Date: Tue, 05 Apr 2016 17:32:11 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-doc@FreeBSD.org
Subject: [Bug 208542] Signature file contains incorrect hash type description
Message-ID: <bug-208542-9-VMTvoqI3WU@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-208542-9@https.bugs.freebsd.org/bugzilla/>
References: <bug-208542-9@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=208542

Benjamin Kaduk <bjk@FreeBSD.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bjk@FreeBSD.org
         Resolution|---                         |Not A Bug
             Status|New                         |Closed

--- Comment #1 from Benjamin Kaduk <bjk@FreeBSD.org> ---
That is the hash used in the PGP signature process; it is unrelated to the
hash used to generate the content that is being signed.

That is, there is a file that you want to authenticate (the .iso image or
similar); call that file "large". The signature file is generated by
computing SHA256(large) and storing to another file; call it "CHECKSUM".
Then, gnupg is used to sign the file CHECKSUM, producing a file with the
content and a signature over the other content, call it "CHECKSUM.asc".

CHECKSUM.asc contains some metadata describing the way in which the PGP
signature was generated. That is a different step than performing
sha256(large).

You should be able to
"gpg --verify CHECKSUM.SHA256-FreeBSD-10.3-RELEASE-amd64.asc" (if you have
the appropriate key in your keyring) to verify the GPG signature, and then
compare the SHA256sum contained in the file you verified against the
SHA256sum of the file you downloaded.

-- 
You are receiving this mail because:
You are the assignee for the bug.
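
The two steps described in the message above, as an added shell example that is not part of the original e-mail or of FreeBSD's own tooling. It assumes the signing key is already in the keyring and that the signed file uses BSD-style `SHA256 (name) = digest` lines; the function names are hypothetical.

```shell
#!/bin/sh
# Step 1: check the PGP signature and keep only the signed content.
# The "Hash:" line inside the .asc names the digest used by this step only.
# --decrypt on a clearsigned file verifies it and writes the signed text;
# the output is deleted if gpg reports a failure (bad signature, missing key).
extract_verified_checksums() {
    asc=$1 out=$2
    gpg --batch --yes --output "$out" --decrypt "$asc" || { rm -f "$out"; return 1; }
}

# Step 2a: look up the SHA256 recorded for one file in the verified content.
# Assumed line format: SHA256 (name) = hexdigest
expected_sha256() {
    awk -v n="$2" '$1 == "SHA256" && $2 == "(" n ")" && $3 == "=" { print $4; exit }' "$1"
}

# Step 2b: compute the SHA256 of the downloaded file.
actual_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        sha256 -q "$1"    # FreeBSD base system tool
    fi
}

# Step 2c: compare. Returns 0 on match, 1 on mismatch, 2 if no entry exists.
check_image() {
    want=$(expected_sha256 "$1" "$(basename "$2")")
    [ -n "$want" ] || { echo "no SHA256 entry for $2" >&2; return 2; }
    have=$(actual_sha256 "$2")
    [ "$want" = "$have" ] || { echo "SHA256 mismatch for $2" >&2; return 1; }
}

# Typical use (file names are placeholders):
#   extract_verified_checksums CHECKSUM.asc CHECKSUM.verified &&
#   check_image CHECKSUM.verified large.iso
```

Comparing against the output of step 1, rather than against the text of the .asc file itself, ensures the digest being compared is one the signature actually covers.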