For current Rawhide releases like the F12 Alpha Test Compose: http://alt.fedoraproject.org/pub/alt/stage/12-Alpha-TC/ there are some CHECKSUM files along the ISO images. The problem is that the checksum type (md5, sha1, sha256, etc) is not mentioned inside the checksum file as a comment nor in the checksum filename (like "xxx-checksum.sha256" or likewise). This way the user has to guess what checksum algorithm to use for checking the image and also is not able to verify it in case the downloaded file is broken (because the checksum doesn't match, but you don't know if the file is downloaded wrong or you just tried wrong checksum algorithm). Please provide the checksum type information inside the file or in the filename. For example in a similar way you do it for official Fedora releases: http://mirror.karneval.cz/pub/linux/fedora/linux/releases/11/Fedora/x86_64/iso/Fedora-11-x86_64-CHECKSUM
Hello, the Fedora 12 (Alpha) ISO image checksum files contain the type of checksum now. However, the hint says: Hash: SHA1 while the checksum used seems to be SHA256 (like e.g. for Fedora 11 as linked from the original bug description). I have verified the following 2 files available from: http://download.fedoraproject.org/pub/fedora/linux/releases/test/12-Alpha/Fedora/i386/iso/ using sha256sum: 219778f65cb1f897f992d87715cbe83f17255fa184ef6e1571584b9bb9160521 Fedora-12-Alpha-i386-DVD.iso 06d33ed79091a19e1504233c79888966c569b8677d22d174ab5c403681090899 Fedora-12-Alpha-i386-netinst.iso and I expect the same applies to all other Fedora 12 ISO image checksums according e.g. to the length of the hash strings.
This is due to a bug in our new signing server which is signing with sha1 instead of sha256. I'm working to fix that.
Got bitten by this today (Fedora 12 Alpha DVD image). Had to search and read forum posts to figure out the sha256sum command.
This bug appears to have been reported against 'rawhide' during the Fedora 12 development cycle. Changing version to '12'. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Unfortunately this problem appears even in final Fedora 12 release. In CHECKSUM files there is a line "Hash: SHA1" while all the hashes are SHA256 (tried for amd64).
Changing the file names to "something.sha256" would be an easy fix ? Or adding text at the beginning of signed content, stating the following were sha256 hashes, would give enough warning. There are many people who redownloaded the images because of this hash issue. A few easy solutions would save everyone's time and bandwidth of users & mirrors.
Yes, the CHECKSUM file content is totally misleading. The truth is: 1. .iso files are checksummed with SHA256. 2. "Hash: SHA1" applies to PGP signature. But: current situation is absolutely counter-intuitive. How can one deduce that algorythm is SHA256 instead of previously-familiar MD5 or SHA1? (Yes, that IS mentioned in https://fedoraproject.org/verify, but, honestly, how many people do know they have to read it?) Obviously there should be a comment about checksum type IN THE CHECKSUM FILE ITSELF. (And, even better, the file could mention the "sha256sum" command itself.)
BTW, root of the problem is absence of type-tags in hashes. If md5sum/sha1sum/sha256sum utilities could prefixed the checksums with "md5:", "sha1:", "sha256:" etc., any possibilities for confusion will be eleminated entirely.
I change the bug version back to rawhide. The same problem (unknown checksum type) applies also for F13 Alpha Test Compose: http://alt.fedoraproject.org/pub/alt/stage/13-Alpha.TC1/Fedora/x86_64/iso/
There are now two informative comments in the *-CHECKSUM files. # The image checksum(s) are generated with sha256sum. # The PGP checksum uses sha1sum. Thanks, Jesse! http://fedoraproject.org/get-prerelease?anF13a
This bug appears to have been reported against 'rawhide' during the Fedora 13 development cycle. Changing version to '13'. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
pungi-2.0.21-1.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/pungi-2.0.21-1.fc13
pungi-2.0.21-1.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update pungi'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/pungi-2.0.21-1.fc13
pungi-2.0.21-1.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.