FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Redhat > Fedora User

 
 
LinkBack Thread Tools
 
Old 04-05-2011, 02:43 PM
Joel Rees
 
Default verifying the boot.iso for fedora 15

How does one verify boot.iso for the alpha version?

I've imported the key file, but I don't see a proper signature or an
sha256 checksum.
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
 
Old 04-05-2011, 03:12 PM
Ed Greshko
 
Default verifying the boot.iso for fedora 15

On 04/05/2011 10:43 PM, Joel Rees wrote:
> How does one verify boot.iso for the alpha version?
>
> I've imported the key file, but I don't see a proper signature or an
> sha256 checksum.

I downloaded from a mirror and it was there....

e.g.
ftp://ftp.isu.edu.tw:0/pub/Linux/Fedora/linux/releases/test/15-Alpha/Fedora/i386/iso/Fedora-15-Alpha-i386-CHECKSUM



--
Bumper sticker: All the parts falling off this car are of the very
finest British manufacture. 葛斯克 愛德華 / 台北市八德路四段

--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
 
Old 04-05-2011, 03:14 PM
Ed Greshko
 
Default verifying the boot.iso for fedora 15

On 04/05/2011 11:12 PM, Ed Greshko wrote:
> On 04/05/2011 10:43 PM, Joel Rees wrote:
>> How does one verify boot.iso for the alpha version?
>>
>> I've imported the key file, but I don't see a proper signature or an
>> sha256 checksum.
> I downloaded from a mirror and it was there....
>
> e.g.
> ftp://ftp.isu.edu.tw:0/pub/Linux/Fedora/linux/releases/test/15-Alpha/Fedora/i386/iso/Fedora-15-Alpha-i386-CHECKSUM
>

Sorry.... That should have read...

ftp://ftp.isu.edu.tw/pub/Linux/Fedora/linux/releases/test/15-Alpha/Fedora/i386/iso/Fedora-15-Alpha-i386-CHECKSUM




--
You will gain money by an immoral action. 葛斯克 愛德華 / 台北市八德路四段

--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
 
Old 04-05-2011, 11:58 PM
Joel Rees
 
Default verifying the boot.iso for fedora 15

On Wed, Apr 6, 2011 at 12:14 AM, Ed Greshko <Ed.Greshko@greshko.com> wrote:
> On 04/05/2011 11:12 PM, Ed Greshko wrote:
>> On 04/05/2011 10:43 PM, Joel Rees wrote:
>>> How does one verify boot.iso for the alpha version?
>>>
>>> I've imported the key file, but I don't see a proper signature or an
>>> sha256 checksum.
>> I downloaded from a mirror and it was there....
>>
>> e.g.
>> ftp://ftp.isu.edu.tw:0/pub/Linux/Fedora/linux/releases/test/15-Alpha/Fedora/i386/iso/Fedora-15-Alpha-i386-CHECKSUM
>>
>
> Sorry.... *That should have read...
>
> ftp://ftp.isu.edu.tw/pub/Linux/Fedora/linux/releases/test/15-Alpha/Fedora/i386/iso/Fedora-15-Alpha-i386-CHECKSUM

Hmm.

I see that I was looking in a different place. I was looking at

linux/development/15/i386/os/images/boot.iso , and this is

linux/releases/15-Alpha/Fedora/i386/iso/Fedora-15-Alpha-i386-netinst.iso
(or the DVD).

Okay, just for fun, I played games linking (symbolic) boot.iso to
Fedora-15-Alpha-i386.iso and gpg says this:

gpg: Signature made Thu 03 Mar 2011 12:34:51 PM JST using RSA key ID 069C8460
gpg: Good signature from "Fedora (15) <fedora@fedoraproject.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 25DB B54B DED7 0987 F4C1 0042 B4EB F579 069C 8460

but I don't find either the key or the fingerprint at
https://fedoraproject.org/keys.

I guess I'm going to download the netinst iso now.

Thanks.
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
 
Old 04-06-2011, 01:38 AM
Todd Zullinger
 
Default verifying the boot.iso for fedora 15

Joel Rees wrote:
> gpg: Signature made Thu 03 Mar 2011 12:34:51 PM JST using RSA key ID 069C8460
> gpg: Good signature from "Fedora (15) <fedora@fedoraproject.org>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the owner.
> Primary key fingerprint: 25DB B54B DED7 0987 F4C1 0042 B4EB F579 069C 8460
>
> but I don't find either the key or the fingerprint at
> https://fedoraproject.org/keys.

I just pushed a fix for this to the fedora-web git repository. When
the website syncs next it should be on the /keys page. That is the
proper key and fingerprint (though I don't expect you to just take my
word for that .

The key file was already uploaded to the site. You can grab it from
https://fedoraproject.org/static/069C8460.txt or pull all the Fedora
and EPEL keys from https://fedoraproject.org/static/fedora.gpg. A
handy shortcut for getting them is:

curl https://fedoraproject.org/static/fedora.gpg | gpg --import

http://git.fedorahosted.org/git/?p=fedora-web.git;a=commitdiff;h=12f71c9c

--
Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~
To have a successful relationship, I must learn to make it look like
I'm giving as much as I'm getting.

