Sunday, May 1, 2016

Re: Download verification broken

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 05/01/2016 09:48 AM, Corey Sheldon wrote:
> On 04/27/2016 09:10 PM, Dan Haskell wrote:
>> Downloaded iso of the server edition. Tried to verify following
>> instructions and failed. First your key is not certified.
>
>>> gpg --verify-files Fedora-Server-23-x86_64-CHECKSUM
>> gpg: Signature made Fri 30 Oct 2015 01:31:05 PM PDT using RSA key ID 34EC9CBA
>> gpg: Good signature from "Fedora (23) <fedora-23-primary@fedoraproject.org>" [unknown]
>> gpg: WARNING: This key is not certified with a trusted signature!
>> gpg:          There is no indication that the signature belongs to the owner.
>> Primary key fingerprint: EF45 5106 80FB 0232 6B04 5AFB 3247 4CF8 34EC 9CBA
>
>> Second, it appears to be the wrong key(?)
>
>>> ls
>> Fedora-Server-23-x86_64-CHECKSUM
>> Fedora-Server-DVD-x86_64-23.iso
>
>>> sha256sum -c Fedora-Server-23-x86_64-CHECKSUM
>> Fedora-Server-DVD-x86_64-23.iso: OK
>> sha256sum: Fedora-Server-netinst-x86_64-23.iso: No such file or directory
>> Fedora-Server-netinst-x86_64-23.iso: FAILED open or read
>> sha256sum: WARNING: 20 lines are improperly formatted
>> sha256sum: WARNING: 1 listed file could not be read
>
>
>> Couldn't you just provide a md5sum instead? The gpg stuff is
>> cool and all, but when it fails... give us something to work
>> with. Clicked on support, but it's just a link to a BUNCH of
>> forums. Not helpful.
>
>> Dan
>
>
>> --
>> websites mailing list
>> websites@lists.fedoraproject.org
>> http://lists.fedoraproject.org/admin/lists/websites@lists.fedoraproject.org
>
> Dan,
>
> First, thanks for your concern and actually checking the files.
>
>
> 1) The "not signed by a trusted signature" is on your end; see
> the [unknown] at the end of this line:
>
> gpg: Good signature from "Fedora (23) <fedora-23-primary@fedoraproject.org>" [unknown]
>
> That indicates the signature is valid, however it is NOT in your
> local key-store as a trusted key (aka Set Owner Trust is set to
> unknown / I do not know).
>
>
> As an add-on to Robert's reply:
>
> 2) the part of using an md5 from a security stance is a no-go,
> the reasons being multi-fold:
> * md5 is known easy to spoof -- kinda defeats the purpose of
>   using it, doesn't it.
> * sha256 is irreversible crypto that takes Owner / time-stamp and
>   source file and verifies all three with the generation and check.
> * if you wish to have an md5 for local use, run (sha256sum to
>   confirm ISOs are in fact genuine)
>
> "sha256sum {base_dir}/Fedora-Server-DVD-x86_64-23.iso" and
> "sha256sum {base_dir}/Fedora-Server-netinst-x86_64-23.iso" THEN
>
> "md5sum {base_dir}/Fedora-Server-DVD-x86_64-23.iso >
> /some_local_use_hash_store" and
>
> "md5sum {base_dir}/Fedora-Server-netinst-x86_64-23.iso >>
> /some_local_use_hash_store"
>
> However, for the reasons aforementioned, the official project page
> will not be providing md5sums for its official General
> Availability release (or any release) ISOs, sorry.
>
> In addition, failing to make available md5sum helps us prevent
> being on the unlucky end of incidents like the folks that provide
> Linux Mint back in February [1].
>
>
>
> [1] http://blog.linuxmint.com/?p=2994
>
>
> ---Warm Regards --- Corey Sheldon P: +1 (310) 909 7672 PGP:
> B54B7228 (keybase) | 5A88E539 (personal) | D2264944 (fedora)
> https://gist.github.com/linux-modder/ac5dc6fa211315c633c9
>
> Disclaimer: This document, including attachments, is intended for
> the person(s) named within and may contain confidential and/or
> legally privileged information, and may occasionally include
> Intellectual Property / Embargoed Content. It is requested that all
> emails regardless of topic or content are regarded in this manner.
> Unauthorized disclosure, copying / distribution of this information
> may be unlawful and is prohibited, including unsolicited Cc/Bcc. If
> you are not the intended recipient, please disregard and destroy
> this message and if the recipient is known to you please inform
> them, and a return email indicating an improper recipient IS
> requested so that I may remove you from any lists, conversations
> such error may have created / allowed. Use of OpenGPG keys is
> highly encouraged; my keys can be found @ hkp://keys.gnupg.net &
> hkp://keys.fedoraproject.org

>
>
- --
- --- Warm Regards ---
Corey Sheldon
P: +1 (310) 909 7672
PGP: B54B7228 (keybase) | 5A88E539 (personal) | D2264944 (fedora)
https://gist.github.com/linux-modder/ac5dc6fa211315c633c9

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iF4EARYIAAYFAlcmCgkACgkQrio19Q2QBZC/0QEAwOabk3nSl/6Zcnj7exx48aAK
OWHN/0bmOKBH8APqCYkA/j72HSCluHyhAFuYG3SGppBo3V7iQyBOuhAfz9HgfogP
=tUbC
-----END PGP SIGNATURE-----
--
websites mailing list
websites@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/websites@lists.fedoraproject.org
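
The two checks discussed in this thread, as an added example that is not part of the original messages: confirm the CHECKSUM signature comes from the key whose fingerprint gpg printed above (instead of reading the local [unknown] trust label), then verify only the ISOs actually downloaded. The helper names `signed_by`, `check_present` and `demo` are hypothetical, the gpg status lines and CHECKSUM contents are constructed samples, and GNU coreutils `sha256sum` with `--ignore-missing` is assumed.

```shell
#!/bin/sh
# Added example (not from the thread); helper names are hypothetical.

# Fingerprint printed in the gpg output quoted above, spaces removed.
EXPECTED_FPR=EF45510680FB02326B045AFB32474CF834EC9CBA

# stdin: output of `gpg --status-fd 1 --verify FILE`. Succeeds only if gpg
# reported a valid signature made by the key with fingerprint $1. The
# [unknown] trust label is ignored on purpose: it describes the local
# trust database, not the signature.
signed_by() {
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            fpr = (NF >= 12) ? $12 : $3   # primary key fpr when present
            if (fpr == want) ok = 1
        }
        END { exit !ok }'
}

# $1: CHECKSUM file, PGP armor still attached. Feeds only the checksum
# lines (BSD or GNU style) to sha256sum and skips ISOs not downloaded.
check_present() {
    grep -E '^(SHA256 \(.+\) = [0-9a-f]{64}|[0-9a-f]{64} [ *].+)$' "$1" |
        sha256sum -c --strict --ignore-missing --quiet
}

# Constructed sample data, so the script runs offline without gpg.
demo() (
    dir=$(mktemp -d) && cd "$dir" || exit 1
    printf 'constructed stand-in for the DVD image\n' > Fedora-Server-DVD-x86_64-23.iso
    sum=$(sha256sum Fedora-Server-DVD-x86_64-23.iso | cut -d' ' -f1)
    zeros=$(printf '%064d' 0)
    cat > CHECKSUM <<EOF
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

SHA256 (Fedora-Server-DVD-x86_64-23.iso) = $sum
SHA256 (Fedora-Server-netinst-x86_64-23.iso) = $zeros
-----BEGIN PGP SIGNATURE-----
(constructed placeholder, not a real signature)
-----END PGP SIGNATURE-----
EOF
    status="[GNUPG:] GOODSIG 32474CF834EC9CBA Fedora (23)
[GNUPG:] VALIDSIG $EXPECTED_FPR 2015-10-30 1446237065 0 4 0 1 8 01 $EXPECTED_FPR
[GNUPG:] TRUST_UNDEFINED"
    printf '%s\n' "$status" | signed_by "$EXPECTED_FPR" && check_present CHECKSUM
)
demo && echo "signature key matches, present ISO verified"
```

Filtering out the armor lines is what removes the "improperly formatted" warnings, and `--ignore-missing` is what removes the "No such file or directory" failure for the netinst image that was never downloaded.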
