Not able to verify authenticity of an ISO image of Fedora Linux

Hi All,

I am trying to verify the authenticity of a Fedora ISO file.
They mentioned the steps here

I followed the same steps:

Getting this error.

Usually, for other distros' ISO verification, we download the public signing keys and use gpg --verify to check the file.

But this seems different. Not sure where I am making the mistake.
Please help me to verify the authenticity of the CHECKSUM file I received along with ISO.

Base machine: Arch Linux
gpg version: 2.2.41

It looks like either the fedora.gpg file or the Fedora-Spins-39-1.5-x86_64-CHECKSUM file was not downloaded correctly. Please download both files again and then try once more.

This is the output I got when I tried it on my machine:

$ mkdir fedora
$ cd fedora
$ curl -L -O 'https://download.fedoraproject.org/pub/fedora/linux/releases/39/Spins/x86_64/iso/Fedora-Sway-Live-x86_64-39-1.5.iso'
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100 1420M  100 1420M    0     0  47.7M      0  0:00:29  0:00:29 --:--:-- 50.7M
$ curl -L -O 'https://download.fedoraproject.org/pub/fedora/linux/releases/39/Spins/x86_64/iso/Fedora-Spins-39-1.5-x86_64-CHECKSUM'
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100  2562  100  2562    0     0   1236      0  0:00:02  0:00:02 --:--:--  2257
$ curl -L -O 'https://fedoraproject.org/fedora.gpg'
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  7032  100  7032    0     0  12060      0 --:--:-- --:--:-- --:--:-- 12082
$ gpgv --keyring ./fedora.gpg Fedora-Spins-39-1.5-x86_64-CHECKSUM
gpgv: Signature made Friday 03 November 2023 03:53:24 PM CET
gpgv:                using RSA key E8F23996F23218640CB44CBE75CF5AC418B8E74C
gpgv: Good signature from "Fedora (39) <fedora-39-primary@fedoraproject.org>"
$ sha256sum -c Fedora-Spins-39-1.5-x86_64-CHECKSUM 2>/dev/null | grep Sway
Fedora-Sway-Live-x86_64-39-1.5.iso: OK
$

Thanks @mohan43u for spending your time on checking this.
I will try downloading them again and check.

Last time I downloaded the spin from the alt downloads via torrent.

Will try again and update here.

I downloaded again via torrent but still got the same error.

[Fedora-Sway-Live-x86_64-39]  ls
fedora.gpg
Fedora-Spins-39-1.5-x86_64-CHECKSUM
Fedora-Sway-Live-x86_64-39-1.5.iso
[Fedora-Sway-Live-x86_64-39]  gpgv --keyring ./fedora.gpg Fedora-Spins-39-1.5-x86_64-CHECKSUM
gpgv: no valid OpenPGP data found.
gpgv: the signature could not be verified.
Please remember that the signature file (.sig or .asc)
should be the first file given on the command line.

But when I downloaded them with curl as you did, it worked fine.

[fedora]  curl -L -O "https://download.fedoraproject.org/pub/fedora/linux/releases/39/Spins/x86_64/iso/Fedora-Sway-Live-x86_64-39-1.5.iso"
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  100 1420M    0     0  5491k      0  0:04:24  0:04:24 --:--:-- 5962k
[fedora]  curl -L -O "https://download.fedoraproject.org/pub/fedora/linux/releases/39/Spins/x86_64/iso/Fedora-Spins-39-1.5-x86_64-CHECKSUM"
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:--  0:00:01 --:--:--     0
100  2562  100  2562    0     0    971      0  0:00:02  0:00:02 --:--:--  2941
[fedora]  curl -O https://fedoraproject.org/fedora.gpg
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  7032  100  7032    0     0   8586      0 --:--:-- --:--:-- --:--:--  8586
[fedora]  ls
fedora.gpg  Fedora-Spins-39-1.5-x86_64-CHECKSUM  Fedora-Sway-Live-x86_64-39-1.5.iso
[fedora]  gpgv --keyring ./fedora.gpg Fedora-Spins-39-1.5-x86_64-CHECKSUM
gpgv: Signature made Fri 03 Nov 2023 08:23:24 PM IST
gpgv:                using RSA key E8F23996F23218640CB44CBE75CF5AC418B8E74C
gpgv: Good signature from "Fedora (39) <fedora-39-primary@fedoraproject.org>"
[fedora] 

I don't know why the torrent download is like this. The internet connectivity didn't drop in between.
I downloaded the Linux Mint ISO via torrent only, but it got verified correctly.

Maybe an issue in my torrent client or an issue in the torrent file.

Thank you very much @mohan43u for suggesting the curl method fix.

Investigation Findings

When I compared the sizes of the curl-downloaded and torrent-downloaded files,
I see the torrent checksum file is smaller (1680 bytes), but the curl output has 2562 bytes.

[fedora]  ls -l
total 1454536
-rw-r--r-- 1 paramesh paramesh       7032 Dec  9 07:55 fedora.gpg
-rw-r--r-- 1 paramesh paramesh       2562 Dec  9 07:54 Fedora-Spins-39-1.5-x86_64-CHECKSUM
-rw-r--r-- 1 paramesh paramesh 1489426432 Dec  9 07:52 Fedora-Sway-Live-x86_64-39-1.5.iso
[fedora]  ls -l ../Fedora-Sway-Live-x86_64-39/
total 1454536
-rw-r--r-- 1 paramesh paramesh       7032 Dec  9 07:43 fedora.gpg
-rw-r--r-- 1 paramesh paramesh       1680 Dec  9 07:21 Fedora-Spins-39-1.5-x86_64-CHECKSUM
-rw-r--r-- 1 paramesh paramesh 1489426432 Dec  9 07:26 Fedora-Sway-Live-x86_64-39-1.5.iso

So I checked the contents.

The torrent checksum file only contains the checksum values and doesn't have a signature,
whereas the curl-downloaded file contained the checksum values with the signature attached at the end.

I think they followed the attached and detached signature file architecture, but forgot to add the .sig file to the torrent contents.

For newbies like me who are hearing about attached and detached signatures for the first time, please check out this blog post from Red Hat.

So this is why gpgv cannot detect any signature in the torrent-downloaded version,
and keeps displaying the syntax error saying a .sig file should be given first.
:yum:

Thanks to Fedora and @mohan43u for teaching me new stuff today!

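The failure traced in this thread (an unsigned CHECKSUM file handed to gpgv, which then complains about a missing .sig file) can be caught before gpgv runs. The POSIX shell script below is an added example written for this page; it is not code from the thread, from mohan43u, or from the Fedora project. It assumes the CHECKSUM layout seen in the 2562-byte curl download: a clearsigned message whose digest lines have the form `SHA256 (name) = hex`, and that `gpgv`, `sha256sum` and `grep` are installed. The function names `checksum_kind`, `iso_digest_matches` and `verify_fedora_iso` are my own.

```shell
#!/bin/sh
# Added example, not part of the original thread or of Fedora's tooling.
# Three checks around the commands used in the thread:
#   checksum_kind       - does the CHECKSUM file carry an inline (clearsign) signature?
#   iso_digest_matches  - does the ISO's SHA-256 match the line listed for it?
#   verify_fedora_iso   - refuse unsigned CHECKSUM files, then gpgv, then the digest.
# Assumes Fedora's layout: digest lines "SHA256 (name) = hex" inside a
# clearsigned message, as in the 2562-byte curl download above.

# Print "clearsigned" when both armor headers of an inline signature are
# present, "unsigned" otherwise (the 1680-byte torrent copy is "unsigned").
checksum_kind() {
    if grep -q '^-----BEGIN PGP SIGNED MESSAGE-----' "$1" &&
       grep -q '^-----BEGIN PGP SIGNATURE-----' "$1"; then
        echo clearsigned
    else
        echo unsigned
    fi
}

# Compare the ISO's actual SHA-256 with the digest listed for its basename.
# Exit status: 0 match, 1 mismatch, 2 when the ISO is not listed at all.
iso_digest_matches() {
    checksum_file=$1
    iso=$2
    name=$(basename "$iso")
    line=$(grep -F "SHA256 ($name) = " "$checksum_file") || return 2
    expected=${line##*= }
    actual=$(sha256sum "$iso" | cut -d' ' -f1)
    [ "$expected" = "$actual" ]
}

# Full check: signature presence, signature validity (gpgv against the
# downloaded keyring), then the digest. Any failure stops the chain, so a
# digest is never trusted from a CHECKSUM file whose signature did not verify.
verify_fedora_iso() {
    keyring=$1
    checksum_file=$2
    iso=$3
    if [ "$(checksum_kind "$checksum_file")" = unsigned ]; then
        echo "$checksum_file has no inline PGP signature; fetch the signed CHECKSUM" >&2
        return 1
    fi
    gpgv --keyring "$keyring" "$checksum_file" || return 1
    iso_digest_matches "$checksum_file" "$iso"
}

# Usage with the filenames from the thread:
#   verify_fedora_iso ./fedora.gpg Fedora-Spins-39-1.5-x86_64-CHECKSUM Fedora-Sway-Live-x86_64-39-1.5.iso
```

Running `sha256sum -c` on the unsigned torrent copy would still report `OK`, which is exactly why the signature check has to come first: the digest only proves the ISO matches the CHECKSUM file, and only the signature proves the CHECKSUM file came from Fedora.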