FWD: [Fedora-freemedia-list] SHA1 vs SHA256...

Todd Zullinger tmz at pobox.com
Wed Nov 18 13:11:54 UTC 2009


Allen Kistler wrote:
> I think that thread is talking about some other page than the one
> that confused Jeff.  In particular, this thread refers to changing
> some string value on a page from "SHA1" to "SHA256."
>
> 1. If you alter a GPG-signed message, you've just screwed the
> signature, since most of the value of the signature comes from being
> able to verify that no one has changed the message.
>
> 2. Maybe it hasn't replicated, but I still see "SHA1" when I look at
> the pages Jeff referenced.  And BTW that's a good thing.
>
> Or am I the one confused?  I'm looking at only those pages Jeff
> lists above.

That thread is on the mark.  The fix that Jesse is referring to is
likely that we'll add some text to the *CHECKSUM files explaining what
checksum tool to use for verification, perhaps pointing to the page at
https://fedoraproject.org/verify and some large print that says "USE
sha256sum TO VERIFY THE CHECKSUMS, DESPITE ANY PGP 'Hash:' LINE YOU
MAY SEE AND THINK YOU UNDERSTAND." :)

Unfortunately, many, many people confuse the 'Hash: SHA1' line which
is part of the PGP signature with the SHA256 checksum data that is in
the *CHECKSUM files.  It would almost be better to just have
detached PGP signature files.  That way, those who are not familiar
with PGP would not ever see a 'Hash: SHA1' line to confuse them.

Oddly, at some point the PGP signatures will be made using SHA256 as
well and that will then match the checksum used for the .iso files.
But as long as people conflate the PGP Hash header and the checksum
used to create the clearsigned data, we'll have this problem.

We've gotten a _lot_ of this question at the webmaster address.  I
never realized how many people made the flawed assumption that the PGP
Hash: header had anything to do with the checksum data in the files.

Please spread the message as much as possible that they are NOT
related in ANY way.

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Truth is like a well-known whore.  Everybody knows her but it's
embarrassing to meet her in the street.
    -- Wolfgang Borchert
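The distinction Todd draws above, as an added example that is not part of the original message or of any Fedora tooling: a small Python parser reads a constructed clearsigned *-CHECKSUM file, reports the PGP armor 'Hash:' header separately from the checksum entries, picks the digest algorithm from the length of the listed hex value rather than from that header, and verifies sample bytes against it. The file layout, filename and digest values are constructed for the example; checking the PGP signature itself is left to gpg.

```python
import hashlib
import re

# Constructed bytes standing in for an ISO image (not a real Fedora file).
FAKE_ISO = b"constructed sample image bytes\n"

# Constructed *-CHECKSUM file in the clearsigned layout the message describes.
# "Hash: SHA1" is a PGP armor header naming the digest used when signing the
# text; the line inside the body is the SHA256 digest of the ISO.  The
# signature block is a placeholder, not a real signature.
SAMPLE_CHECKSUM_FILE = f"""-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

{hashlib.sha256(FAKE_ISO).hexdigest()}  *Fedora-12-i386-DVD.iso
-----BEGIN PGP SIGNATURE-----
constructed-placeholder-not-a-real-signature=
-----END PGP SIGNATURE-----
"""

# The length of the hex digest, not the armor header, decides which tool to use.
ALGORITHM_BY_HEX_LENGTH = {40: "sha1", 64: "sha256", 128: "sha512"}
CHECKSUM_LINE = re.compile(
    r"^([0-9a-fA-F]{128}|[0-9a-fA-F]{64}|[0-9a-fA-F]{40})\s+\*?(\S+)$")


def armor_hash_header(text):
    """Value of the clearsign 'Hash:' header (the signature digest), or None."""
    m = re.search(r"^Hash:\s*(\S+)\s*$", text, re.MULTILINE)
    return m.group(1) if m else None


def parse_checksums(text):
    """{filename: (algorithm, hexdigest)} taken from the signed body only;
    the armor headers and the signature block are not checksum lines."""
    entries = {}
    in_body = False
    for line in text.splitlines():
        if line.startswith("-----BEGIN PGP SIGNED MESSAGE-----"):
            in_body = True
        elif line.startswith("-----BEGIN PGP SIGNATURE-----"):
            break
        elif in_body and (m := CHECKSUM_LINE.match(line)):
            digest, name = m.group(1).lower(), m.group(2)
            entries[name] = (ALGORITHM_BY_HEX_LENGTH[len(digest)], digest)
    return entries


def verify_image(data, checksum_text, filename):
    """Recompute the digest with the algorithm implied by the checksum entry,
    ignoring the 'Hash:' header entirely, and compare it to the listed value."""
    algorithm, expected = parse_checksums(checksum_text)[filename]
    return hashlib.new(algorithm, data).hexdigest() == expected
```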

