Download verification page on the fedoraproject Wiki needs to be updated

Todd Zullinger tmz at pobox.com
Wed Jun 17 23:59:45 UTC 2009


Hi Anirban,

Anirban Brahmachari wrote:
> Take a close look at the 32 bit signature value on the page
> http://fedoraproject.org/en/verify and compare them with those on
> http://fedoraproject.org/en/keys . See the values marked in bold, red
> and underlined below.

Bold, red, and underlined don't show so well for me.  I use mutt in a
terminal for my mail.  I'm a text only type of guy. ;)

> I believe they should match up.

Actually, they shouldn't.  Allow me to explain why I believe that...

> On http://fedoraproject.org/en/verify :
> "4F2A6FD2 - Fedora 9 and earlier"
>
> On http://fedoraproject.org/en/keys :
> """
>
> RPM-GPG-KEY-fedora-8-and-9-primary
>
> pub   1024D/6DF2196F 2008-08-27
>       Key fingerprint = 4FFF 1F04 010D EDCA E203  591D 62AE C3DC 6DF2 196F
> uid                  Fedora (8 and 9) <fedora at fedoraproject.org>
> sub   4096g/9E198F60 2008-08-27
>
>   • Download: Fedora Project
>   • Download: keys.gnupg.net
>
> RPM-GPG-KEY-fedora-test-8-and-9-primary
>
> pub   1024D/DF9B0AE9 2008-08-27
>       Key fingerprint = C0E7 128E 9072 96CA AE31  78A2 8E69 3B4D DF9B 0AE9
> uid                  Fedora (8 and 9 testing) <fedora at fedoraproject.org>
> sub   4096g/80E34F98 2008-08-27
>
>   • Download: Fedora Project
>   • Download: keys.gnupg.net
>
> """
>

> See the slight difference ?

I do.  The reason for this is that the original key used to sign
Fedora 9 and earlier releases was exposed during an infrastructure
intrusion in August of 2008¹.  New keys were generated and used to
resign all previous Fedora 8 and 9 packages.  Those keys are 6DF2196F
and DF9B0AE9.  However, the SHA1SUM files for these releases were not
resigned for various reasons.  So the information on fp.o/verify is
still correct for verifying Fedora 9 and earlier release .iso files.

¹ http://www.redhat.com/archives/fedora-announce-list/2008-August/msg00012.html

> The other values on these 2 pages match up properly.  I understand
> that it is for an older release of the OS and does not matter much
> but then, I once had to downgrade from Fedora 10 to Fedora 9 because
> the new version would lock up on boot on some of the machines that I
> manage.

I think it does matter for any supported release, so thanks for
reporting it.  If the information was incorrect we'd want to fix it.
Fortunately, in just a few weeks Fedora 9 will reach the end of its
life and the confusing key information can be removed from fp.o/verify
and the key details moved to the 'obsolete' section on fp.o/keys.

> Thank you for the enthusiasm and fast response. I hope that I won't
> be labelled as a nitpicker ;-)

You say that as if being a nitpicker is a bad thing. :)

When it comes to important details like GPG keys and .iso
verification, it's quite good to be picky.

Please don't hesitate to correct me if I'm wrong on any of the above.
As much as I'd like to claim otherwise, I am still mistaken on
occasion. ;)

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Entropy just isn't what it used to be.
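The check the thread is about, carried through end to end as an added example (it is not code from this mailing-list thread or from the Fedora project): import the key listed on fp.o/keys, confirm the signature on the release's SHA1SUM file really comes from that key's fingerprint, and only then compare the .iso against the hash inside the signed file. Plain `gpg --verify` prints "Good signature" for any key in your keyring, so the fingerprint comparison is the step that ties the file to the key the web page names. The script assumes gpg 2.1 or later and GNU coreutils sha1sum; it generates a throwaway key and a constructed fake .iso locally so it runs offline, where a real check would use the Fedora key downloaded from fp.o/keys and the fingerprint printed there. The function names and return codes are this example's own. Note also that a good signature from a key that was exposed in an intrusion only proves the file is unchanged since someone holding that key signed it, so for releases signed by such a key it is worth cross-checking the hash against the one published on the project site.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread or from Fedora.
# Verifies a clearsigned SHA1SUM file in two steps:
#   1. the signature must be good AND made by the key fingerprint you
#      copied from fp.o/keys (gpg alone only says "good signature" for
#      any key that happens to be in your keyring);
#   2. the .iso's SHA-1 must match the line inside the signed file.
# Assumes gpg 2.1+ and GNU coreutils sha1sum. A throwaway key generated
# below stands in for the Fedora release key.
set -eu

# verify_iso_checksum EXPECTED_FINGERPRINT SHA1SUM_FILE ISO_DIR
# Returns 0 on success, 2 if gpg rejects the signature (BADSIG, unknown
# key, ...), 3 if the signature is good but from a different key, 4 if a
# listed file's SHA-1 does not match.
verify_iso_checksum() {
    expected_fpr=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    sumfile=$2
    isodir=$3

    status=$(gpg --batch --status-fd 1 --verify "$sumfile" 2>/dev/null) || return 2
    # The VALIDSIG status line carries the fingerprint of the signing key.
    printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG $expected_fpr " || return 3

    # Keep only "<40 hex>  <name>" lines; the clearsign header and the
    # signature block would otherwise make sha1sum warn about bad lines.
    grep -E '^[0-9a-f]{40}  ' "$sumfile" | (cd "$isodir" && sha1sum -c --quiet -) || return 4
    return 0
}

# make_demo_fixture DIR: constructed stand-in for a release directory.
# Creates a throwaway signing key in DIR/gnupg, a fake .iso, its SHA1SUM,
# the clearsigned SHA1SUM.asc, an edited copy of that file, and
# DIR/tampered/ holding the same signed file next to an altered .iso.
make_demo_fixture() {
    dir=$1
    mkdir -p "$dir/gnupg" "$dir/tampered"
    chmod 700 "$dir/gnupg"
    export GNUPGHOME="$dir/gnupg"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Release Key <release@example.invalid>' default default never
    gpg --batch --with-colons --list-keys | awk -F: '$1=="fpr"{print $10; exit}' > "$dir/expected.fpr"

    printf 'not really a Fedora 9 iso\n' > "$dir/Fedora-9-demo.iso"
    (cd "$dir" && sha1sum Fedora-9-demo.iso > SHA1SUM)
    gpg --batch --yes --pinentry-mode loopback --passphrase '' \
        --clearsign -o "$dir/SHA1SUM.asc" "$dir/SHA1SUM"

    # Same signed checksum file, but the image was altered after signing.
    cp "$dir/SHA1SUM.asc" "$dir/tampered/"
    { cat "$dir/Fedora-9-demo.iso"; printf 'extra bytes\n'; } > "$dir/tampered/Fedora-9-demo.iso"
    # A checksum file whose hash line was edited: the signature no longer matches.
    sed 's/^[0-9a-f]\{40\}  /0000000000000000000000000000000000000000  /' \
        "$dir/SHA1SUM.asc" > "$dir/SHA1SUM.edited.asc"
}

# Run the good case and the three failure modes; prints one line each.
demo() {
    DEMO_DIR=$(mktemp -d)
    make_demo_fixture "$DEMO_DIR" 2>/dev/null
    fpr=$(cat "$DEMO_DIR/expected.fpr")
    for case in "good $fpr $DEMO_DIR/SHA1SUM.asc $DEMO_DIR" \
                "wrong-key 0000000000000000000000000000000000000000 $DEMO_DIR/SHA1SUM.asc $DEMO_DIR" \
                "edited-sums $fpr $DEMO_DIR/SHA1SUM.edited.asc $DEMO_DIR" \
                "altered-iso $fpr $DEMO_DIR/tampered/SHA1SUM.asc $DEMO_DIR/tampered"; do
        set -- $case
        if verify_iso_checksum "$2" "$3" "$4"; then rc=0; else rc=$?; fi
        echo "$1: rc=$rc"
    done
}
demo
```

For a real release, replace the throwaway key with `gpg --import` of the key file linked from fp.o/keys, pass the fingerprint printed on that page as the first argument (spaces are fine), and point the last argument at the directory holding the downloaded .iso. The function deliberately treats "good signature, wrong key" (rc=3) as a failure rather than a warning, since that is exactly the case an attacker who controls a mirror can produce by signing a modified SHA1SUM with a key of their own.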
