sha256sun
Todd Zullinger
tmz at pobox.com
Tue Jun 16 20:17:11 UTC 2009
Aldo Foot wrote:
> The filename "Fedora-11-i386-CHECKSUM" is arbitrary. You can call it
> anything you want as long as it has the contents of the GPG key
> provided by the distro[1], just click on the checksum link and copy
> its contents to a text file.
>
> [1] http://mirrors.kernel.org/fedora/releases/11/Fedora/i386/iso/
At the risk of causing more confusion, I don't think that's correct.
The contents of the GPG key are _not_ included in the *CHECKSUM files.
The contents are the sha256sum hashes of the files in release, and
they are signed with gpg so that you can first verify that the
CHECKSUM file came from the Fedora Project and then feel confident
using the file to verify the checksums of the .iso files.
The steps to do this are covered at https://fedoraproject.org/verify .
--
Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Life swings like a pendulum backward and forward between pain and
boredom.
-- Arthur Schopenhauer
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 542 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-list/attachments/20090616/7609936e/attachment-0001.sig>
More information about the fedora-list
mailing list