Old 11-18-2009, 06:40 AM
susmit shannigrahi
 
FWD: SHA1 vs SHA256...

Can you please help with this?
Thanks.


---------- Forwarded message ----------
From: Jeff Shepherd <hummdis@gmail.com>
Date: Wed, Nov 18, 2009 at 1:07 PM
Subject: [Fedora-freemedia-list] SHA1 vs SHA256...
To: fedora-freemedia-list@redhat.com


Is it just me, or are the checksums to verify the Fedora 12 discs
incorrectly listed here on these pages:

https://fedoraproject.org/static/checksums/Fedora-12-i386-CHECKSUM
https://fedoraproject.org/static/checksums/Fedora-12-x86_64-CHECKSUM

The page says that it's SHA1, but my SHA1 looks nothing like those and
the SHA256 matches exactly. I've verified this on Windows & Fedora
11.

At first I thought I had a bad download, so I downloaded again, only
to find that these are not SHA1 checksums, they're SHA256.

Can anyone else confirm? Can anyone shed light as to why the page
says SHA1 when it's SHA256? How do we go about getting this
corrected?

Thanks!
Jeff

--
Jeff Shepherd
hummdis@gmail.com

Scott Adams - "Men live in a fantasy world. I know this because I am
one, and I actually receive my mail there."

Ogden Nash - "The trouble with a kitten is that when it grows up,
it's always a cat."


--
Fedora-freemedia-list mailing list
Fedora-freemedia-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-freemedia-list




--
Regards,
Susmit.

=============================================
http://www.fedoraproject.org/wiki/user:susmit
=============================================
Sent from Calcutta, WB, India

_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
 
Old 11-18-2009, 07:53 AM
Rahul Sundaram
 
FWD: SHA1 vs SHA256...

On 11/18/2009 01:10 PM, susmit shannigrahi wrote:
> Can you please help with this?
> Thanks.
>
>
> ---------- Forwarded message ----------
> From: Jeff Shepherd <hummdis@gmail.com>
> Date: Wed, Nov 18, 2009 at 1:07 PM
> Subject: [Fedora-freemedia-list] SHA1 vs SHA256...
> To: fedora-freemedia-list@redhat.com
>
>
> Is it just me, or are the checksums to verify the Fedora 12 discs
> incorrectly listed here on these pages:
>
> https://fedoraproject.org/static/checksums/Fedora-12-i386-CHECKSUM
> https://fedoraproject.org/static/checksums/Fedora-12-x86_64-CHECKSUM

Refer to

https://www.redhat.com/archives/fedora-test-list/2009-November/msg00820.html

Rahul

 
Old 11-18-2009, 08:17 AM
Allen Kistler
 
FWD: SHA1 vs SHA256...

susmit shannigrahi wrote:
> Can you please help with this?
> Thanks.
>
> ---------- Forwarded message ----------
> From: Jeff Shepherd
> Date: Wed, Nov 18, 2009 at 1:07 PM
>
> Is it just me, or are the checksums to verify the Fedora 12 discs
> incorrectly listed here on these pages:
>
> https://fedoraproject.org/static/checksums/Fedora-12-i386-CHECKSUM
> https://fedoraproject.org/static/checksums/Fedora-12-x86_64-CHECKSUM
>
> The page says that it's SHA1, but my SHA1 looks nothing like those and
> the SHA256 matches exactly. I've verified this on Windows & Fedora
> 11.
>
> At first I thought I had a bad download, so I downloaded again, only
> to find that these are not SHA1 checksums, they're SHA256.
>
> Can anyone else confirm? Can anyone shed light as to why the page
> says SHA1 when it's SHA256? How do we go about getting this
> corrected?

For the benefit of context (mind any line wrap):

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> f0ad929cd259957e160ea442eb80986b5f01daaffdbcc7e5a1840a666c4447c7 *Fedora-12-i386-DVD.iso
> 2f548ce50c459a0270e85a7d63b2383c55239bf6aead9314a0f887f3623ddace *Fedora-12-i386-disc1.iso
> ce77d16d1b3362859aaa856f1f29c7197db69264d8ce6b9f8111dcee4d5e9ef7 *Fedora-12-i386-disc2.iso
> 8c39cb9e3c1583948dcad21f9fdbe48a3ff6a8d1b536462188d47747c2640b36 *Fedora-12-i386-disc3.iso
> 07f03f67d23331e8c7a37ad19e9a99062a4584a3e028beb40c49923bb5c70c6b *Fedora-12-i386-disc4.iso
> dff8c478fb73452a8799016deeecccde3097d40a0b756d681bfe6be2e56bb9eb *Fedora-12-i386-disc5.iso
> 128112527bdd4036ec82d678b5d5362aa7a11ac15a73647afd743d7a325f7df9 *Fedora-12-i386-netinst.iso
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.5 (GNU/Linux)
>
> iQIVAwUBSvurkZ0cw0hXu8y6AQIdQw//WuT1eE5LUzN3tBnBJzMsvD90/gz1kM0A
> 4qtM+SSRjrx0MwkVkP5spO/xfkk7sncTE51Bl88lDAvpC/00b+u3MQEya9aApZyT
> CmggKB/bmozQyX3C7HbXwUIMrCRmNVkYCkgQKLQd/MK+r73dXCuHNpyfeBSuZGsy
> iCpX003Wu6U92jlwljBkgU+FrgJwAmr6b7hEurQaf2fqmN1d4Nh+llwqOEIykd5A
> Ci1ApI05NBEX/z9KG+WR+YtCuRqUwD6U5SrjBSQD86NGLcsJ49gBrbu1um3cUvlC
> YRvCjT4zDBn32au+pBKXjlQf4TrCt3SooYnmf0D+1iefrN0Sijpft+bQ26poSjkp
> pj+wnVkUg2shfm+0imiPIGos6cJRmj0o4w3CzyDs6sOIcIcYB4ohyFasczsjYT40
> LSCcKBFZXNEw8OogcoPZpp79Yr7iX0C0JQ45xgzPrDegKSLVkTvpXyHCbmd21Zkz
> oPu2kFoR+tEVPfESVFqSqnYJC/TtwokEHbaVCUEpP44L3PpGiVTqK/uZnReQRbLM
> ZuMtXRa2j3i0iSlEKfAS0L+9mvWzGzp8UOQzH7UyZgb0RKfVRYcHW0oXpfMqFD9C
> IA/0pgDQNnQRq3OPxnjHfNKAtezfNBaaU45xA9gA2olzzVrhzgXKjn3MRK2tyrlA
> XpaHoVKUVFU=
> =HttN
> -----END PGP SIGNATURE-----


"Hash: SHA1" refers to the hash in the PGP signature, not the hash
values of the iso images. The way digital signatures work, first you
take a hash of the message, which is this part:

> f0ad929cd259957e160ea442eb80986b5f01daaffdbcc7e5a1840a666c4447c7 *Fedora-12-i386-DVD.iso
> 2f548ce50c459a0270e85a7d63b2383c55239bf6aead9314a0f887f3623ddace *Fedora-12-i386-disc1.iso
> ce77d16d1b3362859aaa856f1f29c7197db69264d8ce6b9f8111dcee4d5e9ef7 *Fedora-12-i386-disc2.iso
> 8c39cb9e3c1583948dcad21f9fdbe48a3ff6a8d1b536462188d47747c2640b36 *Fedora-12-i386-disc3.iso
> 07f03f67d23331e8c7a37ad19e9a99062a4584a3e028beb40c49923bb5c70c6b *Fedora-12-i386-disc4.iso
> dff8c478fb73452a8799016deeecccde3097d40a0b756d681bfe6be2e56bb9eb *Fedora-12-i386-disc5.iso
> 128112527bdd4036ec82d678b5d5362aa7a11ac15a73647afd743d7a325f7df9 *Fedora-12-i386-netinst.iso

So what hash do you take of that? SHA1

The message body could be a uuencoded jpg of your mother kissing Mickey
Mouse at Disneyland. It doesn't matter. If it's digitally signed,
there will be a line that says "Hash: SHA1" just after the start of the
message delimiter. Don't be distracted by the fact that the message in
this case is a list of some other hash values, which happen to be SHA256.

After taking the hash of the message, you encrypt it with the private
key of the signer. That's the signature included within the signature
delimiters. The signer in this case is Fedora 12 itself with key ID
57bbccba. You can get the public GPG keys (for verification) from

https://fedoraproject.org/static/fedora.gpg

HTH

I don't subscribe to fedora-freemedia-list, so feel free to repost this
response there. Apologies to your mother, if required, as well.

 
Old 11-18-2009, 08:42 AM
Allen Kistler
 
FWD: SHA1 vs SHA256...

Rahul Sundaram wrote:
> On 11/18/2009 01:10 PM, susmit shannigrahi wrote:
>> Can you please help with this?
>> Thanks.
>>
>> ---------- Forwarded message ----------
>> From: Jeff Shepherd
>> Date: Wed, Nov 18, 2009 at 1:07 PM
>> Subject: [Fedora-freemedia-list] SHA1 vs SHA256...
>> To: fedora-freemedia-list@redhat.com
>>
>>
>> Is it just me, or are the checksums to verify the Fedora 12 discs
>> incorrectly listed here on these pages:
>>
>> https://fedoraproject.org/static/checksums/Fedora-12-i386-CHECKSUM
>> https://fedoraproject.org/static/checksums/Fedora-12-x86_64-CHECKSUM
>
> Refer to
>
> https://www.redhat.com/archives/fedora-test-list/2009-November/msg00820.html

I think that thread is talking about some other page than the one that
confused Jeff. In particular, this thread refers to changing some
string value on a page from "SHA1" to "SHA256."

1. If you alter a GPG-signed message, you've just screwed the signature,
since most of the value of the signature comes from being able to verify
that no one has changed the message.

2. Maybe it hasn't replicated, but I still see "SHA1" when I look at the
pages Jeff referenced. And BTW that's a good thing.

Or am I the one confused? I'm looking at only those pages Jeff lists above.

 
Old 11-18-2009, 12:11 PM
Todd Zullinger
 
FWD: SHA1 vs SHA256...

Allen Kistler wrote:
> I think that thread is talking about some other page than the one
> that confused Jeff. In particular, this thread refers to changing
> some string value on a page from "SHA1" to "SHA256."
>
> 1. If you alter a GPG-signed message, you've just screwed the
> signature, since most of the value of the signature comes from being
> able to verify that no one has changed the message.
>
> 2. Maybe it hasn't replicated, but I still see "SHA1" when I look at
> the pages Jeff referenced. And BTW that's a good thing.
>
> Or am I the one confused? I'm looking at only those pages Jeff
> lists above.

That thread is on the mark. The fix that Jesse is referring to is
likely that we'll add some text to the *CHECKSUM files explaining what
checksum tool to use for verification, perhaps pointing to the page at
https://fedoraproject.org/verify and some large print that says "USE
sha256sum TO VERIFY THE CHECKSUMS, DESPITE ANY PGP 'Hash:' LINE YOU
MAY SEE AND THINK YOU UNDERSTAND."

Unfortunately, many, many people confuse the 'Hash: SHA1' line which
is part of the PGP signature with the SHA256 checksum data that is in
the *CHECKSUM files. It would almost be better to just have
detached PGP signature files. That way, those who are not familiar
with PGP would not ever see a 'Hash: SHA1' line to confuse them.

Oddly, at some point the PGP signatures will be made using SHA256 as
well and that will then match the checksum used for the .iso files.
But as long as people conflate the PGP Hash header and the checksum
used to create the clearsigned data, we'll have this problem.

We've gotten a _lot_ of this question at the webmaster address. I
never realized how many people made the flawed assumption that the PGP
Hash: header had anything to do with the checksum data in the files.

Please spread the message as much as possible that they are NOT
related in ANY way.

--
Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Truth is like a well-known whore. Everybody knows her but it's
embarrassing to meet her in the street.
-- Wolfgang Borchert

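The two points made in this thread, Allen's (the PGP "Hash:" armor header names the digest over the signed text, so it changes if the text is edited, while the body lines are SHA-256 checksums) and Todd's (verify the ISOs with sha256sum regardless of what the "Hash:" line says), can be separated mechanically. The following is an added example written for this archive page, not Fedora's own tooling or anything posted in the thread. It parses a clearsigned *-CHECKSUM file into its armor header, signed text and signature block, identifies the per-file checksum algorithm from the hex length of each line, and checks file contents against it. The CHECKSUM file, the file contents and the signature block are all constructed in the code; the signature is a placeholder, so the real cryptographic check, `gpg --verify` against the key from https://fedoraproject.org/static/fedora.gpg, is not performed here and still has to be run separately.

```python
"""Separate the two digests in a clearsigned Fedora *-CHECKSUM file: the one
named by the PGP 'Hash:' armor header (digest of the signed text, used by the
signature) and the coreutils-style per-file checksums in the body, whose
algorithm follows from their hex length (64 hex digits = SHA-256).
Added example for this thread; not Fedora's own tooling."""
import hashlib
import re

# Algorithm implied by the number of hex digits in a checksum line.
HEX_DIGEST_LENGTHS = {32: "MD5", 40: "SHA1", 56: "SHA224",
                      64: "SHA256", 96: "SHA384", 128: "SHA512"}
# '<hex>  <file>' (text mode) or '<hex> *<file>' (binary), as sha256sum prints.
CHECKSUM_LINE = re.compile(r"^([0-9a-fA-F]+) [ *](\S.*)$")


def parse_clearsigned(text):
    """Split a clearsigned message (RFC 4880 s7) into
    (hash_header, body_lines, signature_lines)."""
    lines = text.splitlines()
    try:
        start = lines.index("-----BEGIN PGP SIGNED MESSAGE-----")
        sig_start = lines.index("-----BEGIN PGP SIGNATURE-----", start)
        sig_end = lines.index("-----END PGP SIGNATURE-----", sig_start)
    except ValueError as exc:
        raise ValueError("not a PGP clearsigned message") from exc
    hash_header = None
    i = start + 1
    while i < sig_start and lines[i] != "":  # armor headers end at a blank line
        key, _, value = lines[i].partition(":")
        if key.strip() == "Hash":
            hash_header = value.strip()
        i += 1
    # The signed text follows the blank line; undo the dash-escaping of body
    # lines that themselves begin with '-' (RFC 4880 s7.1).
    body = [l[2:] if l.startswith("- ") else l for l in lines[i + 1:sig_start]]
    return hash_header, body, lines[sig_start:sig_end + 1]


def signed_text_digest(hash_header, body):
    """Digest of the signed text as the signature covers it: trailing whitespace
    stripped, CRLF line endings, none after the last line (RFC 4880 s7.1).
    OpenPGP also hashes a signature trailer after this text, so this is not the
    value inside the signature packet; it shows which bytes 'Hash:' refers to
    and that any edit to the body changes them."""
    canonical = "\r\n".join(line.rstrip(" \t") for line in body).encode()
    return hashlib.new(hash_header.lower(), canonical).hexdigest()


def parse_checksum_lines(body):
    """Return [(algorithm, hexdigest, filename)] for each checksum line in the
    signed text; explanatory text lines are skipped."""
    found = []
    for line in body:
        m = CHECKSUM_LINE.match(line)
        if m and len(m.group(1)) in HEX_DIGEST_LENGTHS:
            digest = m.group(1).lower()
            found.append((HEX_DIGEST_LENGTHS[len(digest)], digest, m.group(2)))
    return found


def verify_files(checksums, files):
    """Check in-memory contents ({name: bytes}) against the listed checksums,
    using the algorithm implied by each digest's length."""
    results = {}
    for alg, expected, name in checksums:
        data = files.get(name)
        if data is None:
            results[name] = "MISSING"
        else:
            actual = hashlib.new(alg.lower(), data).hexdigest()
            results[name] = "OK" if actual == expected else "FAILED"
    return results


# Constructed stand-ins for the ISO images (not real Fedora data).
FILES = {
    "Fedora-12-i386-DVD.iso": b"constructed DVD image bytes\n",
    "Fedora-12-i386-netinst.iso": b"constructed netinst image bytes\n",
}


def build_sample():
    """CHECKSUM file in the Fedora 12 layout: one correct SHA-256 line, one
    deliberately wrong one, and a placeholder (unverifiable) signature."""
    good = hashlib.sha256(FILES["Fedora-12-i386-DVD.iso"]).hexdigest()
    return "\n".join([
        "-----BEGIN PGP SIGNED MESSAGE-----",
        "Hash: SHA1",
        "",
        f"{good} *Fedora-12-i386-DVD.iso",
        f"{'0' * 64} *Fedora-12-i386-netinst.iso",
        "-----BEGIN PGP SIGNATURE-----",
        "Version: GnuPG v1.4.5 (GNU/Linux)",
        "",
        "PLACEHOLDERnotARealSignature==",
        "-----END PGP SIGNATURE-----",
    ])


if __name__ == "__main__":
    hdr, body, _sig = parse_clearsigned(build_sample())
    sums = parse_checksum_lines(body)
    print("digest named by 'Hash:' header (signature):", hdr)
    print("checksum algorithm(s) in body:", sorted({a for a, _, _ in sums}))
    for name, status in verify_files(sums, FILES).items():
        print(name, status)
```

Running it prints `SHA1` for the header and `['SHA256']` for the body, with the DVD line reported OK and the deliberately wrong netinst line FAILED, which is exactly the split the thread is about. Because the checksum algorithm is taken from the digest length rather than from the "Hash:" line, the same parser handles a 40-hex SHA-1 list or a future file whose signature is also made with SHA-256, as Todd anticipates.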
 
