing two files to gpgv.
As the above says, passing two files makes it think you're giving it
one file with the signature only and one file with the signed data -
but then it parses the first file and realizes it *isn't* just a
signature, so it errors out.
-- 
Adam Williamson
Fedora QA
IRC: adamw | Twitter: adamw_ha
https://www.happyassassin.net

_______________________________________________
test mailing list -- test@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to test-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/test@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue




[Index of Archives]     [Fedora Desktop]     [Fedora SELinux]     [Photo Sharing]     [Yosemite Forum]     [KDE Users]

  Powered by Linux