On 11/18/2009 01:10 PM, susmit shannigrahi wrote: Refer to https://www.redhat.com/archives/fedora-test-list/2009-November/msg00820.html Rahul

Allen Kistler wrote: That thread is on the mark. The fix that Jesse is referring to is likely that we'll add some text to the *CHECKSUM files explaining what checksum tool to use for verification, perhaps pointing to the page at https://fedoraproject.org/verify and some large print that says "USE sha256sum TO VERIFY THE CHECKSUMS, DESPITE ANY PGP 'Hash:' LINE YOU MAY SEE AND THINK YOU UNDERSTAND." :) Unfortunately, many, many people confuse the 'Hash: SHA1' line which is part of the PGP signature with the SHA256 checksum data that is in the *CHECHKSUM files. It would almost be better to just have detatched PGP signature files. That way, those who are not familiar with PGP would not ever see a 'Hash: SHA1' line to confuse them. Oddly, at some point the PGP signatures will be made using SHA256 as well and that will then match the checksum used for the .iso files. But as long as people conflate the PGP Hash header and the checksum used to create the clearsigned data, we'll have this problem. We've gotten a _lot_ of this question at the webmaster address. I never realized how many people made the flawed assumption that the PGP Hash: header had anything to do with the checksum data in the files. Please spread the message as much as possible that they are NOT related in ANY way. -- Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Truth is like a well-known whore. Everybody knows her but it's embarrassing to meet her in the street. -- Wolfgang Borchert

susmit shannigrahi wrote: For the benefit of context (mind any line wrap): "Hash: SHA1" refers to the hash in the PGP signature, not the hash values of the iso images. The way digital signatures work, first you take a hash of the message, which is this part: So what hash do you take of that? SHA1 The message body could be a uuencoded jpg of your mother kissing Mickey Mouse at Disneyland. It doesn't matter. If it's digitally signed, there will be a line that says "Hash: SHA1" just after the start of the message delimiter. Don't be distracted by the fact that the message in this case is a list of some other hash values, which happen to be SHA256. After taking the hash of the message, you encrypt it with the private key of the signer. That's the signature included within the signature delimiters. The signer in this case is Fedora 12 itself with key ID 57bbccba. You can get the public GPG keys (for verification) from https://fedoraproject.org/static/fedora.gpg HTH I don't subscribe to fedora-freemedia-list, so feel free to repost this response there. Apologies to your mother, if required, as well.