SHA1 and 256 (again) :)

Todd Zullinger tmz at pobox.com
Thu Nov 19 03:23:55 UTC 2009


Adam Williamson wrote:
> To be clear, I think the documentation page that Scott linked talks
> about SHA-1 not because someone misread the checksum file but simply
> because it's _old_. It was written at a time when the checksums
> actually were SHA-1. Note the reference to Fedora 7.

Indeed.  I filed a bug on this when Fedora 11 came out and it didn't
get updated.  After various discussion and some excellent help from
Richard Jones, we have a pretty reasonable way to build a sha256sum.exe
that we can distribute from fedoraproject.org and feel more
comfortable recommending to Windows users.

Unfortunately, this didn't happen in time for Fedora 12.  But seeing
that it's been broken since Fedora 11, another week or two shouldn't
kill us. :)

> I think the above page needs to be updated to refer to SHA-256
> checksums. Also, both it and https://fedoraproject.org/en/verify might
> benefit from explicitly mentioning the potential confusion between the
> signature algorithm and the checksum algorithm, until F13 is current.

I'm torn on whether we should call out this issue on fp.o/verify.  The
page does clearly indicate the command to be used.  I fear that adding
something like:

    NOTE: Please don't confuse the 'Hash:' line in the *CHECKSUM file,
    (which is part of the PGP signature) with the type of hash
    algorithm used to verify the .iso files

might only serve to add confusion to those who weren't already
confused.  I think many of the users who were confused downloaded via
the torrents and likely never saw the fp.o/verify page at all anyway.

In the end, I think adding some comments directly to the *CHECKSUM
files will be much more useful (and is something Jesse has said is on
his list of rel-eng tasks -- a list I imagine is fairly long. ;).

I think something along the lines of:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

To verify the file(s) listed below, run:

    sha256sum -c Fedora-12-i686-Live-CHECKSUM

See https://fedoraproject.org/verify for more details.

5ad27455df004ee23fbc5a05dfa039a14e59956dccf4e767d493601e0bfa4001  Fedora-12-i686-Live.iso
-----BEGIN PGP SIGNATURE-----
[...]
-----END PGP SIGNATURE-----

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Tell a man there are 300 billion stars in the universe, he'll believe
you.  Tell him a bench has wet paint on it and he'll have to touch it
to be sure.
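
As an added example (not from this mail or from Fedora's tooling), the script below reads a clearsigned CHECKSUM file in the layout proposed above, separates the armor "Hash:" header (the signature digest) from the per-file checksum algorithm, and checks each file with the algorithm implied by its digest length, as sha256sum -c would. The CHECKSUM text, the stand-in ISO bytes and the placeholder signature block are constructed; verifying the PGP signature itself is left to gpg.

```python
import hashlib
import re

SAMPLE_FILES = {"Fedora-12-i686-Live.iso": b"constructed stand-in for an ISO\n"}

# Constructed clearsigned CHECKSUM file in the layout proposed in the mail. The
# "Hash: SHA1" armor header names the digest GnuPG used over the signed text, not
# the checksum algorithm of the listed files. The signature body is a placeholder.
SAMPLE_CHECKSUM = (
    "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n"
    "    sha256sum -c Fedora-12-i686-Live-CHECKSUM\n\n"
    + hashlib.sha256(SAMPLE_FILES["Fedora-12-i686-Live.iso"]).hexdigest()
    + "  Fedora-12-i686-Live.iso\n-----BEGIN PGP SIGNATURE-----\n"
    "[placeholder]\n-----END PGP SIGNATURE-----\n"
)

# Coreutils checksum line: hex digest, whitespace, optional '*' (binary), name.
CHECKSUM_LINE = re.compile(r"^([0-9a-fA-F]+)\s+\*?(\S+)$")
DIGEST_BY_HEXLEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def parse_clearsigned_checksums(text):
    """Return (armor_hash, [(algo, hexdigest, filename), ...]), reading only the
    signed text between the armor headers and the signature block."""
    armor_hash, entries, state = None, [], "outside"
    for line in text.splitlines():
        if state == "outside":
            if line == "-----BEGIN PGP SIGNED MESSAGE-----":
                state = "armor"
        elif state == "armor":  # armor headers end at the first blank line
            if line == "":
                state = "body"
            elif line.startswith("Hash:"):
                armor_hash = line.split(":", 1)[1].strip()
        elif line == "-----BEGIN PGP SIGNATURE-----":
            break
        else:
            m = CHECKSUM_LINE.match(line)
            if m and len(m.group(1)) in DIGEST_BY_HEXLEN:
                digest = m.group(1).lower()
                entries.append((DIGEST_BY_HEXLEN[len(digest)], digest, m.group(2)))
    return armor_hash, entries


def verify_checksums(text, files):
    """Map each listed filename to True (match), False (mismatch) or None (absent)."""
    results = {}
    for algo, digest, name in parse_clearsigned_checksums(text)[1]:
        data = files.get(name)
        results[name] = None if data is None else hashlib.new(algo, data).hexdigest() == digest
    return results
```

The armor header comes back as "SHA1" while the file entry is verified as sha256, which is exactly the distinction the mail says users were tripping over.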
