Re: sha256sun

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Jun 16, 2009 at 1:17 PM, Todd Zullinger<tmz@xxxxxxxxx> wrote:
> Aldo Foot wrote:
>> The filename "Fedora-11-i386-CHECKSUM" is arbitrary. You can call it
>> anything you want as long as it has the contents of the GPG key
>> provided by the distro[1], just click on the checksum link and copy
>> its contents to a text file.
>>
>> [1] http://mirrors.kernel.org/fedora/releases/11/Fedora/i386/iso/
>
> At the risk of causing more confusion, I don't think that's correct.
> The contents of the GPG key are _not_ included in the *CHECKSUM files.
> The contents are the sha256sum hashes of the files in release, and
> they are signed with gpg so that you can first verify that the
> CHECKSUM file came from the Fedora Project and then feel confident
> using the file to verify the checksums of the .iso files.
>
> The steps to do this are covered at https://fedoraproject.org/verify .
>



Thanks for the correction. I was thinking of the words "PGP SIGNATURE"
that appear in the contents of the checksum file. The file contains hash
values, which are not to be confused with gpg keys.

~af

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines

[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux