Date: Tue, 05 Apr 2016 17:32:11 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-doc@FreeBSD.org
Subject: [Bug 208542] Signature file contains incorrect hash type description
Message-ID: <bug-208542-9-VMTvoqI3WU@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-208542-9@https.bugs.freebsd.org/bugzilla/>
References: <bug-208542-9@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=208542

Benjamin Kaduk <bjk@FreeBSD.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bjk@FreeBSD.org
         Resolution|---                         |Not A Bug
             Status|New                         |Closed

--- Comment #1 from Benjamin Kaduk <bjk@FreeBSD.org> ---
That is the hash used in the PGP signature process; it is unrelated to the
hash used to generate the content that is being signed.

That is, there is a file that you want to authenticate (the .iso image or
similar); call that file "large". The signature file is generated by
computing SHA256(large) and storing to another file; call it "CHECKSUM".
Then, gnupg is used to sign the file CHECKSUM, producing a file with the
content and a signature over the other content, call it "CHECKSUM.asc".
CHECKSUM.asc contains some metadata describing the way in which the PGP
signature was generated. That is a different step than performing
sha256(large).

You should be able to
"gpg --verify CHECKSUM.SHA256-FreeBSD-10.3-RELEASE-amd64.asc" (if you have
the appropriate key in your keyring) to verify the GPG signature, and then
compare the SHA256sum contained in the file you verified against the
SHA256sum of the file you downloaded.

-- 
You are receiving this mail because:
You are the assignee for the bug.
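
The two hashes described in the comment above, separated in code. This is an added example, not part of the original message or of FreeBSD's tooling; it assumes the OpenPGP cleartext `Hash:` armor header and BSD-style `SHA256 (name) = hex` lines, and the sample text, its `SHA512` value and the file names are constructed. It does not check the signature, so it is meant for a CHECKSUM.asc that `gpg --verify` has already accepted.

```python
import hashlib
import re

# BSD-style digest line as written by sha256(1): "SHA256 (name) = hex" (assumed format)
DIGEST_LINE = re.compile(r"^SHA256 \((?P<name>.+)\) = (?P<hex>[0-9a-f]{64})$")

def parse_clearsigned(text):
    """Return (signature_hash, {filename: sha256}) from cleartext-signed text."""
    lines = text.splitlines()
    start = lines.index("-----BEGIN PGP SIGNED MESSAGE-----")
    end = lines.index("-----BEGIN PGP SIGNATURE-----")
    blank = lines.index("", start)  # armor headers end at the first empty line
    if blank > end:
        raise ValueError("no blank line after the armor headers")
    sig_hash = None
    for header in lines[start + 1:blank]:
        key, _, value = header.partition(": ")
        if key == "Hash":
            sig_hash = value  # digest GnuPG used to sign CHECKSUM, not the image
    digests = {}
    for line in lines[blank + 1:end]:
        if line.startswith("- "):  # undo OpenPGP dash-escaping
            line = line[2:]
        m = DIGEST_LINE.match(line)
        if m:
            digests[m["name"]] = m["hex"]  # SHA256(large), the signed content
    return sig_hash, digests

def image_matches(path, name, digests, chunk=1 << 20):
    """True only if name is listed and the file at path has that SHA256."""
    expected = digests.get(name)
    if expected is None:
        return False
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest() == expected

def constructed_sample(name, data):
    """Constructed CHECKSUM.asc-shaped text; the signature body is omitted."""
    return "\n".join([
        "-----BEGIN PGP SIGNED MESSAGE-----",
        "Hash: SHA512",  # constructed value
        "",
        f"SHA256 ({name}) = {hashlib.sha256(data).hexdigest()}",
        "-----BEGIN PGP SIGNATURE-----",
        "-----END PGP SIGNATURE-----",
    ])
```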
