Bug 1485017
| Summary: | Fingerprint of key used to sign Fedora-Workstation-26-1.5-x86_64-CHECKSUM is output with an extra space between groups | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | fropeter |
| Component: | fedora-repos | Assignee: | Dennis Gilmore <dennis> |
| Status: | CLOSED UPSTREAM | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 26 | CC: | dennis, kellin, kevin, mboddu, pbrobinson |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2017-08-26 19:02:08 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
I've filed https://pagure.io/fedora-websites/issue/707 for the websites team to look at this. Please do follow along there for their solution. Thanks for reporting! |
Description of problem: First: I suspect that this is not an issue to worry about, but to be absolutely shure, I'm reporting this. Second: This might be an error in gpg; I would like this to be decided by someone who has more knowledge about keys, deployment and such matters. Running gpg --verify-files *-CHECKSUM on Fedora-Workstation-netinst-x86_64-26-1.5.iso succeeds. However, the key used is reported to have a fingerprint that differs from what it should be by an extra space character between two groups of characters. The key was downloaded with curl https://getfedora.org/static/fedora.gpg | gpg --import Version-Release number of selected component (if applicable): Fedora-Workstation-netinst-x86_64-26-1.5.iso Fedora-Workstation-26-1.5-x86_64-CHECKSUM How reproducible: This is run on Fedora 24, no updates available. (I know it's EOL, but I don't think that is relevant unless this is a gpg bug that is fixed in later versions. I couldn't find any bug reports relevant to this.) Steps to Reproduce: 1. $ LANG=en gpg --verify-files *-CHECKSUM gpg: Signature made Fri Jul 7 17:13:31 2017 CEST using RSA key ID 64DAB85D gpg: Good signature from "Fedora 26 Primary (26) <fedora-26-primary>" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: E641 850B 77DF 4353 78D1 D7E2 812A 6B4B 64DA B85D $ 2. Compare fingerprint to Fedora 26 primary fingerprint on website at https://getfedora.org/en/keys/ Actual results: E641 850B 77DF 4353 78D1 D7E2 812A 6B4B 64DA B85D ^ Extra space here Expected results: E641 850B 77DF 4353 78D1 D7E2 812A 6B4B 64DA B85D Additional info: I believe that the spaces are just for readability, and that they are not included in the actual fingerprints. Still, with keys being as important as they are, any confusion regarding their validity should be removed.