Creating a trusted sha256sum.exe binary for verifying *-CHECKSUM files on Windows
Todd Zullinger
tmz at pobox.com
Tue Nov 24 18:08:44 UTC 2009
Jeroen van Meeuwen wrote:
> The goal is, of course, to verify the .iso against what is listed as
> it's sha256sum. Whether the tools ultimately come from the same
> source doesn't matter. It should, though, be advisable to not
> include the sha246sum.exe on the mirrors, and only serve the file
> over http over ssl.
Indeed, that's the plan. It would be served up via SSL, just as the
GPG keys and *-CHECKSUM files are currently. That way, if someone
comes to https://fedoraproject.org/verify, they at least have our SSL
certificate as a starting point for trust.
--
Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Chemistry is applied theology.
-- Augustus Owsley Stanley
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 542 bytes
Desc: not available
Url : http://lists.fedoraproject.org/pipermail/infrastructure/attachments/20091124/bac0ac85/attachment.bin
More information about the infrastructure
mailing list