New Fedora 12 checksum are listed as SHA1 but are SHA256 Hash
V Stuart Foote
VStuart.Foote at utsa.edu
Thu Nov 19 19:54:33 UTC 2009
OK Thanks! Yes that is not clear but makes sense about the PGP signature
tag for the CHECKSUM file itself.
It is just confusing to see it immediately above the hash values in the
in the file. It suggests that they're SHA1 hashes. Most folks won't
perform the gpg --verify against the signature file as we've downloaded
it directly, and will read the hashes as provided against whatever hash
utility they've got to verify a clean/complete download.
Regards,
Stuart Foote
-----Original Message-----
From: Ricky Zhou [mailto:ricky at fedoraproject.org]
Sent: Thursday, November 19, 2009 1:40 PM
To: V Stuart Foote
Cc: webmaster at fedoraproject.org
Subject: Re: New Fedora 12 checksum are listed as SHA1 but are SHA256
Hash
On 2009-11-19 01:24:00 PM, V Stuart Foote wrote:
> The posted checksums to verify ISOs for at least the i386 ISOs
> suggests the Hash is SHA1, but the value is SHA256 for the
> Fedora-12-i386-DVD.iso, suspect they may all be SHA256
>
> https://fedoraproject.org/en/verify
>
>
https://fedoraproject.org/static/checksums/Fedora-12-i386-CHECKSUM
>
> Probably should correct the mislabeled entry(s).
This is a common misconception. The Hash: SHA1 line is part of the
PGP signature. It has no relation to the sha256 checksum data in the
*-CHECKSUM files. https://fedoraproject.org/verify has details on how
to verify downloads and does point out that sha256sum is what should
be used.
We're discussing ways to make this clearer in future releases so that
folks don't mistake the PGP Hash header as the hash used for the .iso
images.
Thanks,
Ricky
More information about the Fedora-websites-list
mailing list