Sunday, May 1, 2016

Re: Download verification broken

Hash: SHA256

On 04/27/2016 09:10 PM, Dan Haskell wrote:
> Downloaded iso of the server edition. Tried to verify following
> instructions and failed. First your key is not certified.
>> gpg --verify-files Fedora-Server-23-x86_64-CHECKSUM
> gpg: Signature made Fri 30 Oct 2015 01:31:05 PM PDT using RSA key
> ID 34EC9CBA gpg: Good signature from "Fedora (23)
> <>" [unknown] gpg: WARNING: This
> key is not certified with a trusted signature! gpg: There
> is no indication that the signature belongs to the owner. Primary
> key fingerprint: EF45 5106 80FB 0232 6B04 5AFB 3247 4CF8 34EC
> 9CBA
> Second, it appears to be the wrong key(?)
>> ls
> Fedora-Server-23-x86_64-CHECKSUM Fedora-Server-DVD-x86_64-23.iso
>> sha256sum -c Fedora-Server-23-x86_64-CHECKSUM
> Fedora-Server-DVD-x86_64-23.iso: OK sha256sum:
> Fedora-Server-netinst-x86_64-23.iso: No such file or directory
> Fedora-Server-netinst-x86_64-23.iso: FAILED open or read sha256sum:
> WARNING: 20 lines are improperly formatted sha256sum: WARNING: 1
> listed file could not be read
> Couldn't you just provide a md5sum instead? The gpg stuff is cool
> and all, but when it fails... give us something to work with.
> Clicked on support, but it's just a link to a BUNCH of forums. Not
> helpful.
> Dan
> -- websites mailing list


thanks for your concern and actually checking the files.

1) The not signed by a trusted signature is on your end , see the
[unknown] at the end of this line:

gpg: Good signature from "Fedora (23)
> <>" [unknown]

That indicates the signature is valid however is NOT in your local
key-store as a trusted key (aka Set Owner Trust is set to unknown /
I do not know )

As a add-on to Robert's reply:

2) the part of using a md5 from a security stance is a no-go,
reason being multi-fold
* md5 is known easy to spoof -- kinda defeats the purpose of
using it doesn't it.
* sha256 is irreversible crypto that takes Owner / time-stamp and
source file and verifies all three with the generation and check.

* if you wish to have a md5 for local use running (sha256sum to
confirm ISOs are in fact genuine)

"sha256sum {base_dir}/Fedora-Server-DVD-x86_64-23.iso"


"sha256sum {base_dir}/Fedora-Server-netinst-x86_64-23.iso"


''md5sum {base_dir}/Fedora-Server-DVD-x86_64-23.iso >


"md5sum {base_dir}/Fedora-Server-netinst-x86_64-23.iso >

however for the reasons aforementioned the official project page will
not be providing md5sums for its official General Availability
release (or any release) ISOs sorry.

In addition failing to make available md5sum helps us prevent being
on the unlucky end of incidents like the folks that provide Linux
Mint Back in February [1]


- ---Warm Regards ---
Corey Sheldon
P: +1 (310) 909 7672
PGP: B54B7228 (keybase) | 5A88E539 (personal) | D2264944 (fedora)

Disclaimer: This document, including attachments, is intended for the
person(s) named within and may contain confidential and/or legally
privileged information, and may occasionally include Intellectual
Property / Embargoed Content. it is request that all emails regardless
of topic or content are regarded in this manner. Unauthorized
disclosure, copying / distribution of this information may be unlawful
and is prohibited, including unsolicited Cc/Bcc. If you are not the
intended recipient, please disregard and destroy this message and if
the recipient is known to you please inform them, and a return email
indicating a improper recipient IS requested so that I may remove you
from any lists, conversations such error may have created / allowed.
Use of OpenGPG keys are highly encouraged my keys can be found @
hkp:// & hkp://
Version: GnuPG v2

websites mailing list

No comments:

Post a Comment