verifying the boot.iso for fedora 15

Joel Rees joel.rees at gmail.com
Wed Apr 6 02:22:18 UTC 2011


Okay, trying to verify the alpha netinst.iso, I seem to have forgotten
the way these files work, again.

----
gpg --verify Fedora-15-Alpha-i386-CHECKSUM Fedora-15-Alpha-i386-netinst.iso
gpg: not a detached signature
----

This is telling me that the CHECKSUM combines the signature and the checksum.

I looked inside the CHECKSUM (actually seeing the contents instead of
just checking that there was something there). The list of files and
checksums is in there with the signature. That's why it's not a
detached signature.

On Wed, Apr 6, 2011 at 8:58 AM, Joel Rees <joel.rees at gmail.com> wrote:
> On Wed, Apr 6, 2011 at 12:14 AM, Ed Greshko <Ed.Greshko at greshko.com> wrote:
>> On 04/05/2011 11:12 PM, Ed Greshko wrote:
>>> On 04/05/2011 10:43 PM, Joel Rees wrote:
>>>> How does one verify boot.iso for the alpha version?
>>>>
>>>> I've imported the key file, but I don't see a proper signature or an
>>>> sha256 checksum.
>>> I downloaded from a mirror and it was there....
>>>
>>> e.g.
>>> ftp://ftp.isu.edu.tw:0/pub/Linux/Fedora/linux/releases/test/15-Alpha/Fedora/i386/iso/Fedora-15-Alpha-i386-CHECKSUM
>>>
>>
>> Sorry....  That should have read...
>>
>> ftp://ftp.isu.edu.tw/pub/Linux/Fedora/linux/releases/test/15-Alpha/Fedora/i386/iso/Fedora-15-Alpha-i386-CHECKSUM
>
> Hmm.
>
> I see that I was looking in a different place. I was looking at
>
> linux/development/15/i386/os/images/boot.iso , and this is
>
> linux/releases/15-Alpha/Fedora/i386/iso/Fedora-15-Alpha-i386-netinst.iso
> (or the DVD).
>
> Okay, just for fun, I played games linking (symbolic) boot.iso to
> Fedora-15-Alpha-i386.iso and gpg says this:

That would have been

----
ln -s boot.iso Fedora-15-Alpha-i386.iso
gpg --verify Fedora-15-Alpha-i386-CHECKSUM
----

> gpg: Signature made Thu 03 Mar 2011 12:34:51 PM JST using RSA key ID 069C8460
> gpg: Good signature from "Fedora (15) <fedora at fedoraproject.org>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the owner.
> Primary key fingerprint: 25DB B54B DED7 0987 F4C1  0042 B4EB F579 069C 8460

which tells me that the signature on the checksums is valid. So, now
I need to actually run sha256sum or openssl sha256 on the file and
compare the signatures.

----
sha256sum Fedora-15-Alpha-i386.iso > checksum15.text
vi Fedora-15-Alpha-i386-CHECKSUM checksum15.text
----

and yy the checksum from the one and p it in the other and eyeball it
-- they match, and now I know they match.

Yep. I've forgotten how to use gpg again. I hate getting old.

> but I don't find either the key or the fingerprint at
> https://fedoraproject.org/keys.
>
> I guess I'm going to download the netinst iso now.

For what it's worth, I cmp-ed the boot.iso and the netinst.iso and
they are definitely not the same. Not sure whether I expected them to
be.

So, now I have a netinst image with a very high probability of being
valid, and I go back and look at gPXE and the BFO stuff, and I'm more
than half thinking I want to go that route instead. Maybe.

Sorry for the noise, but I'm going to post this, to leave myself
another note. Maybe I'll someday get myself to remember that gpg does
not automatically look at the file list and run the checksum step.

Joel Rees
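
The two steps from the message above (check the signature on the CHECKSUM file, then compare the ISO's SHA-256 against the signed list) combined in one script. This is an added example, not part of the original post; the function names are made up here, and it assumes the CHECKSUM body uses sha256sum's `<hex> *<name>` line format.

```shell
#!/bin/sh
# Added example: gpg only vouches for the CHECKSUM text, so the hash
# comparison has to be done as a separate step on the signed text.

# Print only the text covered by the signature. On a clearsigned file,
# gpg --decrypt writes the signed body to stdout and exits non-zero when
# the signature is bad or the public key is not in the keyring.
signed_body() {
    gpg --batch --decrypt "$1"
}

# Read sha256sum-format lines on stdin and compare the entry whose name
# equals basename($1) with the digest of the file itself.
# Returns 0 on match, 1 on mismatch, 2 when the file is not listed.
# Assumption: file names contain no whitespace (true for the ISO names).
check_listed_sha256() {
    file=$1
    name=$(basename "$file")
    expected=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f) }
        f == n && length($1) == 64 { print tolower($1); exit }')
    [ -n "$expected" ] || return 2
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    [ "$expected" = "$actual" ]
}

# verify_iso CHECKSUM-file ISO-file
# Returns 3 when the signature step fails; otherwise the status of the
# hash comparison.
verify_iso() {
    body=$(signed_body "$1") || {
        echo "signature check failed for $1" >&2
        return 3
    }
    printf '%s\n' "$body" | check_listed_sha256 "$2"
}

# Usage, with the file names from the post:
#   verify_iso Fedora-15-Alpha-i386-CHECKSUM Fedora-15-Alpha-i386-netinst.iso
```

A zero status here means the list was signed by some key in the keyring and the ISO matches that list; whether that key is the right one is still decided by comparing the fingerprint gpg prints.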

