Installation and Live Media: Help with Installation & Live Media (Live CD, USB, DVD) problems.

18th November 2009, 02:04 PM (BillGradwohl)
Improperly formatted CHECKSUM for Fedora 12
The CHECKSUM file I downloaded for Fedora 12 contains a header line indicating the checksums are SHA1 when in fact they are SHA256.

18th November 2009, 02:16 PM
Yeah, I noticed that, so sha1sum -c or sha256sum -c doesn't work; you have to run sha256sum on each file and compare it to the CHECKSUM file manually.

18th November 2009, 02:31 PM (aleph)
The CHECKSUM file is clear-signed using GPG. SHA-1 is the algorithm used to calculate the hash value of the message, which contains the SHA-256 hash of the disk image, not the disk image itself.
I believe in nerditarianism. I read FedoraForum for the Fedora-related posts.

18th November 2009, 02:32 PM (BillGradwohl)
My post was to alert the folks who put the CHECKSUM file together to fix it, because lots of people that download it won't realize what's wrong and conclude their iso download is somehow broken when in fact it's a slip-up in the CHECKSUM file.
Simply replacing the text "SHA1" with "SHA256" in the CHECKSUM file solves the problem.

18th November 2009, 02:40 PM (aleph)
The appearance of "SHA1" before the message is automatically generated by GnuPG.
To quote the gpg manpage:
Quote:
INTEROPERABILITY
GnuPG tries to be a very flexible implementation of the OpenPGP standard. In particular, GnuPG implements many of the optional parts of the standard, such as the SHA-512 hash, and the ZLIB and BZIP2 compression algorithms. It is important to be aware that not all OpenPGP programs implement these optional algorithms and that by forcing their use via the --cipher-algo, --digest-algo, --cert-digest-algo, or --compress-algo options in GnuPG, it is possible to create a perfectly valid OpenPGP message, but one that cannot be read by the intended recipient.
Some OpenPGP software can't read anything signed using alternative digest algorithms except SHA-1, and I think that's why the devs use it. Anyway, changing the digest algorithm specification without actually changing the signature does result in a malformed message.

18th November 2009, 02:42 PM (icy-flame)
This level of sloppiness is unacceptable!
I wonder how many people like me (re)downloaded the image several times, thinking the download is corrupted, what a waste of everyone's time and bandwidth.

18th November 2009, 02:52 PM (aleph)
Quote:
Originally Posted by icy-flame
This level of sloppiness is unacceptable!
I wonder how many people like me (re)downloaded the image several times, thinking the download is corrupted, what a waste of everyone's time and bandwidth.
And why don't you just take a few minutes to learn the basics about download verification? https://fedoraproject.org/en/verify
This page is linked directly in the "Get Fedora" download page.

18th November 2009, 03:17 PM (BillGradwohl)
Misleading
I've used Fedora before there was a Fedora in name. I thought the top of the CHECKSUM file told you what the lines below were produced with. I even wrote a script years ago to run an isocheck assuming I could figure out what utility to use to run the check by looking at the top of the file.
If it said SHA1 I'd use the sha1sum utility. If it said MD5, I'd use the md5sum utility.
Apparently my analysis was wrong, but my script worked for years, but not today.
I learned something. Thank You.
BUT
How is someone supposed to know which utility to run against the iso to match it with the contents of the CHECKSUM file ? I went to https://fedoraproject.org/en/verify and read it, but without that information, the downloaded files provide no way to know what utility to use to reproduce the hashes in the CHECKSUM file.
These types of little mysteries shouldn't exist. It makes Fedora & consequently Linux less friendly to users and that's not a good thing. Something, probably the CHECKSUM file, should state how to use the CHECKSUM file by providing the instructions right in it.
Just my 2 cents.
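The following script is an added example written for this page; it is not Fedora's verification tooling and was not posted in the thread. It puts aleph's explanation above into code and answers the question of which utility to run: the "Hash: SHA1" armor header names the digest GnuPG used for the clear signature over the text (RFC 4880 section 7), while the algorithm of the checksum lines is visible from their length (40 hex digits is SHA-1, 64 is SHA-256). It also skips lines that are not in the "<HASH> <FLAG><FILENAME>" form, the way sha*sum -c does, and shows that editing the header to SHA256 without re-signing changes what a verifier hashes. The sample CHECKSUM text, the file contents and the Fedora-12-i386-netinst.iso name are constructed assumptions (Fedora-12-i386-DVD.iso is the filename a later post in the thread uses).

```python
"""Inspect a GnuPG clear-signed CHECKSUM file (added example, not Fedora's code).

Layout per RFC 4880 section 7: armor headers, blank line, signed text, signature.
All sample data below is constructed for this demonstration.
"""
import hashlib
import os
import re
import tempfile

# The hex digest length tells you which sha*sum to run on the image.
ALGO_BY_HEXLEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
# '<HASH> <FLAG><FILENAME>' as written by the sha*sum family (FLAG is ' ' or '*').
CHECKSUM_LINE = re.compile(r"^([0-9a-fA-F]+) [ *](\S.*)$")


def parse_clearsigned(text):
    """Return (armor_headers, signed_lines, signature_lines)."""
    lines = text.splitlines()
    start = lines.index("-----BEGIN PGP SIGNED MESSAGE-----")
    sig = lines.index("-----BEGIN PGP SIGNATURE-----")
    headers, i = {}, start + 1
    while lines[i]:                     # armor headers end at the first blank line
        key, _, value = lines[i].partition(": ")
        headers[key] = value
        i += 1
    return headers, lines[i + 1:sig], lines[sig:]


def signature_digest(headers, signed_lines):
    """Digest of the signed text as an OpenPGP verifier computes it.

    'Hash:' names the algorithm (MD5 if absent; first one if several are listed).
    Text is dash-unescaped, trailing spaces/tabs stripped, joined with CRLF, and
    the last line ending is dropped. A real verifier also hashes the signature's
    trailer and checks the result against the signer's key; that needs the public
    key and is not reproduced here.
    """
    algo = headers.get("Hash", "MD5").split(",")[0].strip().lower().replace("-", "")
    cleaned = [l[2:] if l.startswith("- ") else l for l in signed_lines]
    data = "\r\n".join(l.rstrip(" \t") for l in cleaned).encode("utf-8")
    return algo, hashlib.new(algo, data).hexdigest()


def checksum_entries(signed_lines):
    """Yield (algo, hexdigest, filename); skip non-matching lines like sha*sum -c."""
    for line in signed_lines:
        m = CHECKSUM_LINE.match(line)
        algo = m and ALGO_BY_HEXLEN.get(len(m.group(1)))
        if algo:
            yield algo, m.group(1).lower(), m.group(2)


def verify_files(checksum_text, directory):
    """Return {filename: 'OK' | 'FAILED' | 'MISSING'} for every checksum entry."""
    _, signed, _ = parse_clearsigned(checksum_text)
    results = {}
    for algo, expected, name in checksum_entries(signed):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
            continue
        h = hashlib.new(algo)
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 20), b""):
                h.update(chunk)
        results[name] = "OK" if h.hexdigest() == expected else "FAILED"
    return results


# Constructed sample: the netinst filename and all contents are made up here.
GOOD_IMAGE = b"constructed stand-in for a good DVD image\n"
BAD_IMAGE = b"constructed stand-in for a truncated download\n"
SAMPLE_CHECKSUM = "\n".join([
    "-----BEGIN PGP SIGNED MESSAGE-----",
    "Hash: SHA1",                       # digest used for the clear signature
    "",
    "# SHA256 checksums of the images below (free-form line, ignored by -c)",
    hashlib.sha256(GOOD_IMAGE).hexdigest() + " *Fedora-12-i386-DVD.iso",
    hashlib.sha256(GOOD_IMAGE).hexdigest() + " *Fedora-12-i386-netinst.iso",
    "-----BEGIN PGP SIGNATURE-----",
    "Version: GnuPG v1.4.10 (GNU/Linux)",
    "",
    "(signature packet omitted in this constructed sample)",
    "-----END PGP SIGNATURE-----",
]) + "\n"


def demo():
    """Run every step against the constructed sample and return a summary."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "Fedora-12-i386-DVD.iso"), "wb") as f:
            f.write(GOOD_IMAGE)
        with open(os.path.join(d, "Fedora-12-i386-netinst.iso"), "wb") as f:
            f.write(BAD_IMAGE)          # wrong content, so this one FAILs
        headers, signed, _ = parse_clearsigned(SAMPLE_CHECKSUM)
        sig_algo, sig_digest = signature_digest(headers, signed)
        # Rewriting the header to SHA256 without re-signing makes a verifier
        # hash the text with an algorithm the existing signature does not cover.
        _, edited_digest = signature_digest(dict(headers, Hash="SHA256"), signed)
        return {
            "signature_digest_algo": sig_algo,
            "checksum_line_algos": sorted({a for a, _, _ in checksum_entries(signed)}),
            "header_edit_changes_verifier_input": sig_digest != edited_digest,
            "results": verify_files(SAMPLE_CHECKSUM, d),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On a real download, feed the contents of the CHECKSUM file to verify_files and run gpg --verify on the file first: matching checksums only prove that the image matches whatever the CHECKSUM file says, and only the signature ties that file to the Fedora signing key.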

18th November 2009, 03:19 PM (scottro)
Ok, Aleph, he has a point. It was supposed to have been fixed last release. (However, there was a sticky, posted by Dan, pointing out that you should use SHA256.)
In fairness though, most people will first download, then run the checksum. It's poorly laid out, it should, according to Jesse Keating, definitely be fixed by F13. The fellow on Distrowatch made the same error, which he fixed (apparently, <modest cough>), after reading my post about it on the testing list.
My guess is that it's one of those relatively small things that slipped through the cracks, but won't next time.
Honestly, I don't think it's fair of us to say, Well read the docs before checking, or, You should have realized that there were too many numbers--shucks the human mind sees anything over 5 as many, I believe, and it's a difference of something like 50 something to 70 something numbers. (That figure could easily be wrong.)
You go to the site, you see SHA1 and that's what you run on the downloaded file. When it fails several times, you google, and THEN you see the problem.
In a perfect world, everyone should read the install docs first, but it's not going to happen, and it's a minor thing that one might skip over if looking through the install docs.
And yes, it is frustrating, and the devs realize that, and will get it fixed.
--
http://home.roadrunner.com/~computertaijutsu
Do NOT PM forum members with requests for technical support. Ask your questions on the forum.
"I don't know why there is the constant push to break any semblance of compatibility" --anon

18th November 2009, 03:50 PM (aleph)
Yeah, I was sounding too harsh. I apologize.
@BillGradwohl
Quote:
These types of little mysteries shouldn't exist. It makes Fedora & consequently Linux less friendly to users and that's not a good thing. Something, probably the CHECKSUM file, should state how to use the CHECKSUM file by providing the instructions right in it.
I guess most users simply don't bother to do any verification at all. But that's my guess. I thought the users who are tech-savvy enough to verify the image should also be tech-savvy enough to grok OpenPGP messages and at least to RTFM. I didn't notice the compatibility concern until you mentioned that the new CHECKSUM could break old scripts. Time to update those scripts along with the OS anyway.
Actually I think it's a good idea to put instructions in the CHECKSUM file itself. The sha*sum family of programs will automatically throw away anything that's not in the valid "<HASH> <FLAG><FILENAME>" format when operating in "checking" mode, so the human-readable instructions won't interfere with the programs.
@scottro
Quote:
It's poorly laid out, it should, according to Jesse Keating, definitely be fixed by F13. The fellow on Distrowatch made the same error, which he fixed (apparently, <modest cough>), after reading my post about it on the testing list.
My guess is that it's one of those relatively small things that slipped through the cracks, but won't next time.
Any info on how the devs are going to fix it?
Re-signing the message also using digest algorithm SHA256 (gpg --digest-algo SHA256 --clearsign --blahblahblah), so that they agree "by accident" and users don't notice? (IIRC that was what they did with F11)
Or putting instruction/explanation in the message itself?
Or redesign the "Get Fedora" page so that users have to read through the verification doc, complete a crash course, take a quiz, achieve a 60%+ score in 5 minutes, solve a captcha, solve a recaptcha, and *then* be presented with the randomly generated once-only download link.
Edit: And one thought... what about changing the thread title to something more appropriate? The CHECKSUM file is not "improperly formatted". It is a valid, well-formed OpenPGP message as per RFC 4880 (link: http://tools.ietf.org/html/rfc4880#section-7). Just somewhat confusing.

18th November 2009, 04:21 PM (scottro)
No, I had simpler things in mind. (I bet that you guessed that.)
Right now, the layout looks something like
BEGIN PGP SIGNED MESSAGE
HASH SHA1
Then the checksums.
So probably something more like
BEGIN PGP SIGNED MESSAGE
HASH SHA1
SHA256 Checksums (or something like that)
and then the list of checksums.
I don't think they have to go crazy over it with
Note that here, it says SHA1. Now, that could confuse you, but see, if you'd clicked the link on how to verify, you wouldn't be confused.
These are SHA256 checksums. Gotcha. Next click this (rickrolll url).
Something like that would probably be too much.
So, I think it's a simple fix, just put SHA256 in there somewhere above the checksums. Maybe even put SHA1 (for pgp signature) or something, but at any rate, a relatively simple mention.

18th November 2009, 04:47 PM (Replicant10000)
Quote:
Originally Posted by aleph
I guess most users simply don't bother to do any verification at all  But that's my guess. I thought the users who are tech-savvy enough to verify the image should also be tech-savvy enough to grok OpenPGP messages and at least to RTFM.
Hey now, I downloaded mine twice before learning the ISO needed SHA256 instead of SHA1, and I'm pretty well informed about tech matters myself.
Plus which, the "M" points people directly to SHA-1.
http://docs.fedoraproject.org/readme...ing-files.html
Quote:
Then select the SHA-1 algorithm for calculation
and it infers such at other points:
Quote:
To check the files using the command prompt, you need to download the program sha1sum.exe.
Methinks the manual itself needs to be updated too? I see that the Linux verification procedure uses the correct algorithm, but a user downloading/burning/verifying from Windows might click through and get the wrong idea.

18th November 2009, 08:46 PM (scottro)
Hrrm, apparently so, at least in the CD burning section.
However, if you go to fedora project's page and go to get Fedora, then click the verify link, it's correct.
https://fedoraproject.org/en/verify
A bug report should probably be filed. Anyone here have time?
(Not me today, I fear).
I'll make a quick post to the test list, and maybe someone can fix it.

20th November 2009, 01:49 PM (Rahul)
Hi,
There is a very bright note on top clarifying this.
https://fedoraproject.org/en/verify
Rahul
http://fedoraproject.org/wiki/RahulSundaram

20th November 2009, 07:24 PM
Anyway, I have downloaded F12 two times.
Since I got the same output of sha1sum -c -w Fedora-12-i386-DVD.iso, I just checked this forum site.
The first downloaded file was the correct one. Just wasted 3.0G.
Hmm...