В Втр, 28/02/2012 в 16:06 +0100, Horvath Andras пишет: > On Tue, 28 Feb 2012 13:25:54 +0000 > David Crick <[email protected]> wrote: > > > Signed SHA*SUMs did briefly appear on the main and > > mirror download sites for the installation ISOs. > > > > However, once the Live ISOs were uploaded, its > > (unsigned) SHA*SUMs were merged with the install > > ISOs' SHA*SUMs, and replaced with a single UNsigned > > file. > > > > I did retrieve a copy of the signed SHA256SUM file > > for the install ISOs before it was replaced, and include > > it below. The sha256sum hashes match the hashes > > that are in the replacement unsigned files, and the > > digital signature on the signed file included below did > > verify. (My mailer and/or this mailing list may mangle > > the below file - there should be NO line breaks between > > the end of the sha256sum, which is followed my two > > spaces, and then the ISO file name.) > > > > David. > > > > -----BEGIN PGP SIGNED MESSAGE----- > > Hash: SHA1 > > > > 13dc08249d0c1e7885a9f304e6ae510737112bcf593e875a71b81feff1fd37a1 > > SL-62-x86_64-2012-02-06-Everything-DVD1.iso > > 5a039a53d8cba4b972c720ba58865b47656d6c1aa80b44b83aeb046983df92f0 > > SL-62-x86_64-2012-02-06-Everything-DVD2.iso > > d41c280f46c6239619384170df74639c19813a4a86f011fa6f15e546e8874279 > > SL-62-x86_64-2012-02-06-boot.iso > > 48b6af8d71c272591cea37c99e7c67d310b352ef00a5d4ac2b2563fbb90a2f9b > > SL-62-x86_64-2012-02-06-Install-DVD.iso > > -----BEGIN PGP SIGNATURE----- > > Version: GnuPG v2.0.14 (GNU/Linux) > > > > iEYEARECAAYFAk8xQx8ACgkQsLQYPxkqfX1e8QCeMsza0Udokn050GFaMOhnUT9x > > DlYAn2ny/nM05iA8EDPhxEOHEHkwu2uo > > =ImgV > > -----END PGP SIGNATURE----- > > Thank you very much for the signed hash, I could successfully extract it > and check the signature! > > So you're saying that it is common that the developers sign the SHASUM > files? And now the files got overwritten? Could this be an accident > then? > > As I saw, the Live .iso files get updated from time to time, so it > would be practical to always have signed hash files.
Actually, checksums already implanted into images and can be verified by checkisomd5 utility. SHASUM is a some kind of checksum-bonus. > I'm not familiar with the whole process, I've been using SL only for a > couple of months now (gratefully thanks to the devs!), excuse any of my > inconvenient questions! > > Andras
