http://fedoraproject.org/en/verify
Andre Robatino
andre at bwh.harvard.edu
Sun May 25 23:44:19 UTC 2008
The above page basically claims that if you download a Fedora ISO from
torrent.fedoraproject.org by BitTorrent, it can automatically be trusted
as a result. This ignores the possibility that the .torrent file itself
could have been replaced, which would actually be easier than replacing
an entire ISO on a direct download server, since the latter is much
larger. The official torrents from torrent.fedoraproject.org include
SHA1SUM files, and the advice to check those first should apply to
torrent downloads as well as direct downloads.
Also, there is no mention of the warning when running "gpg --verify
SHA1SUM":
gpg: Signature made Wed 07 May 2008 10:03:44 PM EDT using DSA key ID 4F2A6FD2
gpg: Good signature from "Fedora Project <fedora at redhat.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: CAB4 4B99 6F27 744E 8612 7CDF B442 69D0 4F2A 6FD2
I read on an old fedoralegacy.org page that the reason the key is not
certified with a trusted signature is due to an old RPM bug. Is this
correct? It would be nice if the page mentioned something about this as
well.
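The two checks the message argues for, as an added example that is not part of the original post and not Fedora project code: first accept the SHA1SUM file only if gpg reports a valid signature from the pinned fingerprint quoted above (the "not certified with a trusted signature" warning is gpg saying the key is outside your own web of trust, so the fingerprint comparison is the check that actually matters), and only then hash each ISO against the entries in the file. The gpg status lines, the ISO file names and their contents are constructed samples; `run_gpg_status` is the only part that needs a real gpg and is not used by the demo.

```python
"""Verify a signed SHA1SUM file, then the downloads it lists.

Added example for this thread, not Fedora project code. Assumptions:
- the fingerprint pinned below is the one printed by gpg in the message;
- the checksum file is clearsigned in coreutils 'hash  filename' format;
- SAMPLE_STATUS / ROGUE_STATUS are constructed gpg --status-fd lines
  (field values are made up, only the field layout is gpg's).
"""
import hashlib
import os
import re
import subprocess
import tempfile

# Fingerprint from the gpg output quoted in the message, spaces removed.
PINNED_FPR = "CAB44B996F27744E86127CDFB44269D04F2A6FD2"

# Constructed status lines, as gpg --status-fd 1 --verify would emit them.
SAMPLE_STATUS = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG B44269D04F2A6FD2 Fedora Project <fedora@redhat.com>",
    "[GNUPG:] VALIDSIG CAB44B996F27744E86127CDFB44269D04F2A6FD2 2008-05-08 "
    "1210212224 0 4 0 17 2 01 CAB44B996F27744E86127CDFB44269D04F2A6FD2",
    "[GNUPG:] TRUST_UNDEFINED",   # the 'not certified' warning, as a status
]
# Constructed: a perfectly valid signature, but by somebody else's key.
ROGUE_STATUS = [
    "[GNUPG:] GOODSIG 0123456789ABCDEF Someone Else <someone@example.org>",
    "[GNUPG:] VALIDSIG 0000000000000000000000000123456789ABCDEF 2008-05-08 "
    "1210212224 0 4 0 17 2 01 0000000000000000000000000123456789ABCDEF",
    "[GNUPG:] TRUST_UNDEFINED",
]


def signer_fingerprint(status_lines):
    """Primary-key fingerprint from a VALIDSIG status line, or None.
    GOODSIG only carries the 32-bit key ID (4F2A6FD2), too short to pin on."""
    for line in status_lines:
        fields = line.split()
        if len(fields) >= 2 and fields[:2] == ["[GNUPG:]", "VALIDSIG"]:
            return fields[-1].upper()
    return None


def signature_acceptable(status_lines, pinned=PINNED_FPR):
    """True only for a valid signature by the pinned key. gpg's trust verdict
    (TRUST_UNDEFINED) is deliberately ignored: it describes your keyring, not
    whether this is the Fedora key."""
    return signer_fingerprint(status_lines) == pinned.replace(" ", "").upper()


def run_gpg_status(checksum_file):
    """Real invocation (needs gpg and the imported key); not used by demo()."""
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", checksum_file],
                          capture_output=True, text=True)
    return [l for l in proc.stdout.splitlines() if l.startswith("[GNUPG:]")]


SUM_LINE = re.compile(r"^([0-9a-fA-F]{40})\s+\*?(.+)$")


def parse_sha1sum(text):
    """Map filename -> hex SHA-1 from a clearsigned coreutils-style file.
    Parsing stops at the armour block so signature base64 is never read."""
    sums = {}
    for line in text.splitlines():
        if line.startswith("-----BEGIN PGP SIGNATURE-----"):
            break
        m = SUM_LINE.match(line.strip())
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return sums


def sha1_of_file(path, chunk=1 << 20):
    """Streamed SHA-1 so a multi-GB ISO is not read into memory at once."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_downloads(checksum_text, directory):
    """{filename: 'ok' | 'MISMATCH' | 'missing'} for every listed file."""
    results = {}
    for name, expected in parse_sha1sum(checksum_text).items():
        path = os.path.join(directory, name)
        if not os.path.exists(path):
            results[name] = "missing"
        else:
            results[name] = "ok" if sha1_of_file(path) == expected else "MISMATCH"
    return results


def demo():
    """Constructed ISO stand-ins plus a SHA1SUM with one deliberately wrong
    entry and one file not downloaded. Returns (signature_ok, results)."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "Fedora-9-i386-DVD.iso")     # constructed name
        bad = os.path.join(d, "Fedora-9-x86_64-DVD.iso")    # constructed name
        with open(good, "wb") as f:
            f.write(b"constructed stand-in for an ISO image\n" * 1000)
        with open(bad, "wb") as f:
            f.write(b"constructed stand-in for a tampered ISO\n" * 1000)
        checksum_text = "\n".join([
            "-----BEGIN PGP SIGNED MESSAGE-----", "Hash: SHA1", "",
            f"{sha1_of_file(good)}  Fedora-9-i386-DVD.iso",
            f"{'0' * 40}  Fedora-9-x86_64-DVD.iso",   # wrong on purpose
            f"{'1' * 40}  Fedora-9-ppc-DVD.iso",      # listed, not downloaded
            "-----BEGIN PGP SIGNATURE-----",
            "(constructed placeholder for the ASCII-armoured signature)",
            "-----END PGP SIGNATURE-----",
        ])
        sig_ok = signature_acceptable(SAMPLE_STATUS)
        results = verify_downloads(checksum_text, d) if sig_ok else {}
    return sig_ok, results


if __name__ == "__main__":
    print(demo())
```

Order matters: nothing in the SHA1SUM file is compared until the signature check passes, because a replaced .torrent (or a replaced SHA1SUM) would otherwise simply carry matching hashes for the attacker's image.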
More information about the Fedora-websites-list mailing list