Re: Download verification broken

2016-05-01 Thread Corey Sheldon

On 05/01/2016 09:48 AM, Corey Sheldon wrote:
> On 04/27/2016 09:10 PM, Dan Haskell wrote:
>> Downloaded iso of the server edition. Tried to verify following 
>> instructions and failed. First your key is not certified.
> 
>>> gpg --verify-files Fedora-Server-23-x86_64-CHECKSUM
>> gpg: Signature made Fri 30 Oct 2015 01:31:05 PM PDT using RSA key ID 34EC9CBA
>> gpg: Good signature from "Fedora (23) " [unknown]
>> gpg: WARNING: This key is not certified with a trusted signature!
>> gpg:  There is no indication that the signature belongs to the owner.
>> Primary key fingerprint: EF45 5106 80FB 0232 6B04  5AFB 3247 4CF8 34EC 9CBA
> 
>> Second, it appears to be the wrong key(?)
> 
>>> ls
>> Fedora-Server-23-x86_64-CHECKSUM
>> Fedora-Server-DVD-x86_64-23.iso
> 
>>> sha256sum -c Fedora-Server-23-x86_64-CHECKSUM
>> Fedora-Server-DVD-x86_64-23.iso: OK
>> sha256sum: Fedora-Server-netinst-x86_64-23.iso: No such file or directory
>> Fedora-Server-netinst-x86_64-23.iso: FAILED open or read
>> sha256sum: WARNING: 20 lines are improperly formatted
>> sha256sum: WARNING: 1 listed file could not be read
> 
> 
>> Couldn't you just provide a md5sum instead? The gpg stuff is
>> cool and all, but when it fails... give us something to work
>> with. Clicked on support, but it's just a link to a BUNCH of
>> forums. Not helpful.
> 
>> Dan
> 
> 
>> --
>> websites mailing list
>> websites@lists.fedoraproject.org
>> http://lists.fedoraproject.org/admin/lists/websites@lists.fedoraproject.org
>
> Dan,
> 
> First, thanks for your concern and actually checking the files.
> 
> 1) The "not signed by a trusted signature" is on your end; see
> the [unknown] at the end of this line:
> 
> gpg: Good signature from "Fedora (23) " [unknown]
> 
> That indicates the signature is valid, however is NOT in your
> local key-store as a trusted key (aka Set Owner Trust is set to
> unknown / I do not know).
> 
> As an add-on to Robert's reply:
> 
> 2) The part of using an md5 from a security stance is a no-go,
> reason being multi-fold:
> 
> * md5 is known easy to spoof -- kinda defeats the purpose of
>   using it, doesn't it?
> * sha256 is irreversible crypto that takes Owner / time-stamp and
>   source file and verifies all three with the generation and check.
> * if you wish to have an md5 for local use, running (sha256sum to
>   confirm ISOs are in fact genuine)
> 
> "sha256sum {base_dir}/Fedora-Server-DVD-x86_64-23.iso" and
> "sha256sum {base_dir}/Fedora-Server-netinst-x86_64-23.iso" THEN
> 
> "md5sum {base_dir}/Fedora-Server-DVD-x86_64-23.iso > /some_local_use_hash_store" and
> 
> "md5sum {base_dir}/Fedora-Server-netinst-x86_64-23.iso >> /some_local_use_hash_store"
> 
> however, for the reasons aforementioned, the official project page
> will not be providing md5sums for its official General
> Availability release (or any release) ISOs, sorry.
> 
> In addition, failing to make available md5sum helps us prevent
> being on the unlucky end of incidents like the folks that provide
> Linux Mint back in February [1]
> 
> [1] http://blog.linuxmint.com/?p=2994
> 
> --- Warm Regards ---
> Corey Sheldon
> P: +1 (310) 909 7672
> PGP: B54B7228 (keybase) | 5A88E539 (personal) | D2264944 (fedora)
> https://gist.github.com/linux-modder/ac5dc6fa211315c633c9
> 
> Disclaimer: This document, including attachments, is intended for
> the person(s) named within and may contain confidential and/or
> legally privileged information, and may occasionally include
> Intellectual Property / Embargoed Content. It is requested that all
> emails regardless of topic or content are regarded in this manner.
> Unauthorized disclosure, copying / distribution of this information
> may be unlawful and is prohibited, including unsolicited Cc/Bcc. If
> you are not the intended recipient, please disregard and destroy
> this message and if the recipient is known to you please inform
> them, and a return email indicating an improper recipient IS
> requested so that I may remove you from any lists, conversations
> such error may have created / allowed. Use of OpenGPG keys is
> highly encouraged; my keys can be found @ hkp://keys.gnupg.net &
> hkp://keys.fedoraproject.org
> 
-- 
--- Warm Regards ---
Corey Sheldon
P: +1 (310) 909 7672
PGP: B54B7228 (keybase) | 5A88E539 (personal) | D2264944 (fedora)
https://gist.github.com/linux-modder/ac5dc6fa211315c633c9
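
The two checks discussed in this thread, as shell functions (an added example, not code from any poster or from the Fedora project): pin the key by the fingerprint shown in the gpg output instead of relying on local owner trust, then check only the downloaded ISO against the signed text. Function names are hypothetical; it assumes gpg and sha256sum are installed and the signing key has already been imported.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical;
# the pinned fingerprint is the one printed in the gpg output quoted above.
# Usage: verify_download Fedora-Server-23-x86_64-CHECKSUM ./Fedora-Server-DVD-x86_64-23.iso
FEDORA23_FPR="EF45510680FB02326B045AFB32474CF834EC9CBA"

# Reads gpg --status-fd output on stdin. Succeeds only if gpg reported
# GOODSIG (not expired, revoked or bad) and a VALIDSIG line names the pinned
# key, either as the signing key ($3) or as the primary key (last field).
# The "[unknown]" owner-trust warning plays no part once the key is pinned.
status_ok() {   # $1 = expected fingerprint, 40 hex digits, no spaces
    awk -v fpr="$1" '
        $1 == "[GNUPG:]" && $2 == "GOODSIG" { good = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == fpr || $NF == fpr) { pinned = 1 }
        END { exit (good && pinned) ? 0 : 1 }'
}

# Checks one image against a checksum list. Only the line(s) naming that
# image reach sha256sum, so images that were not downloaded and PGP armor
# lines cause no errors. No matching line is a failure, not a pass.
check_one() {   # $1 = checksum list, $2 = path to the ISO
    line=$(grep -F -e "$(basename "$2")" "$1") || return 1
    ( cd "$(dirname "$2")" && printf '%s\n' "$line" | sha256sum -c - )
}

# Full procedure: verify the clearsigned CHECKSUM file, keep only the text
# the signature covers, then check the ISO against that text.
verify_download() {   # $1 = clearsigned CHECKSUM file, $2 = path to the ISO
    signed=$(mktemp) || return 1
    gpg --status-fd 1 --yes --output "$signed" --decrypt "$1" 2>/dev/null \
        | status_ok "$FEDORA23_FPR" && check_one "$signed" "$2"
    rc=$?
    rm -f "$signed"
    return "$rc"
}
```
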

Re: Download verification broken

2016-04-30 Thread Robert Mayr
2016-04-28 3:10 GMT+02:00 Dan Haskell :

> Downloaded iso of the server edition. Tried to verify following
> instructions and failed. First your key is not certified.
>
> > gpg --verify-files Fedora-Server-23-x86_64-CHECKSUM
> gpg: Signature made Fri 30 Oct 2015 01:31:05 PM PDT using RSA key ID 34EC9CBA
> gpg: Good signature from "Fedora (23) " [unknown]
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:  There is no indication that the signature belongs to the owner.
> Primary key fingerprint: EF45 5106 80FB 0232 6B04  5AFB 3247 4CF8 34EC 9CBA
>
> Second, it appears to be the wrong key(?)
>
> > ls
> Fedora-Server-23-x86_64-CHECKSUM  Fedora-Server-DVD-x86_64-23.iso
>
> > sha256sum -c Fedora-Server-23-x86_64-CHECKSUM
> Fedora-Server-DVD-x86_64-23.iso: OK
> sha256sum: Fedora-Server-netinst-x86_64-23.iso: No such file or directory
> Fedora-Server-netinst-x86_64-23.iso: FAILED open or read
> sha256sum: WARNING: 20 lines are improperly formatted
> sha256sum: WARNING: 1 listed file could not be read
>
>
> Couldn't you just provide a md5sum instead? The gpg stuff is cool and all,
> but when it fails... give us something to work with. Clicked on support,
> but it's just a link to a BUNCH of forums. Not helpful.
>
> Dan
>
>



You have a good signature, so the ISO is ok. The rest only says the key
doesn't have a certified signature. AFAIK we will try to include some text
message in the future to give users a better resume, but won't provide
md5sum.
Regards.

-- 
Robert Mayr
(robyduck)

Download verification broken

2016-04-30 Thread Dan Haskell
Downloaded iso of the server edition. Tried to verify following 
instructions and failed. First your key is not certified.


> gpg --verify-files Fedora-Server-23-x86_64-CHECKSUM
gpg: Signature made Fri 30 Oct 2015 01:31:05 PM PDT using RSA key ID 34EC9CBA
gpg: Good signature from "Fedora (23) " [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:  There is no indication that the signature belongs to the owner.
Primary key fingerprint: EF45 5106 80FB 0232 6B04  5AFB 3247 4CF8 34EC 9CBA

Second, it appears to be the wrong key(?)

> ls
Fedora-Server-23-x86_64-CHECKSUM  Fedora-Server-DVD-x86_64-23.iso

> sha256sum -c Fedora-Server-23-x86_64-CHECKSUM
Fedora-Server-DVD-x86_64-23.iso: OK
sha256sum: Fedora-Server-netinst-x86_64-23.iso: No such file or directory
Fedora-Server-netinst-x86_64-23.iso: FAILED open or read
sha256sum: WARNING: 20 lines are improperly formatted
sha256sum: WARNING: 1 listed file could not be read


Couldn't you just provide a md5sum instead? The gpg stuff is cool and 
all, but when it fails... give us something to work with. Clicked on 
support, but it's just a link to a BUNCH of forums. Not helpful.


Dan

