[This stuff may be obvious. But it wasn't to me, so I think that it ought
to qualify as testing.]
Problem summary: confused about release's GPG key.
I downloaded the Fedora 18 Beta x86_64 Install DVD from here:
<https://fedoraproject.org/get-prerelease>
It told me to verify my download as per
<https://fedoraproject.org/en/verify>
I imported Fedora keys as that page suggested (in fact, I had all of them
already).
I downloaded the checksum for the .iso
<https://fedoraproject.org/static/checksums/Fedora-18-Beta-x86_64-CHECKSUM...
I verified the CHECKSUM file:
$ gpg --verify-files *-CHECKSUM
gpg: Signature made Thu 22 Nov 2012 11:13:47 PM EST using RSA key ID DE7F38BD
gpg: Can't check signature: public key not found
Notice: even though I imported the keys that I was told to, the necessary key was not
there.
The verify page says that key DE7F38BD is the Fedora 18 key. But my imports included
gpg: key 22B3B81A: "Fedora (18) <fedora(a)fedoraproject.org>" not changed
gpg: key 34E166FA: "Fedora Secondary Arch (18) <fedora(a)fedoraproject.org>" not changed
===> Which is the real Fedora 18 key? Why isn't this documented better?
When I do the specified checksum command, I get scary warnings:
$ sha256sum -c *-CHECKSUM
Fedora-18-Beta-x86_64-DVD.iso: OK
sha256sum: Fedora-18-Beta-x86_64-netinst.iso: No such file or directory
Fedora-18-Beta-x86_64-netinst.iso: FAILED open or read
sha256sum: WARNING: 20 lines are improperly formatted
sha256sum: WARNING: 1 listed file could not be read
The warning about improperly formatted lines is clearly because of the
GPG stuff.
===> Should we not have a version of sha256 that knows how to deal
with the gpg signature?
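
An added example, not part of the original post and not Fedora or coreutils code: a checker that reads only the checksum lines inside the clearsigned region of a CHECKSUM file, so the PGP framing causes no "improperly formatted" warnings and files that were not downloaded are reported as missing rather than failed. It assumes GNU coreutils-style lines (`<sha256> *<name>`) and does not check the signature itself; `gpg --verify` on the file is still required first. The function names and the sample data are hypothetical.

```python
import hashlib
import os
import re

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
# GNU coreutils line: 64 hex digits, a space, ' ' (text) or '*' (binary), file name
ENTRY = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")

def signed_entries(text):
    """Return {filename: sha256} from the clearsigned body only."""
    lines = text.splitlines()
    try:
        start = lines.index(BEGIN_MSG)
        end = lines.index(BEGIN_SIG, start)
        skip = lines.index("", start, end)  # armor headers end at first blank line
    except ValueError:
        raise ValueError("not a clearsigned file") from None
    entries = {}
    for line in lines[skip + 1:end]:
        if line.startswith("- "):           # undo OpenPGP dash-escaping
            line = line[2:]
        m = ENTRY.match(line)
        if m:
            entries[m.group(2)] = m.group(1).lower()
    return entries

def check(text, directory="."):
    """Map each signed entry to 'OK', 'FAILED' or 'MISSING'."""
    results = {}
    for name, expected in signed_entries(text).items():
        path = os.path.join(directory, os.path.basename(name))
        if not os.path.isfile(path):
            results[name] = "MISSING"
            continue
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 20), b""):
                h.update(chunk)
        results[name] = "OK" if h.hexdigest() == expected else "FAILED"
    return results

# Constructed sample: placeholder signature, plus one line outside the signed region.
SAMPLE = "\n".join([
    BEGIN_MSG, "Hash: SHA256", "",
    hashlib.sha256(b"").hexdigest() + " *Fedora-18-Beta-x86_64-DVD.iso",
    "0" * 64 + " *Fedora-18-Beta-x86_64-netinst.iso",
    BEGIN_SIG, "", "(placeholder, not a real signature)", "-----END PGP SIGNATURE-----",
    "f" * 64 + " *outside-signature.iso"])
```

Lines that appear outside the signed region are ignored on purpose, since the signature does not cover them.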