susmit shannigrahi wrote:
Can you please help with this?
Thanks.
---------- Forwarded message ----------
From: Jeff Shepherd
Date: Wed, Nov 18, 2009 at 1:07 PM
Is it just me, or are the checksums to verify the Fedora 12 discs
incorrectly listed here on these pages:
https://fedoraproject.org/static/checksums/Fedora-12-i386-CHECKSUM
https://fedoraproject.org/static/checksums/Fedora-12-x86_64-CHECKSUM
The page says that it's SHA1, but my SHA1 looks nothing like those and
the SHA256 matches exactly. I've verified this on Windows & Fedora
11.
At first I thought I had a bad download, so I downloaded again, only
to find that these are not SHA1 checksums, they're SHA256.
Can anyone else confirm? Can anyone shed light as to why the page
says SHA1 when it's SHA256? How do we go about getting this
corrected?
For the benefit of context (mind any line wrap):
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
f0ad929cd259957e160ea442eb80986b5f01daaffdbcc7e5a1840a666c4447c7 *Fedora-12-i386-DVD.iso
2f548ce50c459a0270e85a7d63b2383c55239bf6aead9314a0f887f3623ddace *Fedora-12-i386-disc1.iso
ce77d16d1b3362859aaa856f1f29c7197db69264d8ce6b9f8111dcee4d5e9ef7 *Fedora-12-i386-disc2.iso
8c39cb9e3c1583948dcad21f9fdbe48a3ff6a8d1b536462188d47747c2640b36 *Fedora-12-i386-disc3.iso
07f03f67d23331e8c7a37ad19e9a99062a4584a3e028beb40c49923bb5c70c6b *Fedora-12-i386-disc4.iso
dff8c478fb73452a8799016deeecccde3097d40a0b756d681bfe6be2e56bb9eb *Fedora-12-i386-disc5.iso
128112527bdd4036ec82d678b5d5362aa7a11ac15a73647afd743d7a325f7df9 *Fedora-12-i386-netinst.iso
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
=HttN
-----END PGP SIGNATURE-----
"Hash: SHA1" refers to the hash in the PGP signature, not the hash
values of the iso images. The way digital signatures work, first you
take a hash of the message, which is this part:
f0ad929cd259957e160ea442eb80986b5f01daaffdbcc7e5a1840a666c4447c7 *Fedora-12-i386-DVD.iso
2f548ce50c459a0270e85a7d63b2383c55239bf6aead9314a0f887f3623ddace *Fedora-12-i386-disc1.iso
ce77d16d1b3362859aaa856f1f29c7197db69264d8ce6b9f8111dcee4d5e9ef7 *Fedora-12-i386-disc2.iso
8c39cb9e3c1583948dcad21f9fdbe48a3ff6a8d1b536462188d47747c2640b36 *Fedora-12-i386-disc3.iso
07f03f67d23331e8c7a37ad19e9a99062a4584a3e028beb40c49923bb5c70c6b *Fedora-12-i386-disc4.iso
dff8c478fb73452a8799016deeecccde3097d40a0b756d681bfe6be2e56bb9eb *Fedora-12-i386-disc5.iso
128112527bdd4036ec82d678b5d5362aa7a11ac15a73647afd743d7a325f7df9 *Fedora-12-i386-netinst.iso
So what hash do you take of that? SHA1
The message body could be a uuencoded jpg of your mother kissing Mickey
Mouse at Disneyland. It doesn't matter. If it's digitally signed,
there will be a line that says "Hash: SHA1" just after the start of the
message delimiter. Don't be distracted by the fact that the message in
this case is a list of some other hash values, which happen to be SHA256.
After taking the hash of the message, you encrypt it with the private
key of the signer. That's the signature included within the signature
delimiters. The signer in this case is Fedora 12 itself with key ID
57bbccba. You can get the public GPG keys (for verification) from
https://fedoraproject.org/static/fedora.gpg
HTH
I don't subscribe to fedora-freemedia-list, so feel free to repost this
response there. Apologies to your mother, if required, as well.
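
Added example (not part of the original thread, and not Fedora's own tooling): a short Python parser that keeps the two hashes in a cleartext-signed CHECKSUM file apart, reading the armor "Hash:" header separately from the per-file digests and inferring each file digest's algorithm from its length. The function names and the sample data are constructed for illustration; the signature itself still has to be checked with gpg --verify before the listed digests are trusted.

```python
import hashlib
import re

# Hex digest length -> hashlib algorithm name.
HEX_LEN_TO_ALGO = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
ENTRY = re.compile(r"^([0-9a-fA-F]+)\s+\*?(\S+)$")


def parse_clearsigned(text):
    """Return (signature_hash, entries) for a cleartext-signed checksum list.

    signature_hash is the armor "Hash:" header: the digest the signer took of
    the body. entries maps file name -> (algo, hexdigest), where algo is
    inferred from the length of each digest in the body.
    """
    lines = text.splitlines()
    start = lines.index("-----BEGIN PGP SIGNED MESSAGE-----")
    end = lines.index("-----BEGIN PGP SIGNATURE-----")
    blank = lines.index("", start)  # armor headers end at the first empty line
    headers = dict(h.split(": ", 1) for h in lines[start + 1:blank])
    entries = {}
    for line in lines[blank + 1:end]:
        m = ENTRY.match(line.strip())
        if m and len(m.group(1)) in HEX_LEN_TO_ALGO:
            digest = m.group(1).lower()
            entries[m.group(2)] = (HEX_LEN_TO_ALGO[len(digest)], digest)
    return headers.get("Hash"), entries


def verify(name, data, entries):
    """True if data hashes to the digest listed for name."""
    algo, expected = entries[name]
    return hashlib.new(algo, data).hexdigest() == expected


# Constructed sample: a stand-in "ISO" and a signed list built for it.
SAMPLE_ISO = b"constructed stand-in for an ISO image"
SAMPLE = "\n".join([
    "-----BEGIN PGP SIGNED MESSAGE-----",
    "Hash: SHA1",
    "",
    hashlib.sha256(SAMPLE_ISO).hexdigest() + " *sample.iso",
    "-----BEGIN PGP SIGNATURE-----",
    "(signature data omitted in this constructed sample)",
    "-----END PGP SIGNATURE-----",
])

if __name__ == "__main__":
    sig_hash, entries = parse_clearsigned(SAMPLE)
    print(sig_hash, entries["sample.iso"][0], verify("sample.iso", SAMPLE_ISO, entries))
```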