Ask Your Question

# checksum questions

I am on Fedora 25 with broadband Ethernet (not WiFi), getting ready to clean install Fedora 26 Workstation. So I downloaded the Netinstall Images Fedora-Workstation-netinst-x86_64-26-1.5.iso Now I am trying to follow the checksum instruction on https://getfedora.org/en/verify

The instructions say:

The CHECKSUM file should have a good signature from one of the following keys:
64DAB85D - Fedora 26


Am I supposed to do something with the key?

What directory should the line commands in the instructions be executed from? The following commands where executed from the same directory as the Fedora-Workstation-netinst-x86_64-26-1.5.iso

My output did not say "valid". What did I do wrong?

[wolfv@localhost ~/Downloads]
$curl https://getfedora.org/static/fedora.gpg | gpg --import % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0gpg: key 81B46521: "Fedora (24) <fedora-24-primary@fedoraproject.org>" not changed gpg: key 030D5AED: "Fedora Secondary (24) <fedora-24-secondary@fedoraproject.org>" not changed gpg: key FDB19C98: "Fedora 25 Primary (25) <fedora-25-primary@fedoraproject.org>" not changed gpg: key E372E838: "Fedora 25 Secondary (25) <fedora-25-secondary@fedoraproject.org>" not changed 100 18521 100 18521 0 0 29196 0 --:--:-- --:--:-- --:--:-- 29166 gpg: key 64DAB85D: "Fedora 26 Primary (26) <fedora-26-primary@fedoraproject.org>" not changed gpg: key 3B921D09: "Fedora 26 Secondary (26) <fedora-26-secondary@fedoraproject.org>" not changed gpg: key F5282EE4: "Fedora 27 (27) <fedora-27@fedoraproject.org>" not changed gpg: key 0608B895: "EPEL (6) <epel@fedoraproject.org>" not changed gpg: key 352C64E5: "Fedora EPEL (7) <epel@fedoraproject.org>" not changed gpg: Total number processed: 9 gpg: unchanged: 9 [wolfv@localhost ~/Downloads]$ gpg --verify-files *-CHECKSUM
gpg: Signature made Fri 07 Jul 2017 09:13:31 AM MDT using RSA key ID 64DAB85D
gpg: lookup_hashtable failed: eof
gpg: Good signature from "Fedora 26 Primary (26) <fedora-26-primary@fedoraproject.org>"
gpg: lookup_hashtable failed: eof
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: E641 850B 77DF 4353 78D1  D7E2 812A 6B4B 64DA B85D
[wolfv@localhost ~/Downloads]
$sha256sum -c *-CHECKSUM Fedora-Workstation-netinst-x86_64-26-1.5.iso: OK sha256sum: Fedora-Workstation-Live-x86_64-26-1.5.iso: No such file or directory Fedora-Workstation-Live-x86_64-26-1.5.iso: FAILED open or read sha256sum: Fedora-Workstation-ostree-x86_64-26-1.5.iso: No such file or directory Fedora-Workstation-ostree-x86_64-26-1.5.iso: FAILED open or read sha256sum: WARNING: 19 lines are improperly formatted sha256sum: WARNING: 2 listed files could not be read  edit retag close merge delete ## 1 Answer Sort by » oldest newest most voted The CHECKSUM file should have a good signature from one of the following keys: 64DAB85D - Fedora 26  Use this information when running the gpg --verify-files. $ gpg --verify-files *-CHECKSUM
gpg: Signature made Fri 07 Jul 2017 09:13:31 AM MDT using RSA key ID 64DAB85D


Notice the value 64DAB85D is the same.

What this means is that the CHECKSUM file has been signed by whoever owns the key with this signature. So if it has been signed by a certificate with a different ID, you got the wrong iso file.

You did nothing wrong. The CHECKSUM file is validated and OK. Your .iso file is also valid and OK. The CHECKSUM files contains checksums for other files you did not download; and that is why you some error messages about not able to open them. This is not a problem.

more

## Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

## Stats

Asked: 2017-07-15 08:47:53 -0500

Seen: 370 times

Last updated: Jul 15 '17