2009-11-18

Verify Fedora ISOs

As I have fallen victim to this a couple of times (thank you Jesse for being patient with me on the third or fourth time :)), here is how to verify a Fedora ISO (the thing you burn to a CD, DVD or USB stick).

Here is what I did to get FAIL:

1) Download checksum file.
2) Look in the file and see:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

f0ad929cd259957e160ea442eb80986b5f01daaffdbcc7e5a1840a666c4447c7 *Fedora-12-i386-DVD.iso
2f548ce50c459a0270e85a7d63b2383c55239bf6aead9314a0f887f3623ddace *Fedora-12-i386-disc1.iso
ce77d16d1b3362859aaa856f1f29c7197db69264d8ce6b9f8111dcee4d5e9ef7 *Fedora-12-i386-disc2.iso
8c39cb9e3c1583948dcad21f9fdbe48a3ff6a8d1b536462188d47747c2640b36 *Fedora-12-i386-disc3.iso
07f03f67d23331e8c7a37ad19e9a99062a4584a3e028beb40c49923bb5c70c6b *Fedora-12-i386-disc4.iso
dff8c478fb73452a8799016deeecccde3097d40a0b756d681bfe6be2e56bb9eb *Fedora-12-i386-disc5.iso
128112527bdd4036ec82d678b5d5362aa7a11ac15a73647afd743d7a325f7df9 *Fedora-12-i386-netinst.iso
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
...
=HttN
-----END PGP SIGNATURE-----

and used sha1sum to verify the DVD I had downloaded. It of course didn't work.

3) Use other sum tools (md5sum, sha224sum, sha256sum *HEY THAT GIVES ME THE RIGHT DATA*)
4) Get confused on the text and talk to Jesse Keating on IRC.

The SHA1 line is really part of the GPG signature (it names the digest GnuPG used for the cleartext signature) and not the command used to generate the checksums; the checksum lines themselves are SHA256. Work is being done to make this clearer in future CHECKSUM files, but that won't hit until F13. Anyway, I figured a blog post that Google will remember will help others in the future.

Edited to add: Checksums can be found via SSL here: https://fedoraproject.org/static/checksums/Fedora-12-i386-CHECKSUM
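The checksum step, as an added example that is not part of the original post: it builds a constructed stand-in for the ISO and a CHECKSUM file in the same layout as the one above (a "Hash: SHA1" armour header over SHA256 digest lines), then checks the file with sha256sum and shows why sha1sum rejects the same line. The file names are the Fedora 12 ones from the post; the digest values and the signature body are constructed here, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not the post's own commands. Exercises the checksum half of
# ISO verification against a constructed CHECKSUM file in the Fedora-12 layout.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed stand-ins for the images (the real DVD is several GB).
printf 'constructed stand-in for the DVD image\n' > Fedora-12-i386-DVD.iso
printf 'constructed stand-in for the netinst image\n' > Fedora-12-i386-netinst.iso

# CHECKSUM file shaped like the real one: the cleartext-signature header says
# "Hash: SHA1", but every digest line is a 64-hex-digit SHA256. The netinst
# line deliberately carries a wrong digest; disc1 is listed but not present.
dvd_sum=$(sha256sum Fedora-12-i386-DVD.iso | cut -d' ' -f1)
bogus=0000000000000000000000000000000000000000000000000000000000000000
{
  printf -- '-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n'
  printf '%s *Fedora-12-i386-DVD.iso\n' "$dvd_sum"
  printf '%s *Fedora-12-i386-disc1.iso\n' "$bogus"
  printf '%s *Fedora-12-i386-netinst.iso\n' "$bogus"
  printf -- '-----BEGIN PGP SIGNATURE-----\n'
  printf '(signature body omitted in this constructed sample)\n'
  printf -- '-----END PGP SIGNATURE-----\n'
} > Fedora-12-i386-CHECKSUM

# Name the digest algorithm from the length of the hex string: this is the
# check that would have avoided the trap, since 64 hex digits is not SHA1.
digest_algo_of() {
  case ${#1} in
    32) echo md5 ;;
    40) echo sha1 ;;
    64) echo sha256 ;;
    *)  echo unknown ;;
  esac
}

# Check one ISO against the CHECKSUM file with the given *sum tool.
# Only the line naming that ISO is fed to the tool, so the PGP armour lines
# and the images you did not download do not turn into spurious failures.
# Exit codes: 0 match, 1 mismatch or tool rejected the line, 2 not listed.
check_with() {
  tool=$1; checksum_file=$2; iso=$3
  line=$(grep -E "^[0-9a-f]+ \*?$iso\$" "$checksum_file") || return 2
  printf '%s\n' "$line" | "$tool" -c --status
}

# The correct procedure: confirm the digest length first, then sha256sum -c.
verify_iso() {
  checksum_file=$1; iso=$2
  line=$(grep -E "^[0-9a-f]+ \*?$iso\$" "$checksum_file") || return 2
  [ "$(digest_algo_of "${line%% *}")" = sha256 ] || return 3
  check_with sha256sum "$checksum_file" "$iso"
}

verify_iso Fedora-12-i386-CHECKSUM Fedora-12-i386-DVD.iso && echo "DVD: OK"
```

The matching digest only proves the download is the file the CHECKSUM describes; it is `gpg --verify Fedora-12-i386-CHECKSUM` (with the Fedora release key imported) that proves the CHECKSUM file itself is genuine, and that signature is what the "Hash: SHA1" header belongs to. Fetching the CHECKSUM over SSL, as the edit above suggests, narrows the window in which a tampered checksum file could be served, but does not replace the signature check.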

4 comments:

Solid Smoke said...

This is indeed confusing. There's a bug report here: https://bugzilla.redhat.com/show_bug.cgi?id=515715

Ant Bryan said...

You could also download with a metalink, which lists mirrors & a checksum that download clients will automatically use to verify the file.

Stefan said...

I was falling into the same trap and downloaded the DVD twice. I don't see many pgp signatures so did not conclude that it is the pgp-key with the sha1 hash... possibly one could have also concluded by the length of the hashes that they are not sha1 but common, how often does one see different hashes...

One way out would be to use sha256 for the signature as well I would say...

Stephen Smoogen said...

The interesting thing was that the Fedora 11 checksums were gpg signed with sha256 but it seems to have caused many problems with certain tools which weren't able to handle sha256 gpg. So it was moved back to SHA1 for better usability.

My guess is that there will be text in the future saying SHA256 checksums or such.