check sum


mandibulate
8th May 2012, 01:08 AM
In the procedures available and the words used in communication, I am at a loss of understanding.

I did the download and did burn the image. Yes, I should have checked it before the burn.

Going into: verify download at this page: http://fedoraproject.org/en/get-fedora-options

there are these words: Once you have downloaded an ISO, verify it for security and integrity. To verify your ISO, start by downloading the proper CHECKSUM file into the same directory as the ISO:

Clicking on the appropriate link brings up an HTML page of what seems to appear to be keys.
Question: do these keys need to be placed into a plain text file, and then into the same directory as the download?

At this page: https://fedoraproject.org/en/verify
there are the words at the beginning of the verify procedure working with the command line:
Next, import Fedora's GPG key(s):


this is the suggested string: curl https://fedoraproject.org/static/fedora.gpg | gpg --import


$ curl https://fedoraproject.org/static/fedora.gpg | gpg --import
-bash: gpg: command not found
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
67 24213 67 16384 0 0 31241 0 --:--:-- --:--:-- --:--:-- 86231
curl: (23) Failed writing body (0 != 16384)


Question: is there a simple basic check sum available for the command line, and some keys to check against?
It has been a while since the last time I did a check sum, and at the time of this post I did not go back into the files and re-edit my brain cells on the procedures and commands.
But what we have here just seems a bit too much over the top and does not work.
Any suggestions or options in getting around the rock with what is available?
Thank you.

nonamedotc
8th May 2012, 03:08 AM
[ ... ]


this is the suggested string: curl https://fedoraproject.org/static/fedora.gpg | gpg --import


$ curl https://fedoraproject.org/static/fedora.gpg | gpg --import
-bash: gpg: command not found
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
67 24213 67 16384 0 0 31241 0 --:--:-- --:--:-- --:--:-- 86231
curl: (23) Failed writing body (0 != 16384)


[ ... ]



Do you have gnupg package installed? Install that using yum and this procedure will work! It is just that your gnupg package is missing which is why you are having the error.

smr54
8th May 2012, 03:34 AM

They really overcomplicate it. It's one of my pet peeves, in the category of it's far more fun to complain about it than offer to fix it.

But, seriously, Fedora seems to be the only one of hundreds of distributions that doesn't just say, here's the checksum, run this command against it.

So...

You go where you go to download it. As an example


http://mirrors.kernel.org/fedora/releases/16/Fedora/x86_64/iso/

And decide to download the install dvd

If you look at that link I just posted, there's a file with CHECKSUM in the name.
# The image checksum(s) are generated with sha256sum.

ca4b4404cbbd5c2f03dac41349b947a10e18c1a8d944c10b8aa28efe1fc7320c *Fedora-16-x86_64-DVD.iso
a51885ea0e91471beea6af2e682d778e40f34de939e3752eec5ab24e56bca80b *Fedora-16-x86_64-netinst.iso

Run the command

sha256sum Fedora-16-x86_64-DVD.iso

(in the place where you downloaded the iso file)

If the result matches, you're good. If it doesn't match, there was a problem.

I usually just check the first 4 and last 4 numbers to see if they match--I've never run into a case where those 8 digits matched and it was a bad download.

nonamedotc
8th May 2012, 04:00 AM
I totally agree. I do something similar. Sometimes, I check the keys from the website with the generated keys of the iso using meld. Most of the time, though, I just compare a part of the string!

Probably the simplest is to download the CHECKSUM file and run sha256sum -c *CHECKSUM. Nothing manual! :)

george_toolan
10th May 2012, 11:35 AM
There's a saying amongst the officers: If a job's worth doing, it's worth doing well. If it's not worth doing, give it to Rimmer.

If you download the files from an official mirror then the checksum itself might protect you from corrupted or aborted downloads, but it does not protect you against any malicious people who alter the image and give you a new checksum for the altered image.

This is why the checksum file is signed with pgp.

So if you're paranoid you have to verify the integrity of the checksum file first. This will assure that this is really an official release by the Fedora Project and nobody tampered with it afterwards ;-)
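
The order described in the last post (signature on the CHECKSUM file first, then the image hash), written out as an added example that is not part of the original thread or of Fedora's tooling. The function names are hypothetical, and it assumes Fedora's keys have already been imported into the gpg keyring and that the keyring holds no other keys.

```shell
#!/bin/sh
# Added example; the function names are hypothetical, not Fedora tooling.

# Print only the signed text of a clearsigned CHECKSUM file. Fails if gpg is
# missing, the file is unsigned, or the signature does not verify against a
# key already imported into the keyring (assumed to hold only Fedora's keys).
signed_body() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not found: install gnupg" >&2; return 2; }
    gpg --batch --decrypt "$1"
}

# Print the SHA-256 listed for exactly this file name; skip "#" comments and
# the leading "*" (binary-mode marker) that sha256sum puts before the name.
expected_sum() {
    awk -v name="$2" '
        /^#/ { next }
        NF == 2 && length($1) == 64 {
            f = $2; sub(/^\*/, "", f)
            if (f == name) { print $1; found = 1; exit }
        }
        END { exit !found }' "$1"
}

# Compare the whole 64-digit hash of the image with the listed one.
iso_matches_checksum() {
    want=$(expected_sum "$1" "$(basename "$2")") || { echo "no entry for $2" >&2; return 1; }
    have=$(sha256sum "$2" | cut -d' ' -f1)
    [ "$want" = "$have" ]
}

# Signature first, then the hash, using only the text the signature covers.
verify_iso() {
    body=$(mktemp) || return 2
    if signed_body "$1" > "$body" && iso_matches_checksum "$body" "$2"; then rc=0; else rc=1; fi
    rm -f "$body"
    return "$rc"
}

# Usage: sh verify.sh <CHECKSUM file> Fedora-16-x86_64-DVD.iso
if [ "$#" -eq 2 ]; then
    verify_iso "$1" "$2" && echo "OK: signed checksum matches $2"
fi
```

Passing the image through the text that gpg outputs, rather than the raw CHECKSUM file, means any line placed outside the signed block is never consulted.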