D. Hugh Redelmeier <hugh <at> mimosa.com> writes:
The verify page says that key DE7F38BD is the Fedora 18 key. But my imports included
gpg: key 22B3B81A: "Fedora (18) <fedora <at> fedoraproject.org>" not changed
gpg: key 34E166FA: "Fedora Secondary Arch (18) <fedora <at> fedoraproject.org>" not changed
===> Which is the real Fedora 18 key? Why isn't this documented better?

I vaguely remember having this issue early in F18 development. I believe the
verify page initially had the 22B3B81A key but for some reason it had to be
changed. The DE7F38BD key is the current one. There's a bug
https://bugzilla.redhat.com/show_bug.cgi?id=861836 which has never been acted on.

When I do the specified checksum command, I get scary warnings:
$ sha256sum -c *-CHECKSUM
Fedora-18-Beta-x86_64-DVD.iso: OK
sha256sum: Fedora-18-Beta-x86_64-netinst.iso: No such file or directory
Fedora-18-Beta-x86_64-netinst.iso: FAILED open or read
sha256sum: WARNING: 20 lines are improperly formatted
sha256sum: WARNING: 1 listed file could not be read
The warning about improperly formatted lines is clearly because of the
GPG stuff.
===> Should we not have a version of sha256 that knows how to deal
with the gpg signature?

The FAILED messages for missing files have always been there. The warning about
improperly formatted lines is recent. I filed
https://bugzilla.redhat.com/show_bug.cgi?id=733561 against this but it was
closed as NOTABUG due to concerns that blocking that warning could cause
security issues.
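
One way to build the signature-aware check asked about in this thread, as an added example that is not part of the original messages or of any Fedora or coreutils tooling: only the text that gpg has verified is ever parsed, so armor lines never reach the checker and any unparseable line inside the signed text is treated as an error rather than a warning. The function names are hypothetical, and the sketch assumes coreutils-style checksum lines, `gpg` on the PATH and the release key already imported.

```python
import hashlib
import re
import subprocess
from pathlib import Path

# coreutils checksum line: 64 hex digits, a space, ' ' or '*' (text/binary), file name
LINE = re.compile(r"^([0-9a-f]{64}) [ *](.+)$")


def signed_body(checksum_file):
    """Return only the text gpg vouches for; raises if the signature does not verify."""
    # For a clearsigned file, --decrypt writes the signed text to stdout and
    # exits non-zero on a bad signature or an unknown key.
    done = subprocess.run(["gpg", "--decrypt", str(checksum_file)],
                          check=True, capture_output=True, text=True)
    return done.stdout


def check(body, directory="."):
    """Check each listed file in `directory`; return {name: OK | FAILED | MISSING}."""
    results = {}
    for line in body.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        m = LINE.match(line)
        if m is None:
            # Inside signed text an unparseable line is an error, not noise.
            raise ValueError(f"unexpected line in signed checksum text: {line!r}")
        digest, name = m.groups()
        if Path(name).name != name:
            raise ValueError(f"refusing file name with a path component: {name!r}")
        path = Path(directory) / name
        if not path.is_file():
            results[name] = "MISSING"  # image not downloaded; reported, not failed
            continue
        h = hashlib.sha256()
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(1 << 20), b""):
                h.update(chunk)
        results[name] = "OK" if h.hexdigest() == digest else "FAILED"
    return results


if __name__ == "__main__":
    import sys
    for name, status in check(signed_body(sys.argv[1])).items():
        print(f"{name}: {status}")
```

Run as a script with the path to the CHECKSUM file from the directory holding the downloaded images; an image that was never downloaded shows up as MISSING instead of FAILED.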