Web Page Download verification for windows

Todd Zullinger tmz at pobox.com
Tue Dec 29 05:07:32 UTC 2009


Hi Robert,

Robert McIntyre wrote:
> I am using HashCalc and I believe that your web page:
> https://fedoraproject.org/static/checksums/Fedora-12-i386-CHECKSUM
>
> Provides invalid information. The hash below is a SHA256 vice a SHA1
> as stated in the quote below from your
> https://fedoraproject.org/static/checksums/Fedora-12-i386-CHECKSUM
> web page. Please advise if I am correct.

The Hash: SHA1 line in the checksum file is part of the PGP signature.
It has no relation to the data that is signed (which is indeed a
SHA-256 checksum of the Fedora ISO images).

This is a very common misconception.  The main verification page at
https://fedoraproject.org/verify even contains a very bold note at the
top:

    "Please note that the Hash: SHA1 line in the CHECKSUM file is part
    of the PGP signature. It does not specify the type of hash used to
    verify the .iso files."

For future releases, the plan is to add further instructions directly
to the checksum files to try and minimize such confusion.

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Don't take life seriously, you'll never get out alive.
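
The distinction explained in the reply above, as an added example that is not part of the original message: it splits a clearsigned CHECKSUM file into its armor headers (where Hash: SHA1 lives) and its signed body (where the SHA-256 digests live). The sample file, the file name example.iso and the sha256sum-style line layout are constructed assumptions, and checking the PGP signature itself is a separate step left to gpg.

```python
import hashlib
import re

# Constructed sample in the layout of a clearsigned CHECKSUM file; the
# payload, file name and signature body are made up for this example.
SAMPLE_PAYLOAD = b"constructed stand-in for an ISO image\n"
SAMPLE_CHECKSUM = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

{digest} *example.iso
-----BEGIN PGP SIGNATURE-----

(constructed signature placeholder)
-----END PGP SIGNATURE-----
""".format(digest=hashlib.sha256(SAMPLE_PAYLOAD).hexdigest())


def split_clearsigned(text):
    """Return (armor_headers, signed_body_lines) of a cleartext-signed message."""
    lines = text.splitlines()
    start = lines.index("-----BEGIN PGP SIGNED MESSAGE-----")
    end = lines.index("-----BEGIN PGP SIGNATURE-----")
    blank = lines.index("", start)  # first empty line ends the armor headers
    headers = dict(l.split(": ", 1) for l in lines[start + 1:blank])
    # Undo dash-escaping ("- " prefix) applied to body lines starting with "-".
    body = [l[2:] if l.startswith("- ") else l for l in lines[blank + 1:end]]
    return headers, body


def checksum_entries(body):
    """Map file name -> hex digest for sha256sum-style lines in the signed body."""
    entries = {}
    for line in body:
        m = re.fullmatch(r"([0-9a-fA-F]{64}) [ *](.+)", line)
        if m:
            entries[m.group(2)] = m.group(1).lower()
    return entries


def matches(name, data, entries):
    """True if the SHA-256 of data equals the digest listed for name."""
    return entries.get(name) == hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    headers, body = split_clearsigned(SAMPLE_CHECKSUM)
    print("digest used by the signature:", headers.get("Hash"))
    print("file matches:", matches("example.iso", SAMPLE_PAYLOAD, checksum_entries(body)))
```

The Hash header only tells the OpenPGP verifier which digest the signature was computed with; the 64 hex characters on each body line are what identify the entries as SHA-256.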


More information about the Fedora-websites-list mailing list