Can you please help with this? Thanks.
---------- Forwarded message ----------
From: Jeff Shepherd hummdis@gmail.com
Date: Wed, Nov 18, 2009 at 1:07 PM
Subject: [Fedora-freemedia-list] SHA1 vs SHA256...
To: fedora-freemedia-list@redhat.com
Is it just me, or are the checksums to verify the Fedora 12 discs incorrectly listed here on these pages:
https://fedoraproject.org/static/checksums/Fedora-12-i386-CHECKSUM
https://fedoraproject.org/static/checksums/Fedora-12-x86_64-CHECKSUM
The page says that it's SHA1, but my SHA1 looks nothing like those and the SHA256 matches exactly. I've verified this on Windows & Fedora 11.
At first I thought I had a bad download, so I downloaded again, only to find that these are not SHA1 checksums, they're SHA256.
Can anyone else confirm? Can anyone shed light as to why the page says SHA1 when it's SHA256? How do we go about getting this corrected?
Thanks! Jeff
-- Jeff Shepherd hummdis@gmail.com
Scott Adams - "Men live in a fantasy world. I know this because I am one, and I actually receive my mail there."
Ogden Nash - "The trouble with a kitten is that when it grows up, it's always a cat."
-- Fedora-freemedia-list mailing list Fedora-freemedia-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-freemedia-list
On 11/18/2009 01:10 PM, susmit shannigrahi wrote:
Can you please help with this? Thanks.
---------- Forwarded message ----------
From: Jeff Shepherd hummdis@gmail.com
Date: Wed, Nov 18, 2009 at 1:07 PM
Subject: [Fedora-freemedia-list] SHA1 vs SHA256...
To: fedora-freemedia-list@redhat.com
Is it just me, or are the checksums to verify the Fedora 12 discs incorrectly listed here on these pages:
https://fedoraproject.org/static/checksums/Fedora-12-i386-CHECKSUM
https://fedoraproject.org/static/checksums/Fedora-12-x86_64-CHECKSUM
Refer to
https://www.redhat.com/archives/fedora-test-list/2009-November/msg00820.html
Rahul
Rahul Sundaram wrote:
On 11/18/2009 01:10 PM, susmit shannigrahi wrote:
Can you please help with this? Thanks.
---------- Forwarded message ----------
From: Jeff Shepherd
Date: Wed, Nov 18, 2009 at 1:07 PM
Subject: [Fedora-freemedia-list] SHA1 vs SHA256...
To: fedora-freemedia-list@redhat.com
Is it just me, or are the checksums to verify the Fedora 12 discs incorrectly listed here on these pages:
https://fedoraproject.org/static/checksums/Fedora-12-i386-CHECKSUM
https://fedoraproject.org/static/checksums/Fedora-12-x86_64-CHECKSUM
Refer to
https://www.redhat.com/archives/fedora-test-list/2009-November/msg00820.html
I think that thread is talking about some other page than the one that confused Jeff. In particular, this thread refers to changing some string value on a page from "SHA1" to "SHA256."
1. If you alter a GPG-signed message, you've just screwed the signature, since most of the value of the signature comes from being able to verify that no one has changed the message.
2. Maybe it hasn't replicated, but I still see "SHA1" when I look at the pages Jeff referenced. And BTW that's a good thing.
Or am I the one confused? I'm looking at only those pages Jeff lists above.
Allen Kistler wrote:
I think that thread is talking about some other page than the one that confused Jeff. In particular, this thread refers to changing some string value on a page from "SHA1" to "SHA256."
- If you alter a GPG-signed message, you've just screwed the signature, since most of the value of the signature comes from being able to verify that no one has changed the message.
- Maybe it hasn't replicated, but I still see "SHA1" when I look at the pages Jeff referenced. And BTW that's a good thing.
Or am I the one confused? I'm looking at only those pages Jeff lists above.
That thread is on the mark. The fix that Jesse is referring to is likely that we'll add some text to the *CHECKSUM files explaining what checksum tool to use for verification, perhaps pointing to the page at https://fedoraproject.org/verify and some large print that says "USE sha256sum TO VERIFY THE CHECKSUMS, DESPITE ANY PGP 'Hash:' LINE YOU MAY SEE AND THINK YOU UNDERSTAND." :)
Unfortunately, many, many people confuse the 'Hash: SHA1' line which is part of the PGP signature with the SHA256 checksum data that is in the *CHECKSUM files. It would almost be better to just have detached PGP signature files. That way, those who are not familiar with PGP would not ever see a 'Hash: SHA1' line to confuse them.
Oddly, at some point the PGP signatures will be made using SHA256 as well and that will then match the checksum used for the .iso files. But as long as people conflate the PGP Hash header and the checksum used to create the clearsigned data, we'll have this problem.
We've gotten a _lot_ of this question at the webmaster address. I never realized how many people made the flawed assumption that the PGP Hash: header had anything to do with the checksum data in the files.
Please spread the message as much as possible that they are NOT related in ANY way.
Hi
I am Vivek from Pune, working for HP India. Will you please tell me what error you are receiving and what exactly the issue is? Are you installing the Fedora RPM package or the non-RPM package?
On Wed, Nov 18, 2009 at 1:10 PM, susmit shannigrahi <thinklinux.ssh@gmail.com> wrote:
Can you please help with this? Thanks.
---------- Forwarded message ----------
From: Jeff Shepherd hummdis@gmail.com
Date: Wed, Nov 18, 2009 at 1:07 PM
Subject: [Fedora-freemedia-list] SHA1 vs SHA256...
To: fedora-freemedia-list@redhat.com
Is it just me, or are the checksums to verify the Fedora 12 discs incorrectly listed here on these pages:
https://fedoraproject.org/static/checksums/Fedora-12-i386-CHECKSUM
https://fedoraproject.org/static/checksums/Fedora-12-x86_64-CHECKSUM
The page says that it's SHA1, but my SHA1 looks nothing like those and the SHA256 matches exactly. I've verified this on Windows & Fedora 11.
At first I thought I had a bad download, so I downloaded again, only to find that these are not SHA1 checksums, they're SHA256.
Can anyone else confirm? Can anyone shed light as to why the page says SHA1 when it's SHA256? How do we go about getting this corrected?
Thanks! Jeff
-- Regards, Susmit.
============================================= http://www.fedoraproject.org/wiki/user:susmit ============================================= Sent from Calcutta, WB, India
Fedora-infrastructure-list mailing list Fedora-infrastructure-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
susmit shannigrahi wrote:
Can you please help with this? Thanks.
---------- Forwarded message ----------
From: Jeff Shepherd
Date: Wed, Nov 18, 2009 at 1:07 PM
Is it just me, or are the checksums to verify the Fedora 12 discs incorrectly listed here on these pages:
https://fedoraproject.org/static/checksums/Fedora-12-i386-CHECKSUM
https://fedoraproject.org/static/checksums/Fedora-12-x86_64-CHECKSUM
The page says that it's SHA1, but my SHA1 looks nothing like those and the SHA256 matches exactly. I've verified this on Windows & Fedora 11.
At first I thought I had a bad download, so I downloaded again, only to find that these are not SHA1 checksums, they're SHA256.
Can anyone else confirm? Can anyone shed light as to why the page says SHA1 when it's SHA256? How do we go about getting this corrected?
For the benefit of context (mind any line wrap):
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

f0ad929cd259957e160ea442eb80986b5f01daaffdbcc7e5a1840a666c4447c7 *Fedora-12-i386-DVD.iso
2f548ce50c459a0270e85a7d63b2383c55239bf6aead9314a0f887f3623ddace *Fedora-12-i386-disc1.iso
ce77d16d1b3362859aaa856f1f29c7197db69264d8ce6b9f8111dcee4d5e9ef7 *Fedora-12-i386-disc2.iso
8c39cb9e3c1583948dcad21f9fdbe48a3ff6a8d1b536462188d47747c2640b36 *Fedora-12-i386-disc3.iso
07f03f67d23331e8c7a37ad19e9a99062a4584a3e028beb40c49923bb5c70c6b *Fedora-12-i386-disc4.iso
dff8c478fb73452a8799016deeecccde3097d40a0b756d681bfe6be2e56bb9eb *Fedora-12-i386-disc5.iso
128112527bdd4036ec82d678b5d5362aa7a11ac15a73647afd743d7a325f7df9 *Fedora-12-i386-netinst.iso
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iQIVAwUBSvurkZ0cw0hXu8y6AQIdQw//WuT1eE5LUzN3tBnBJzMsvD90/gz1kM0A
4qtM+SSRjrx0MwkVkP5spO/xfkk7sncTE51Bl88lDAvpC/00b+u3MQEya9aApZyT
CmggKB/bmozQyX3C7HbXwUIMrCRmNVkYCkgQKLQd/MK+r73dXCuHNpyfeBSuZGsy
iCpX003Wu6U92jlwljBkgU+FrgJwAmr6b7hEurQaf2fqmN1d4Nh+llwqOEIykd5A
Ci1ApI05NBEX/z9KG+WR+YtCuRqUwD6U5SrjBSQD86NGLcsJ49gBrbu1um3cUvlC
YRvCjT4zDBn32au+pBKXjlQf4TrCt3SooYnmf0D+1iefrN0Sijpft+bQ26poSjkp
pj+wnVkUg2shfm+0imiPIGos6cJRmj0o4w3CzyDs6sOIcIcYB4ohyFasczsjYT40
LSCcKBFZXNEw8OogcoPZpp79Yr7iX0C0JQ45xgzPrDegKSLVkTvpXyHCbmd21Zkz
oPu2kFoR+tEVPfESVFqSqnYJC/TtwokEHbaVCUEpP44L3PpGiVTqK/uZnReQRbLM
ZuMtXRa2j3i0iSlEKfAS0L+9mvWzGzp8UOQzH7UyZgb0RKfVRYcHW0oXpfMqFD9C
IA/0pgDQNnQRq3OPxnjHfNKAtezfNBaaU45xA9gA2olzzVrhzgXKjn3MRK2tyrlA
XpaHoVKUVFU=
=HttN
-----END PGP SIGNATURE-----
"Hash: SHA1" refers to the hash in the PGP signature, not the hash values of the iso images. The way digital signatures work, first you take a hash of the message, which is this part:
f0ad929cd259957e160ea442eb80986b5f01daaffdbcc7e5a1840a666c4447c7 *Fedora-12-i386-DVD.iso
2f548ce50c459a0270e85a7d63b2383c55239bf6aead9314a0f887f3623ddace *Fedora-12-i386-disc1.iso
ce77d16d1b3362859aaa856f1f29c7197db69264d8ce6b9f8111dcee4d5e9ef7 *Fedora-12-i386-disc2.iso
8c39cb9e3c1583948dcad21f9fdbe48a3ff6a8d1b536462188d47747c2640b36 *Fedora-12-i386-disc3.iso
07f03f67d23331e8c7a37ad19e9a99062a4584a3e028beb40c49923bb5c70c6b *Fedora-12-i386-disc4.iso
dff8c478fb73452a8799016deeecccde3097d40a0b756d681bfe6be2e56bb9eb *Fedora-12-i386-disc5.iso
128112527bdd4036ec82d678b5d5362aa7a11ac15a73647afd743d7a325f7df9 *Fedora-12-i386-netinst.iso
So what hash do you take of that? SHA1
The message body could be a uuencoded jpg of your mother kissing Mickey Mouse at Disneyland. It doesn't matter. If it's digitally signed, there will be a line that says "Hash: SHA1" just after the start of the message delimiter. Don't be distracted by the fact that the message in this case is a list of some other hash values, which happen to be SHA256.
After taking the hash of the message, you encrypt it with the private key of the signer. That's the signature included within the signature delimiters. The signer in this case is Fedora 12 itself with key ID 57bbccba. You can get the public GPG keys (for verification) from
https://fedoraproject.org/static/fedora.gpg
HTH
I don't subscribe to fedora-freemedia-list, so feel free to repost this response there. Apologies to your mother, if required, as well.
infrastructure@lists.fedoraproject.org
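An added example, not from this thread or from the Fedora project, that puts the two points made above into code: the reply about the *CHECKSUM files (the PGP "Hash:" line has nothing to do with the digests listed in them) and Allen's walk-through of the clearsigned layout. It parses a file in that layout, records the "Hash:" header only as information, chooses the digest algorithm from the length of each listed value, and verifies stand-in image bytes against it. The file names, image contents and the signature block are constructed placeholders; the function and variable names are this example's own.

```python
import hashlib
import re

# Digest hex length -> algorithm; the PGP "Hash:" header is never consulted.
_ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
_DIGEST_LINE = re.compile(r"^([0-9a-fA-F]{32,128}) [ *](\S+)$")
_BODY = re.compile(r"-----BEGIN PGP SIGNED MESSAGE-----\n(.*?)-----BEGIN PGP SIGNATURE-----", re.S)

def parse_checksum_file(text):
    """Return (pgp_hash_header, {filename: (algorithm, hexdigest)}) from the clearsigned body."""
    m = _BODY.search(text)
    body = m.group(1) if m else text  # tolerate a plain, unsigned checksum list too
    header, entries = None, {}
    for line in body.splitlines():
        if line.startswith("Hash:"):
            header = line.split(":", 1)[1].strip()  # signature digest, informational only
        elif (d := _DIGEST_LINE.match(line)) and len(d.group(1)) in _ALGO_BY_HEX_LEN:
            digest = d.group(1).lower()
            entries[d.group(2)] = (_ALGO_BY_HEX_LEN[len(digest)], digest)
    return header, entries

def verify_image(data, name, entries):
    """Hash the image bytes with the algorithm implied by its listed digest and compare."""
    algo, expected = entries[name]
    return hashlib.new(algo, data).hexdigest() == expected

# Constructed stand-in image contents; a real run would read the .iso files from disk.
FAKE_IMAGES = {
    "Example-12-i386-disc1.iso": b"constructed disc1 contents\n",
    "Example-12-i386-netinst.iso": b"constructed netinst contents\n",
}

def build_sample_checksum():
    """Constructed CHECKSUM text: SHA-256 digests inside a clearsigned wrapper whose Hash: says SHA1."""
    lines = ["-----BEGIN PGP SIGNED MESSAGE-----", "Hash: SHA1", ""]
    lines += [f"{hashlib.sha256(d).hexdigest()} *{n}" for n, d in FAKE_IMAGES.items()]
    lines += ["-----BEGIN PGP SIGNATURE-----", "(placeholder, not a real signature)",
              "-----END PGP SIGNATURE-----"]
    return "\n".join(lines) + "\n"

def demo():
    """Parse the sample and verify every stand-in image; returns (header, entries, results)."""
    header, entries = parse_checksum_file(build_sample_checksum())
    results = {n: verify_image(d, n, entries) for n, d in FAKE_IMAGES.items()}
    return header, entries, results

if __name__ == "__main__":
    h, e, r = demo()
    print(f"PGP 'Hash: {h}' is the signature digest; listed digests: {e}; verified: {r}")
```

The example does not check the PGP signature itself; that is gpg's job against the key at the URL above, and it is what confirms the list was not altered.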