On Sat, 30 Oct 2021 at 03:14, Tim via users <users@lists.fedoraproject.org> wrote:
> Hi,
>
> Just trying to figure out how to verify the Fedora 34 mate spin.
>
> Looking through the pages you get after going to the mate spin, it
> suggests <https://spins.fedoraproject.org/en/verify>, the instructions
> aren't coherent, and don't work as written.
>
> There's what looks like it's simply a heading saying Verify 64-bit iso,
> but that's actually a clickable link to download the checksum file.
> Not well written.
>
> Then it says to import the GPG keys. That works.
>
> $ curl https://getfedora.org/static/fedora.gpg | gpg --import
>
> Then it sends you to another page to verify the GPG keys.
>
> https://getfedora.org/en/security/
>
> It gives the same curl command as above.

You are meant to download one -CHECKSUM file from the list on the right
side of the page:

% curl https://getfedora.org/static/fedora.gpg | gpg --import
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 14180  100 14180    0     0  43496      0 --:--:-- --:--:-- --:--:-- 43496
gpg: key F55AD3FB5323552A: public key "Fedora (37) <fedora-37-prim...@fedoraproject.org>" imported
gpg: key 999F7CBF38AB71F4: public key "Fedora (36) <fedora-36-prim...@fedoraproject.org>" imported
gpg: key DB4639719867C58F: public key "Fedora (35) <fedora-35-prim...@fedoraproject.org>" imported
gpg: key 1161AE6945719A39: "Fedora (34) <fedora-34-prim...@fedoraproject.org>" not changed
gpg: key 49FD77499570FF31: "Fedora (33) <fedora-33-prim...@fedoraproject.org>" not changed
gpg: key 7BB90722DBBDCF7C: "Fedora (iot 2019) <fedora-iot-2...@fedoraproject.org>" not changed
gpg: key 21EA45AB2F86D6A1: "Fedora EPEL (8) <e...@fedoraproject.org>" not changed
gpg: key 6A2FAEA2352C64E5: "Fedora EPEL (7) <e...@fedoraproject.org>" not changed
gpg: key 3B49DF2A0608B895: "EPEL (6) <e...@fedoraproject.org>" not changed
gpg: Total number processed: 9
gpg:               imported: 3
gpg:              unchanged: 6

% wget2 https://getfedora.org/static/checksums/34/iso/Fedora-Workstation-34-1.2-x86_64-CHECKSUM
[0] Downloading 'https://getfedora.org/static/checksums/34/iso/Fedora-Workstation-34-1.2-x86_64-CHECKSUM' ...
Saving 'Fedora-Workstation-34-1.2-x86_64-CHECKSUM'
HTTP response 200 OK [https://getfedora.org/static/checksums/34/iso/Fedora-Workstation-34-1.2-x86_64-CHECKSUM]

% gpg --verify-files *-CHECKSUM
gpg: Signature made Fri 23 Apr 2021 04:37:01 PM ADT
gpg:                using RSA key 8C5BA6990BDB26E19F2A1A801161AE6945719A39
gpg: Good signature from "Fedora (34) <fedora-34-prim...@fedoraproject.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8C5B A699 0BDB 26E1 9F2A 1A80 1161 AE69 4571 9A39

This fingerprint agrees with the one for Fedora-Workstation-34 in the
https://getfedora.org/en/security/ page.

> Asks you to verify the checksum file is valid, but since you haven't
> downloaded the checksum file you can't. It imported it directly into
> GPG. There's no instructions that you need to *separately* download
> the keys and verify them (if you want to verify them). And, really,
> you should do that step before importing them. And, you're importing
> unknown untrusted keys, anyway.

You are supposed to verify the signature against the ones at the bottom
of the page.

> Trying to follow that page is a hotchpotch of reading through the page,
> scrolling up and down, referring to something written below the
> instructions, going back to reread the instructions, and flick between
> pages. Fair enough to put the quick list of steps you'll go through at
> the top, but put the full sequence, *in* the sequence that you'll do
> it, further down the page.
>
> Then going back to the verify page to try and figure out how to verify
> the mate spin. The wildcard "sha256sum -c *-CHECKSUM" command gives
> you way too much output, there's lots of failed notices about the other
> spins you don't have, with yours buried somewhere in the middle.
> Surely there's a better way to filter that down to just show the output
> of files it's actually checking, rather than all the files it looked
> for.

Sounds like you have "-CHECKSUM" files for lots of spins. The wildcard
pattern is easy for someone who has only one .iso and -CHECKSUM file,
but it is also easy to check just the file you want to use.

> I've gone through three different webpages just to verify one download.

Good security is not easy. Bad actors rely on the human tendency to take
shortcuts.

--
George N. White III
_______________________________________________
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
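An added example for the "check just the file you want to use" point in the reply above; it is not from the thread or from Fedora's own tooling. It pulls only your image's line out of a -CHECKSUM file before running sha256sum -c, and wraps the fingerprint comparison in a check a script can make. It assumes GNU coreutils; the image name, the CHECKSUM contents and the hashes of the other spins are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: verify only the image you actually
# downloaded against a Fedora-style -CHECKSUM file, so the output does not
# list every other spin in the file as missing. Assumes GNU coreutils.
set -eu

# Signature step. gpg's "[unknown]" warning only says you have not certified
# the Fedora key yourself; what matters is the fingerprint published at
# https://getfedora.org/en/security/. gpg's VALIDSIG status line lets a
# script compare it exactly (needs gpg and the imported key, so not run by
# the sample below), e.g.:
#   verify_checksum_signature Fedora-Workstation-34-1.2-x86_64-CHECKSUM \
#       8C5BA6990BDB26E19F2A1A801161AE6945719A39
verify_checksum_signature() {   # $1 = CHECKSUM file, $2 = expected fingerprint
    gpg --status-fd 1 --verify "$1" 2>/dev/null \
        | grep -q "^\[GNUPG:\] VALIDSIG $2 "
}

# Digest step. Fedora CHECKSUM lines are BSD-style: SHA256 (name.iso) = <hex>.
# Pull only the line naming your file and feed that one line to sha256sum -c,
# which accepts the tagged format. (coreutils >= 8.25 can instead run
# "sha256sum --ignore-missing -c FILE" to silence the absent images.)
verify_one_iso() {   # $1 = CHECKSUM file, $2 = iso filename in the current dir
    line=$(grep -F "SHA256 ($2) = " "$1" | head -n 1) || true
    if [ -z "$line" ]; then
        echo "no SHA256 entry for $2 in $1" >&2
        return 2
    fi
    printf '%s\n' "$line" | sha256sum -c -
}

# Constructed sample: a stand-in "iso" and a CHECKSUM file that, like the
# real Spins file, also lists images that were never downloaded.
tmp=$(mktemp -d)
cd "$tmp"
iso=Fedora-MATE_Compiz-Live-x86_64-34-1.2.iso
printf 'stand-in image contents\n' > "$iso"
good=$(sha256sum "$iso" | cut -d' ' -f1)
cat > Fedora-Spins-34-1.2-x86_64-CHECKSUM <<EOF
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

# $iso: constructed sample, not a real Fedora image
SHA256 (Fedora-Cinnamon-Live-x86_64-34-1.2.iso) = $(printf '%064d' 0)
SHA256 ($iso) = $good
SHA256 (Fedora-Xfce-Live-x86_64-34-1.2.iso) = $(printf '%064d' 1)
EOF
verify_one_iso Fedora-Spins-34-1.2-x86_64-CHECKSUM "$iso"
```

The only line printed is "Fedora-MATE_Compiz-Live-x86_64-34-1.2.iso: OK"; an image listed in the file but absent from the directory, or a modified image, makes the function return non-zero.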