--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
 
Old 04-06-2011, 02:14 AM
Ed Greshko
 
Default verifying the boot.iso for fedora 15

On 04/06/2011 09:38 AM, Todd Zullinger wrote:
>
> I just pushed a fix for this to the fedora-web git repository¹. When
> the website syncs next it should be on the /keys page. That is the
> proper key and fingerprint (though I don't expect you to just take my
> word for that .
>
> The key file was already uploaded to the site. You can grab it from
> https://fedoraproject.org/static/069C8460.txt or pull all the Fedora
> and EPEL keys from https://fedoraproject.org/static/fedora.gpg. A
> handy shortcut for getting them is:
>
> curl https://fedoraproject.org/static/fedora.gpg | gpg --import
>
> ¹ http://git.fedorahosted.org/git/?p=fedora-web.git;a=commitdiff;h=12f71c9c
>

????

[egreshko@meimei F15-A]$ gpg --verify *-CHECKSUM
gpg: Signature made Thu 03 Mar 2011 11:34:51 AM CST using RSA key ID
069C8460
gpg: Can't check signature: public key not found

wget https://fedoraproject.org/static/069C8460.txt

[egreshko@meimei F15-A]$ cat 069C8460.txt | gpg --import
gpg: key 069C8460: public key "Fedora (15) <fedora@fedoraproject.org>"
imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)

[egreshko@meimei F15-A]$ gpg --verify *-CHECKSUM
gpg: Signature made Thu 03 Mar 2011 11:34:51 AM CST using RSA key ID
069C8460
gpg: Good signature from "Fedora (15) <fedora@fedoraproject.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the
owner.
Primary key fingerprint: 25DB B54B DED7 0987 F4C1 0042 B4EB F579 069C 8460


--
Writing is easy; all you do is sit staring at the blank sheet of paper
until drops of blood form on your forehead. -- Gene Fowler 葛斯克 愛德華
/ 台北市八德路四段

--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
 
Old 04-06-2011, 02:22 AM
Joel Rees
 
Default verifying the boot.iso for fedora 15

Okay, Trying to verify the alpha netinst.iso, I seem to have forgotten
the way these files work, again.

----
gpg --verify Fedora-15-Alpha-i386-CHECKSUM Fedora-15-Alpha-i386-netinst.iso
gpg: not a detached signature
---

This is telling me that the CHECKSUM combines the signature and the checksum.

I looked inside the CHECKSUM (actually seeing the contents instead of
just checking that there was something there). The list of files and
checksums is in there with the signature. That's why it's not a
detached signature.

On Wed, Apr 6, 2011 at 8:58 AM, Joel Rees <joel.rees@gmail.com> wrote:
> On Wed, Apr 6, 2011 at 12:14 AM, Ed Greshko <Ed.Greshko@greshko.com> wrote:
>> On 04/05/2011 11:12 PM, Ed Greshko wrote:
>>> On 04/05/2011 10:43 PM, Joel Rees wrote:
>>>> How does one verify boot.iso for the alpha version?
>>>>
>>>> I've imported the key file, but I don't see a proper signature or an
>>>> sha256 checksum.
>>> I downloaded from a mirror and it was there....
>>>
>>> e.g.
>>> ftp://ftp.isu.edu.tw:0/pub/Linux/Fedora/linux/releases/test/15-Alpha/Fedora/i386/iso/Fedora-15-Alpha-i386-CHECKSUM
>>>
>>
>> Sorry.... *That should have read...
>>
>> ftp://ftp.isu.edu.tw/pub/Linux/Fedora/linux/releases/test/15-Alpha/Fedora/i386/iso/Fedora-15-Alpha-i386-CHECKSUM
>
> Hmm.
>
> I see that I was looking in a different place. I was looking at
>
> linux/development/15/i386/os/images/boot.iso , and this is
>
> linux/releases/15-Alpha/Fedora/i386/iso/Fedora-15-Alpha-i386-netinst.iso
> (or the DVD).
>
> Okay, just for fun, I played games linking (symbolic) boot.iso to
> Fedora-15-Alpha-i386.iso and gpg says this:

That would have been

----
ln -s boot.iso Fedora-15-Alpha-i386.iso
gpg --verify Fedora-15-Alpha-i386-CHECKSUM
----

> gpg: Signature made Thu 03 Mar 2011 12:34:51 PM JST using RSA key ID 069C8460
> gpg: Good signature from "Fedora (15) <fedora@fedoraproject.org>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: * * * * *There is no indication that the signature belongs to the owner.
> Primary key fingerprint: 25DB B54B DED7 0987 F4C1 *0042 B4EB F579 069C 8460

which tells me, that the signature on the checksums is valid. So, now
I need to actually run sha256sum or openssl sha256 on the file and
compare the signatures.

sha256sum Fedora-15-Alpha-i386.iso > checksum15.text
vi Fedora-15-Alpha-i386-CHECKSUM checksum15.text

and yy the checksum from the one and p it in the other and eyeball it
-- they match, and now I know they match.

