SCIENTIFIC-LINUX-USERS Archives

February 2012

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

From: Oleg Sadov
Date: Tue, 28 Feb 2012 19:36:48 +0400

On Tue, 28/02/2012 at 16:06 +0100, Horvath Andras wrote:
> On Tue, 28 Feb 2012 13:25:54 +0000
> David Crick <[log in to unmask]> wrote:
> 
> > Signed SHA*SUMs did briefly appear on the main and
> > mirror download sites for the installation ISOs.
> > 
> > However, once the Live ISOs were uploaded, its
> > (unsigned) SHA*SUMs were merged with the install
> > ISOs' SHA*SUMs, and replaced with a single UNsigned
> > file.
> > 
> > I did retrieve a copy of the signed SHA256SUM file
> > for the install ISOs before it was replaced, and include
> > it below.  The sha256sum hashes match the hashes
> > that are in the replacement unsigned files, and the
> > digital signature on the signed file included below did
> > verify.  (My mailer and/or this mailing list may mangle
> > the below file - there should be NO line breaks between
> > the end of the sha256sum, which is followed by two
> > spaces, and then the ISO file name.)
> > 
> >    David.
> > 
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> > 
> > 13dc08249d0c1e7885a9f304e6ae510737112bcf593e875a71b81feff1fd37a1  SL-62-x86_64-2012-02-06-Everything-DVD1.iso
> > 5a039a53d8cba4b972c720ba58865b47656d6c1aa80b44b83aeb046983df92f0  SL-62-x86_64-2012-02-06-Everything-DVD2.iso
> > d41c280f46c6239619384170df74639c19813a4a86f011fa6f15e546e8874279  SL-62-x86_64-2012-02-06-boot.iso
> > 48b6af8d71c272591cea37c99e7c67d310b352ef00a5d4ac2b2563fbb90a2f9b  SL-62-x86_64-2012-02-06-Install-DVD.iso
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v2.0.14 (GNU/Linux)
> > 
> > iEYEARECAAYFAk8xQx8ACgkQsLQYPxkqfX1e8QCeMsza0Udokn050GFaMOhnUT9x
> > DlYAn2ny/nM05iA8EDPhxEOHEHkwu2uo
> > =ImgV
> > -----END PGP SIGNATURE-----
> 
> Thank you very much for the signed hash, I could successfully extract it
> and check the signature!
> 
> So you're saying that it is common that the developers sign the SHASUM
> files? And now the files got overwritten? Could this be an accident
> then?
>
> As I saw, the Live .iso files get updated from time to time, so it
> would be practical to always have signed hash files.

Actually, checksums are already implanted into the images and can be verified
with the checkisomd5 utility. SHASUM is a kind of bonus checksum.

> I'm not familiar with the whole process, I've been using SL only for a
> couple of months now (gratefully thanks to the devs!), excuse any of my
> inconvenient questions!
> 
> Andras
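
Added example (not part of the original message): Python that undoes the mangling David describes, mail quoting plus a line break between each digest and its file name, so the repaired text can be saved and passed to `gpg --verify`, and then checks the listed ISOs against it. The names `repair` and `check` are assumptions of this example.

```python
import hashlib
import re
from pathlib import Path

QUOTE = re.compile(r"^(?:> ?)+")          # mail quoting such as "> > "
DIGEST = re.compile(r"[0-9a-f]{64}")      # a bare SHA-256 hex digest
ENTRY = re.compile(r"([0-9a-f]{64})  (.+)")


def repair(text):
    """Strip quoting and re-join digests that were split from their file names."""
    out, pending = [], None
    for raw in text.splitlines():
        line = QUOTE.sub("", raw).strip()
        if pending is not None:
            if not line or line.startswith("-----"):
                raise ValueError(f"no file name after digest {pending}")
            out.append(f"{pending}  {line}")   # sha256sum format: two spaces
            pending = None
        elif DIGEST.fullmatch(line):
            pending = line
        else:
            out.append(line)
    if pending is not None:
        raise ValueError(f"no file name after digest {pending}")
    return "\n".join(out) + "\n"


def check(repaired, directory):
    """Hash each listed file under directory: name -> OK, FAILED or MISSING."""
    result = {}
    for line in repaired.splitlines():
        m = ENTRY.fullmatch(line)
        if not m:
            continue
        want, name = m.groups()
        if Path(name).name != name:            # refuse names with path components
            raise ValueError(f"unexpected path in listing: {name}")
        path = Path(directory) / name
        if not path.is_file():
            result[name] = "MISSING"
            continue
        digest = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                digest.update(chunk)
        result[name] = "OK" if digest.hexdigest() == want else "FAILED"
    return result
```

The digests are only as trustworthy as the signature over them: run `gpg --verify` on the repaired file with the distribution's signing key before relying on the result of `check`.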
