-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On 05/01/2016 09:48 AM, Corey Sheldon wrote:
On 04/27/2016 09:10 PM, Dan Haskell wrote:
> Downloaded iso of the server edition. Tried to verify following
> instructions and failed. First your key is not certified.
>> gpg --verify-files Fedora-Server-23-x86_64-CHECKSUM
> gpg: Signature made Fri 30 Oct 2015 01:31:05 PM PDT using RSA
> key ID 34EC9CBA gpg: Good signature from "Fedora (23)
> <fedora-23-primary(a)fedoraproject.org>" [unknown] gpg: WARNING:
> This key is not certified with a trusted signature! gpg:
> There is no indication that the signature belongs to the owner.
> Primary key fingerprint: EF45 5106 80FB 0232 6B04 5AFB 3247 4CF8
> 34EC 9CBA
> Second, it appears to be the wrong key(?)
>> ls
> Fedora-Server-23-x86_64-CHECKSUM
> Fedora-Server-DVD-x86_64-23.iso
>> sha256sum -c Fedora-Server-23-x86_64-CHECKSUM
> Fedora-Server-DVD-x86_64-23.iso: OK sha256sum:
> Fedora-Server-netinst-x86_64-23.iso: No such file or directory
> Fedora-Server-netinst-x86_64-23.iso: FAILED open or read
> sha256sum: WARNING: 20 lines are improperly formatted sha256sum:
> WARNING: 1 listed file could not be read
> Couldn't you just provide a md5sum instead? The gpg stuff is
> cool and all, but when it fails... give us something to work
> with. Clicked on support, but it's just a link to a BUNCH of
> forums. Not helpful.
> Dan
> -- websites mailing list websites(a)lists.fedoraproject.org
>
http://lists.fedoraproject.org/admin/lists/websites@lists.fedoraproje c
>
t.org
Dan,
First
thanks for your concern and actually checking the files.
1) The not signed by a trusted signature is on your end , see
the [unknown] at the end of this line:
gpg: Good signature from "Fedora (23)
> <fedora-23-primary(a)fedoraproject.org>" [unknown]
That indicates the signature is valid however is NOT in your
local key-store as a trusted key (aka Set Owner Trust is set to
unknown / I do not know )
As a add-on to Robert's reply:
2) the part of using a md5 from a security stance is a no-go,
reason being multi-fold * md5 is known easy to spoof -- kinda
defeats the purpose of using it doesn't it. * sha256 is
irreversible crypto that takes Owner / time-stamp and source file
and verifies all three with the generation and check. * if you
wish to have a md5 for local use running (sha256sum to confirm
ISOs are in fact genuine)
"sha256sum {base_dir}/Fedora-Server-DVD-x86_64-23.iso" and
"sha256sum {base_dir}/Fedora-Server-netinst-x86_64-23.iso" THEN
''md5sum {base_dir}/Fedora-Server-DVD-x86_64-23.iso >
/some_local_use_hash_store" and
"md5sum {base_dir}/Fedora-Server-netinst-x86_64-23.iso >
/some_local_use_hash_store"
however for the reasons aforementioned the official project page
will not be providing md5sums for its official General
Availability release (or any release) ISOs sorry.
In addition failing to make available md5sum helps us prevent
being on the unlucky end of incidents like the folks that provide
Linux Mint Back in February [1]
[1]
http://blog.linuxmint.com/?p=2994
---Warm Regards --- Corey Sheldon P: +1 (310) 909 7672 PGP:
B54B7228 (keybase) | 5A88E539 (personal) | D2264944 (fedora)
https://gist.github.com/linux-modder/ac5dc6fa211315c633c9
Disclaimer: This document, including attachments, is intended for
the person(s) named within and may contain confidential and/or
legally privileged information, and may occasionally include
Intellectual Property / Embargoed Content. it is request that all
emails regardless of topic or content are regarded in this manner.
Unauthorized disclosure, copying / distribution of this information
may be unlawful and is prohibited, including unsolicited Cc/Bcc. If
you are not the intended recipient, please disregard and destroy
this message and if the recipient is known to you please inform
them, and a return email indicating a improper recipient IS
requested so that I may remove you from any lists, conversations
such error may have created / allowed. Use of OpenGPG keys are
highly encouraged my keys can be found @
hkp://keys.gnupg.net &
hkp://keys.fedoraproject.org -- websites mailing list
websites(a)lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/websites@lists.fedoraprojec t.org
- --
- --- Warm Regards ---
Corey Sheldon
P: +1 (310) 909 7672
PGP: B54B7228 (keybase) | 5A88E539 (personal) | D2264944 (fedora)
https://gist.github.com/linux-modder/ac5dc6fa211315c633c9
Disclaimer: This document, including attachments, is intended for the
person(s) named within and may contain confidential and/or legally
privileged information, and may occasionally include Intellectual
Property / Embargoed Content. it is request that all emails regardless
of topic or content are regarded in this manner. Unauthorized
disclosure, copying / distribution of this information may be unlawful
and is prohibited, including unsolicited Cc/Bcc. If you are not the
intended recipient, please disregard and destroy this message and if the
recipient is known to you please inform them, and a return email
indicating a improper recipient IS requested so that I may remove you
from any lists, conversations such error may have created / allowed. Use
of OpenGPG keys are highly encouraged my keys can be found @
hkp://keys.gnupg.net &
hkp://keys.fedoraproject.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iF4EARYIAAYFAlcmCgkACgkQrio19Q2QBZC/0QEAwOabk3nSl/6Zcnj7exx48aAK
OWHN/0bmOKBH8APqCYkA/j72HSCluHyhAFuYG3SGppBo3V7iQyBOuhAfz9HgfogP
=tUbC
-----END PGP SIGNATURE-----