SCIENTIFIC-LINUX-USERS Archives

February 2012

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Horvath Andras <[log in to unmask]>
Reply To: Horvath Andras <[log in to unmask]>
Date: Tue, 28 Feb 2012 16:06:52 +0100

On Tue, 28 Feb 2012 13:25:54 +0000
David Crick <[log in to unmask]> wrote:

> Signed SHA*SUMs did briefly appear on the main and
> mirror download sites for the installation ISOs.
> 
> However, once the Live ISOs were uploaded, their
> (unsigned) SHA*SUMs were merged with the install
> ISOs' SHA*SUMs, and replaced with a single UNsigned
> file.
> 
> I did retrieve a copy of the signed SHA256SUM file
> for the install ISOs before it was replaced, and include
> it below.  The sha256sum hashes match the hashes
> that are in the replacement unsigned files, and the
> digital signature on the signed file included below did
> verify.  (My mailer and/or this mailing list may mangle
> the below file - there should be NO line breaks between
> the end of the sha256sum, which is followed by two
> spaces, and then the ISO file name.)
> 
>    David.
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> 13dc08249d0c1e7885a9f304e6ae510737112bcf593e875a71b81feff1fd37a1
> SL-62-x86_64-2012-02-06-Everything-DVD1.iso
> 5a039a53d8cba4b972c720ba58865b47656d6c1aa80b44b83aeb046983df92f0
> SL-62-x86_64-2012-02-06-Everything-DVD2.iso
> d41c280f46c6239619384170df74639c19813a4a86f011fa6f15e546e8874279
> SL-62-x86_64-2012-02-06-boot.iso
> 48b6af8d71c272591cea37c99e7c67d310b352ef00a5d4ac2b2563fbb90a2f9b
> SL-62-x86_64-2012-02-06-Install-DVD.iso
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.14 (GNU/Linux)
> 
> iEYEARECAAYFAk8xQx8ACgkQsLQYPxkqfX1e8QCeMsza0Udokn050GFaMOhnUT9x
> DlYAn2ny/nM05iA8EDPhxEOHEHkwu2uo
> =ImgV
> -----END PGP SIGNATURE-----

Thank you very much for the signed hash, I could successfully extract it
and check the signature!

So you're saying that it is common that the developers sign the SHASUM
files? And now the files got overwritten? Could this be an accident
then?

As I saw, the Live .iso files get updated from time to time, so it
would be practical to always have signed hash files.

I'm not familiar with the whole process, I've been using SL only for a
couple of months now (gratefully thanks to the devs!), excuse any of my
inconvenient questions!

Andras
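
The extract-and-check step discussed in this message, as an added sketch that is not from either poster or from the Scientific Linux project: it undoes the quoting and line wrapping, verifies the signature, and checks an ISO only against hashes that the signature covers. It assumes GnuPG and coreutils, and that the signer's public key is already imported with its fingerprint confirmed out of band; the function names and the sample message are constructed.

```shell
#!/bin/sh
# Strip "> " quoting and trailing blanks, then rejoin "<64 hex>" + "<name>"
# line pairs into the "<hash>  <name>" form that was originally signed.
unmangle_clearsigned() {
  sed -e 's/^> \{0,1\}//' -e 's/[[:space:]]*$//' |
  awk '
    held != "" {
      if ($0 != "" && $0 !~ /^-----/) { print held "  " $0; held = ""; next }
      print held; held = ""            # no file name followed: leave as found
    }
    /^[0-9a-f]+$/ && length($0) == 64 { held = $0; next }
    { print }
    END { if (held != "") print held }
  '
}

# usage: verify_iso repaired.asc /path/to/image.iso
# gpg exits non-zero on a bad or uncheckable signature, so nothing is hashed
# unless the signature verified. Only the text gpg writes out is signed.
verify_iso() {
  name=$(basename "$2")
  sums=$(mktemp) || return 1
  gpg --batch --yes --output "$sums" --decrypt "$1" || { rm -f "$sums"; return 1; }
  line=$(awk -v f="$name" '$2 == f' "$sums")
  rm -f "$sums"
  [ -n "$line" ] || { echo "no signed hash for $name" >&2; return 1; }
  (cd "$(dirname "$2")" && printf '%s\n' "$line" | sha256sum -c -)
}

# Constructed sample: placeholder hashes and signature, not the real SL values.
sample_quoted() {
  h1=$(printf '%064d' 0 | tr 0 a)
  h2=$(printf '%064d' 0 | tr 0 b)
  printf '%s\n' '> -----BEGIN PGP SIGNED MESSAGE-----' '> Hash: SHA1' '> ' \
    "> $h1" '> example-DVD1.iso' "> $h2" '> example-boot.iso' \
    '> -----BEGIN PGP SIGNATURE-----' '> PLACEHOLDER-not-a-real-signature' \
    '> -----END PGP SIGNATURE-----'
}

# Show the repaired message for the constructed sample.
sample_quoted | unmangle_clearsigned
```

Trailing whitespace is not part of a cleartext signature, so stripping it during the repair does not change what gpg verifies.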
