#5585: Separate checksum file and signature to avoid incorrect usage (warnings)

Fedora Release Engineering rel-eng at fedoraproject.org
Fri Apr 12 09:05:18 UTC 2013


-----------------------------+------------------------
 Reporter:  shaiton          |       Owner:  rel-eng@…
     Type:  task             |      Status:  new
Milestone:  Fedora 19 Alpha  |   Component:  koji
 Keywords:                   |  Blocked By:
 Blocking:                   |
-----------------------------+------------------------
 The actual procedure to test downloads is:
 https://fedoraproject.org/verify
 The signature is inside the checksum file, which results in the following
 warnings that could be misread:

 {{{
 sha256sum: WARNING: 20 lines are improperly formatted
 sha256sum: WARNING: 7 listed files could not be read
 }}}

 There are two ways to avoid that:
 * Forcing people to check the sig by downloading the checksum.asc file,
 checking it with gpg, then running sha256 to check the output file.
 * Using a detached signature to make it faster for people who do not
 want to check the sig (and import it). The first solution could be used
 that way if we use clear-sig.

 Therefore, the idea would be to go for the first solution. One would check
 the ISO by:
 * importing the Fedora signature: `curl
 https://fedoraproject.org/static/fedora.gpg | gpg --import`
 * downloading the checksum.asc file that would have been created with `gpg
 -s --clearsign checksum` for example.
 * checking the sig and exporting the checksum file `gpg checksum.asc`
 * doing the checksum test: `sha256sum -c checksum`

 The following process for people just wanting to check the file without
 the sig will just be downloading the ISO, computing the checksum manually
 on the file, and comparing the output manually against the online clear
 signature file.
 We will still have the warning for missing files, but at least the "20
 lines are improperly formatted" will be dropped and won't scare people
 anymore.

-- 
Ticket URL: <https://fedorahosted.org/rel-eng/ticket/5585>
Fedora Release Engineering <http://fedorahosted.org/rel-eng>
Release Engineering for the Fedora Project
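The flow the ticket proposes (extract the clearsigned text first, then check the hashes), as an added example that is not part of the ticket or of Fedora's tooling: Python stands in for `gpg --output` and `sha256sum -c`, the checksum file is constructed with a placeholder signature block (signature verification itself stays with gpg), and which lines count as "improperly formatted" is an approximation of sha256sum's behaviour.

```python
import hashlib
import re
import tempfile
from pathlib import Path

CHECKSUM_LINE = re.compile(r"^SHA256 \((?P<name>.+)\) = (?P<hex>[0-9a-f]{64})$")  # Fedora's BSD-style entry

def extract_cleartext(asc):
    """Signed text of a clearsigned file (RFC 4880 sect. 7): armor headers dropped, '- ' unescaped."""
    lines = asc.splitlines()
    if lines[0] != "-----BEGIN PGP SIGNED MESSAGE-----":
        raise ValueError("not a clearsigned message")
    start = lines.index("", 1) + 1          # first blank line ends the 'Hash:' headers
    end = lines.index("-----BEGIN PGP SIGNATURE-----", start)
    return "\n".join(l[2:] if l.startswith("- ") else l
                     for l in lines[start:end]) + "\n"

def parse_checksums(text):
    """Return ({name: hex}, [lines sha256sum -c would report as improperly formatted])."""
    expected, bad = {}, []
    for line in text.splitlines():
        if m := CHECKSUM_LINE.match(line):
            expected[m["name"]] = m["hex"]
        elif line and not line.startswith("#"):   # blank and comment lines are skipped
            bad.append(line)
    return expected, bad

def check_files(expected, directory):
    """Hash each listed file; return (ok, failed, missing) name lists."""
    ok, failed, missing = [], [], []
    for name, digest in expected.items():
        path = Path(directory, name)
        if not path.exists():
            missing.append(name)
            continue
        actual = hashlib.sha256(path.read_bytes()).hexdigest()
        (ok if actual == digest else failed).append(name)
    return ok, failed, missing

def demo():
    """Constructed data: one ISO present, one listed but absent, placeholder signature."""
    d, data = tempfile.mkdtemp(), b"fake iso contents\n"
    Path(d, "present.iso").write_bytes(data)
    asc = ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n# present.iso: 18 bytes\n"
           f"SHA256 (present.iso) = {hashlib.sha256(data).hexdigest()}\n"
           f"SHA256 (missing.iso) = {'0' * 64}\n"
           "-----BEGIN PGP SIGNATURE-----\nPLACEHOLDER\n-----END PGP SIGNATURE-----\n")
    raw_bad = parse_checksums(asc)[1]          # feeding the .asc to the checker directly
    expected, clean_bad = parse_checksums(extract_cleartext(asc))
    return len(raw_bad), len(clean_bad), check_files(expected, d)
```

demo() returns (5, 0, (['present.iso'], [], ['missing.iso'])): the five armor lines are flagged when the .asc is checked directly, none after extraction, and the absent ISO still shows up as missing, as the ticket expects.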