Yep. I've forgotten how to use gpg again. I hate getting old.

> but I don't find either the key or the fingerprint at
> https://fedoraproject.org/keys.
>
> I guess I'm going to download the netinst iso now.

For what it's worth, I cmp-ed the boot.iso and the netinst.iso and
they are definitiely not the same. Not sure whether I expected them to
be.

So, now I have a netinst image with a very high probability of being
valid, and I go back and look at gPXE and the BFO stuff, and I'm more
than half thinking I want to go that route instead. Maybe.

Sorry for the noise, but I'm going to post this, to leave myself
another note. Maybe I'll someday get myself to remember that gpg does
not automatically look at the file list and run the checksum step.

Joel Rees
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
 
Old 04-06-2011, 02:33 AM
Ed Greshko
 
Default verifying the boot.iso for fedora 15

On 04/06/2011 10:22 AM, Joel Rees wrote:
> Okay, Trying to verify the alpha netinst.iso, I seem to have forgotten
> the way these files work, again.

Step 1 is to verify the signature on the CHECKSUM file....

gpg --verify *-CHECKSUM

That gives you confidence that the data in that file comes from where it
is supposed to come from and that the information is unaltered.

Step 2 is to run sha2456 against the iso file and verify it against what
is in the CHECKSUM file.

sha256sum -c Fedora-15-Alpha-i386-CHECKSUM

--
People humiliating a salami! 葛斯克 愛德華 / 台北市八德路四段

--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
 
Old 04-06-2011, 02:35 AM
Joel Rees
 
Default verifying the boot.iso for fedora 15

On Wed, Apr 6, 2011 at 10:38 AM, Todd Zullinger <tmz@pobox.com> wrote:
> Joel Rees wrote:
>> gpg: Signature made Thu 03 Mar 2011 12:34:51 PM JST using RSA key ID 069C8460
>> gpg: Good signature from "Fedora (15) <fedora@fedoraproject.org>"
>> gpg: WARNING: This key is not certified with a trusted signature!
>> gpg: * * * * *There is no indication that the signature belongs to the owner.
>> Primary key fingerprint: 25DB B54B DED7 0987 F4C1 *0042 B4EB F579 069C 8460
>>
>> but I don't find either the key or the fingerprint at
>> https://fedoraproject.org/keys.
>
> I just pushed a fix for this to the fedora-web git repository. *When
> the website syncs next it should be on the /keys page.

Thanks! I'll go check it. Checked and matched.

>*That is the
> proper key and fingerprint (though I don't expect you to just take my
> word for that .

Well, I had already, as I often do, gone to about five (this time)
sort-of randomly selected mirrors to download the checksum files and
compare them. But, yeah, having them posted also helps the confidence
level. (Which is all we can say, in the end, anyway.)

And the posting about it here gives other people who would know if
this is wrong another chance to jump in and speak up, which increases
overall confidence in the signature.

Speaking of posts, this was posted to announcements and I missed it, right? 8-p

> The key file was already uploaded to the site. *You can grab it from
> https://fedoraproject.org/static/069C8460.txt or pull all the Fedora
> and EPEL keys from https://fedoraproject.org/static/fedora.gpg. *A
> handy shortcut for getting them is:
>
> * *curl https://fedoraproject.org/static/fedora.gpg | gpg --import
>
> http://git.fedorahosted.org/git/?p=fedora-web.git;a=commitdiff;h=12f71c9c
>
> --
> Todd * * * *OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~
> To have a successful relationship, I must learn to make it look like
> I'm giving as much as I'm getting.
>
>
> --
> users mailing list
> users@lists.fedoraproject.org
> To unsubscribe or change subscription options:
> https://admin.fedoraproject.org/mailman/listinfo/users
> Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
>
>
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
 
Old 04-06-2011, 02:47 AM
Joel Rees
 
Default verifying the boot.iso for fedora 15

Ah!

On Wed, Apr 6, 2011 at 11:33 AM, Ed Greshko <Ed.Greshko@greshko.com> wrote:
> On 04/06/2011 10:22 AM, Joel Rees wrote:
>> Okay, Trying to verify the alpha netinst.iso, I seem to have forgotten
>> the way these files work, again.
>
> Step 1 is to verify the signature on the CHECKSUM file....
>
> gpg --verify *-CHECKSUM
>
> That gives you confidence that the data in that file comes from where it
> is supposed to come from and that the information is unaltered.
>
> Step 2 is to run sha2456 against the iso file and verify it against what
> is in the CHECKSUM file.
>
> sha256sum -c Fedora-15-Alpha-i386-CHECKSUM

That's where my confusion was.

sha256sum -c is what was doing the lookup and check. That's where my
memory of an automated check came from.

Which is a bit better than eyeballing because, even when you put one
above the other, sometimes you just get tired.

Thanks.

零石

> --
> People humiliating a salami! 葛斯克 愛德華 / 台北市八德路四段
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
 

Thread Tools




All times are GMT. The time now is 05:43 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org