Neal H. Walfield via devel wrote:
> The fundamental issue is the following. Fedora's verification recipe
> instructs the user to use the signature to verify the checksum file,
> and then to use sha256sum with the original checksum file to verify
> the iso:
>
> gpgv --keyring ./fedora.gpg Fedora-Workstation-43-1.6-x86_64-CHECKSUM
> sha256sum --ignore-missing -c Fedora-Workstation-43-1.6-x86_64-CHECKSUM
>
> This is wrong. sha256sum must use the verified data to verify the
> iso.
You're right so far. The instructions are dangerously wrong.
> the above command does not work for me:
>
> $ gpgv --keyring ./fedora.gpg Fedora-Workstation-43-1.6-x86_64-CHECKSUM --output -
> gpgv: Packet type 63 not allowed in detached signature
> gpgv: no valid OpenPGP data found.
> gpgv: verify signatures failed: Unexpected error
The error message I get is "not a detached signature". This is because
gpgv thinks you want to verify a file named "--output". You must put
all options before the input filename:
  gpgv --keyring ./fedora.gpg --output - Fedora-Workstation-43-1.6-x86_64-CHECKSUM
> As far as I can tell, gpgv cannot be convinced to do the right thing.
Thank you for illustrating how confusing an idiosyncratic command line
syntax can be. Allowing parameters in any order would be more user-
friendly.
There are lots of other programs that also require parameters in a
particular order, and expect the user to know the correct syntax.
Sequoia is one of them. This does not work:
$ sq --signer-file ./fedora.gpg verify --cleartext Fedora-Workstation-43-1.6-x86_64-CHECKSUM
error: unexpected argument '--signer-file' found
tip: a similar argument exists: '--password-file'
Usage: sq <COMMAND>
For more information, try '--help'.
> Another approach would be to directly sign the iso instead of the
> checksum file.
Absolutely. The sha256sum detour adds only complexity and pitfalls. A
detached signature of the ISO file would be much easier and safer for
the user.
See also:
https://gnupg.org/blog/20251226-cleartext-signatures.html
> Further, the user should still use the
> verified data, not the original file
A detached signature is verified against the whole data file, so
there's no difference between the verified data and the original file.
Only clearsigned text files have the problem that unsigned text can be
misunderstood as part of the signed message.
Björn Persson
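Added example, not part of the original message or of Fedora's instructions: a shell function that runs gpgv with the options placed before the input file, as in the reply above, and then gives sha256sum only the text gpgv wrote out, never the original CHECKSUM file. The function name verify_iso and the temporary file name are assumptions, and the ISO is expected to sit in the same directory as the CHECKSUM file.

```sh
#!/bin/sh
# verify_iso KEYRING CHECKSUM_FILE
# Hypothetical helper (the name is an assumption). The ISO is expected to
# sit in the same directory as CHECKSUM_FILE.
verify_iso() {
    keyring=$1
    checksum_file=$2

    # Fresh private directory, so the output path does not exist yet and
    # cannot have been created by someone else.
    tmpdir=$(mktemp -d) || return 1
    verified=$tmpdir/CHECKSUM.verified

    # All options go before the input file name. --output makes gpgv
    # write the signed text to $verified.
    if ! gpgv --keyring "$keyring" --output "$verified" "$checksum_file"; then
        echo "signature check failed: $checksum_file" >&2
        rm -rf "$tmpdir"
        return 1
    fi

    # Check the ISO against the verified copy, not the original file.
    # With --ignore-missing, sha256sum fails when none of the listed
    # files is present, so a verified list without the ISO is rejected.
    ( cd "$(dirname "$checksum_file")" &&
      sha256sum --ignore-missing -c "$verified" )
    rc=$?

    rm -rf "$tmpdir"
    return $rc
}

# Example call:
#   verify_iso ./fedora.gpg ./Fedora-Workstation-43-1.6-x86_64-CHECKSUM
```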
