On Mon, Nov 21, 2022 at 12:18 AM AV via test
<test(a)lists.fedoraproject.org>
wrote:
> On Sat, 2022-11-19 at 19:33 -0800, Samuel Sieb wrote:
> > On 11/18/22 16:11, AV via test wrote:
> > > Following info on
https://getfedora.org/en/security/
> > >
> > > gpgv --keyring ./fedora.gpg *-CHECKSUM
> > > gpgv: not a detached signature
> > >
> > > I think a little correction is warranted.
> >
> > You need to give more specific information about what exactly you
> > tried.
> > I followed the instructions there and it worked as expected.
>
> I discovered today what happened. I had downloaded both
> Fedora-Workstation and Fedora-Everything together with
> their CHECKSUMS into the same folder.
> If you then try "gpgv --keyring ./fedora.gpg *-CHECKSUM"
> it results in this error message.
> Remove one of the two from the folder and it works as
> expected.
> But as yet it is not clear to me why this error message
> meant for another situation.
>
Can you file a bug or a pull request at
https://pagure.io/fedora-web/websites/ ? I think the command should be
modified to:
$ gpgv --keyring ./fedora.gpg CHECKSUM_FILE
and the description should state to replace CHECKSUM_FILE with an actual
checksum file name. I agree that currently it's confusing because it looks
like it can handle processing multiple checksum files together (which is
the case for sha256sum, but not for gpgv).
Well, the point of the asterisk is to make it so you can just copy-and-
paste and run the command and it will find whatever (assumed single)
CHECKSUM file is present - it saves the user having to manually modify
the command.
--
Adam Williamson
Fedora QA
IRC: adamw | Twitter: adamw_ha