[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: sha256sun



Aldo Foot wrote:
> The filename "Fedora-11-i386-CHECKSUM" is arbitrary. You can call it
> anything you want as long as it has the contents of the GPG key
> provided by the distro[1], just click on the checksum link and copy
> its contents to a text file.
>
> [1] http://mirrors.kernel.org/fedora/releases/11/Fedora/i386/iso/

At the risk of causing more confusion, I don't think that's correct.
The contents of the GPG key are _not_ included in the *CHECKSUM files.
The contents are the sha256sum hashes of the files in release, and
they are signed with gpg so that you can first verify that the
CHECKSUM file came from the Fedora Project and then feel confident
using the file to verify the checksums of the .iso files.

The steps to do this are covered at https://fedoraproject.org/verify .

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Life swings like a pendulum backward and forward between pain and
boredom.
    -- Arthur Schopenhauer

Attachment: pgpF7chcncZqh.pgp
Description: PGP signature


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]