On Mon, 2022-11-21 at 00:18 +0100, AV via test wrote:
On Sat, 2022-11-19 at 19:33 -0800, Samuel Sieb wrote:
> On 11/18/22 16:11, AV via test wrote:
> > Following info on
https://getfedora.org/en/security/
> >
> > gpgv --keyring ./fedora.gpg *-CHECKSUM
> > gpgv: not a detached signature
> >
> > I think a little correction is warranted.
>
> You need to give more specific information about what exactly you
> tried.
> I followed the instructions there and it worked as expected.
I discovered today what happened. I had downloaded both
Fedora-Workstation and Fedora-Everything together with
their CHECKSUMS into the same folder.
If you then try "gpgv --keyring ./fedora.gpg *-CHECKSUM"
it results in this error message.
Remove one of the two from the folder and it works as
expected.
But as yet it is not clear to me why this error message
meant for another situation.
I think this is probably the explanation, from `man gpgv`:
EXAMPLES
gpgv pgpfile
gpgv sigfile [datafile]
Verify the signature of the file. The second form is used for detached
signatures, where sigfile is the detached signature (either ASCII-armored or binary) and
datafile
contains the signed data; if datafile is "-" the signed data is
expected on stdin; if datafile is not given the name of the file holding the signed data
is constructed by
cutting off the extension (".asc", ".sig" or
".sign") from sigfile.
The command given in the instructions uses the wildcard (*-CHECKSUM)
because we don't know exactly what the file will be called. It's
expecting that wildcard to match just one file, the one we want to
check. But because you downloaded two to the same directory, the
wildcard matches both of them, so now you're passing two files to gpgv.
As the above says, passing two files makes it think you're giving it
one file with the signature only and one file with the signed data -
but then it parses the first file and realizes it *isn't* just a
signature, so it errors out.
--
Adam Williamson
Fedora QA
IRC: adamw | Twitter: adamw_ha
https://www.happyassassin.net