[Bug 208542] Signature file contains incorrect hash type description

bugzilla-noreply at freebsd.org
Tue Apr 5 17:32:11 UTC 2016


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=208542

Benjamin Kaduk <bjk at FreeBSD.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bjk at FreeBSD.org
         Resolution|---                         |Not A Bug
             Status|New                         |Closed

--- Comment #1 from Benjamin Kaduk <bjk at FreeBSD.org> ---
That is the hash used in the PGP signature process; it is unrelated to the hash
used to generate the content that is being signed.


That is, there is a file that you want to authenticate (the .iso image or
similar); call that file "large".  The signature file is generated by computing
SHA256(large) and storing to another file; call it "CHECKSUM".  Then, gnupg is
used to sign the file CHECKSUM, producing a file with the content and a
signature over the other content, call it "CHECKSUM.asc".  CHECKSUM.asc
contains some metadata describing the way in which the PGP signature was
generated.  That is a different step than performing sha256(large).

You should be able to "gpg --verify
CHECKSUM.SHA256-FreeBSD-10.3-RELEASE-amd64.asc" (if you have the appropriate
key in your keyring) to verify the GPG signature, and then compare the
SHA256sum contained in the file you verified against the SHA256sum of the file
you downloaded.

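The two-step check described in the comment above, as an added example that is not part of the bug report or of FreeBSD's own tooling. Step 1 lets gpg check the OpenPGP signature over the checksum file (the "Hash:" header gpg reports there belongs to the signature, not to the checksums inside). Step 2 reads the `SHA256 (name) = digest` lines from the now-verified file, recomputes SHA-256 over each listed file and compares. The file and image names are assumptions modelled on the names in the comment; the digest tool is picked at run time so the script works on FreeBSD (`sha256`) and Linux (`sha256sum`) alike.

```shell
#!/bin/sh
# Added example, not from the bug report: verify the PGP signature over a
# FreeBSD CHECKSUM.SHA256-*.asc file, then compare the SHA-256 digests it
# records against the downloaded images. File names are assumptions.

# Print the lowercase hex SHA-256 of a file using whichever tool exists
# (sha256sum on Linux, sha256 on FreeBSD, openssl as a last resort).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# Step 1: check the OpenPGP signature on the clearsigned checksum file.
# The algorithm gpg names here (e.g. SHA512) is the signature hash and says
# nothing about the SHA256 checksums carried inside the file.
verify_signature() {
    gpg --verify "$1"
}

# Step 2: parse lines of the form
#   SHA256 (FreeBSD-10.3-RELEASE-amd64-disc1.iso) = <64 hex chars>
# from the signature-verified file and compare each recorded digest with the
# digest of the matching file under $2 (default: current directory).
# Returns 0 only if every listed file is present and its digest matches.
verify_checksums() {
    checksum_file=$1
    dir=${2:-.}
    status=0
    while IFS= read -r line; do
        # Skip PGP armor, "Hash:" header and anything else that is not a digest line.
        case $line in
            "SHA256 ("*") = "*) ;;
            *) continue ;;
        esac
        name=${line#"SHA256 ("}
        name=${name%%") = "*}
        expected=${line##*" = "}
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name"; status=1; continue
        fi
        actual=$(sha256_of "$dir/$name")
        if [ "$actual" = "$expected" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name"; status=1
        fi
    done < "$checksum_file"
    return $status
}

# Usage, both steps in order (assumed file name from the comment):
#   f=CHECKSUM.SHA256-FreeBSD-10.3-RELEASE-amd64.asc
#   verify_signature "$f" && verify_checksums "$f"
```

Running the signature check first matters: a checksum file that has not been verified could itself have been replaced alongside the image, so the digest comparison only proves integrity once gpg has tied the file to the release signing key in your keyring.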