Date: Tue, 28 Feb 2012 19:36:48 +0400
On Tue, 28/02/2012 at 16:06 +0100, Horvath Andras wrote:
> On Tue, 28 Feb 2012 13:25:54 +0000
> David Crick <[log in to unmask]> wrote:
>
> > Signed SHA*SUMs did briefly appear on the main and
> > mirror download sites for the installation ISOs.
> >
> > However, once the Live ISOs were uploaded, its
> > (unsigned) SHA*SUMs were merged with the install
> > ISOs' SHA*SUMs, and replaced with a single UNsigned
> > file.
> >
> > I did retrieve a copy of the signed SHA256SUM file
> > for the install ISOs before it was replaced, and include
> > it below. The sha256sum hashes match the hashes
> > that are in the replacement unsigned files, and the
> > digital signature on the signed file included below did
> > verify. (My mailer and/or this mailing list may mangle
> > the below file - there should be NO line breaks between
> > the end of the sha256sum, which is followed by two
> > spaces, and then the ISO file name.)
> >
> > David.
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > 13dc08249d0c1e7885a9f304e6ae510737112bcf593e875a71b81feff1fd37a1
> > SL-62-x86_64-2012-02-06-Everything-DVD1.iso
> > 5a039a53d8cba4b972c720ba58865b47656d6c1aa80b44b83aeb046983df92f0
> > SL-62-x86_64-2012-02-06-Everything-DVD2.iso
> > d41c280f46c6239619384170df74639c19813a4a86f011fa6f15e546e8874279
> > SL-62-x86_64-2012-02-06-boot.iso
> > 48b6af8d71c272591cea37c99e7c67d310b352ef00a5d4ac2b2563fbb90a2f9b
> > SL-62-x86_64-2012-02-06-Install-DVD.iso
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v2.0.14 (GNU/Linux)
> >
> > iEYEARECAAYFAk8xQx8ACgkQsLQYPxkqfX1e8QCeMsza0Udokn050GFaMOhnUT9x
> > DlYAn2ny/nM05iA8EDPhxEOHEHkwu2uo
> > =ImgV
> > -----END PGP SIGNATURE-----
>
> Thank you very much for the signed hash, I could successfully extract it
> and check the signature!
>
> So you're saying that it is common that the developers sign the SHASUM
> files? And now the files got overwritten? Could this be an accident
> then?
>
> As I saw, the Live .iso files get updated from time to time, so it
> would be practical to always have signed hash files.
Actually, checksums are already implanted into the images and can be verified with
the checkisomd5 utility. SHASUM is a kind of checksum bonus.
> I'm not familiar with the whole process, I've been using SL only for a
> couple of months now (gratefully thanks to the devs!), excuse any of my
> inconvenient questions!
>
> Andras
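
The rejoining step David describes (hash, two spaces, file name, no line break), as an added example that is not part of the original thread. The function names, the file name and the image bytes are constructed for illustration; the signature check itself is left to GnuPG.

```python
import hashlib
import re

HEX64 = re.compile(r"[0-9a-f]{64}")

def unwrap_checksum_lines(text):
    """Rebuild 'hash  filename' lines from text a mailer wrapped after the hash."""
    out, pending = [], None
    for raw in text.splitlines():
        # Drop e-mail quote markers ("> > ") and surrounding whitespace.
        line = raw.strip().lstrip("> ").strip()
        if not line:
            continue
        if pending is not None:
            if HEX64.fullmatch(line):
                raise ValueError(f"hash {pending[:12]}... has no file name")
            out.append(f"{pending}  {line}")  # hash, two spaces, file name
            pending = None
        elif HEX64.fullmatch(line):
            pending = line  # the file name is expected on the next line
        else:
            # Line that survived intact: "hash  name" or "hash *name".
            digest, _, name = line.partition(" ")
            if not HEX64.fullmatch(digest) or not name.strip():
                raise ValueError(f"not a checksum line: {line!r}")
            out.append(f"{digest}  {name.strip().lstrip('*')}")
    if pending is not None:
        raise ValueError(f"hash {pending[:12]}... has no file name")
    return out

def check(lines, files):
    """Compare each 'hash  filename' line with files[name] (bytes in memory)."""
    result = {}
    for line in lines:
        digest, name = line.split("  ", 1)
        if name not in files:
            result[name] = "MISSING"
        elif hashlib.sha256(files[name]).hexdigest() == digest:
            result[name] = "OK"
        else:
            result[name] = "FAILED"
    return result

if __name__ == "__main__":
    image = b"constructed stand-in for an ISO image"  # constructed sample data
    wrapped = f"> > {hashlib.sha256(image).hexdigest()}\n> > example-boot.iso\n"
    lines = unwrap_checksum_lines(wrapped)
    print("\n".join(lines))
    print(check(lines, {"example-boot.iso": image}))
```

On real downloads the rejoined text is what `gpg --verify` and `sha256sum -c` are run against; a matching hash only means something once the signature over the list has verified.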