Bug 515715 - Checksum type not mentioned for Rawhide image releases
Checksum type not mentioned for Rawhide image releases
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: distribution (Show other bugs)
13
All Linux
low Severity medium
: ---
: ---
Assigned To: David Cantrell
Bill Nottingham
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2009-08-05 09:22 EDT by Kamil Páral
Modified: 2014-03-16 23:19 EDT (History)
7 users (show)

See Also:
Fixed In Version: pungi-2.0.21-1.fc13
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-05-04 02:15:35 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Kamil Páral 2009-08-05 09:22:41 EDT
For current Rawhide releases like the F12 Alpha Test Compose:
http://alt.fedoraproject.org/pub/alt/stage/12-Alpha-TC/
there are some CHECKSUM files along the ISO images. The problem is that the checksum type (md5, sha1, sha256, etc) is not mentioned inside the checksum file as a comment nor in the checksum filename (like "xxx-checksum.sha256" or likewise). This way the user has to guess what checksum algorithm to use for checking the image and also is not able to verify it in case the downloaded file is broken (because the checksum doesn't match, but you don't know if the file is downloaded wrong or you just tried wrong checksum algorithm).

Please provide the checksum type information inside the file or in the filename. For example in a similar way you do it for official Fedora releases:
http://mirror.karneval.cz/pub/linux/fedora/linux/releases/11/Fedora/x86_64/iso/Fedora-11-x86_64-CHECKSUM
Comment 1 Vlastimil Stein 2009-09-02 18:27:37 EDT
Hello,
the Fedora 12 (Alpha) ISO image checksum files contain the type of checksum now.
However, the hint says:
Hash: SHA1

while the checksum used seems to be SHA256 (like e.g. for Fedora 11 as linked from the original bug description).

I have verified the following 2 files available from:
http://download.fedoraproject.org/pub/fedora/linux/releases/test/12-Alpha/Fedora/i386/iso/

using sha256sum:
219778f65cb1f897f992d87715cbe83f17255fa184ef6e1571584b9bb9160521 Fedora-12-Alpha-i386-DVD.iso
06d33ed79091a19e1504233c79888966c569b8677d22d174ab5c403681090899  Fedora-12-Alpha-i386-netinst.iso

and I expect the same applies to all other Fedora 12 ISO image checksums
according e.g. to the length of the hash strings.
Comment 2 Jesse Keating 2009-09-09 17:03:39 EDT
This is due to a bug in our new signing server which is signing with sha1 instead of sha256.  I'm working to fix that.
Comment 3 Syam 2009-10-10 23:33:21 EDT
Got bitten by this today (Fedora 12 Alpha DVD image). Had to search and read forum posts to figure out the sha256sum command.
Comment 4 Bug Zapper 2009-11-16 06:15:32 EST
This bug appears to have been reported against 'rawhide' during the Fedora 12 development cycle.
Changing version to '12'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 5 Kamil Páral 2009-11-18 02:41:45 EST
Unfortunately this problem appears even in final Fedora 12 release. In CHECKSUM files there is a line "Hash: SHA1" while all the hashes are SHA256 (tried for amd64).
Comment 6 Anonymous account 2009-11-22 09:55:59 EST
Changing the file names to "something.sha256" would be an easy fix ?

Or adding text at the beginning of signed content, stating the following were sha256 hashes, would give enough warning. There are many people who redownloaded the images because of this hash issue. A few easy solutions would save everyone's time and bandwidth of users & mirrors.
Comment 7 Dmitry Bolkhovityanov 2009-11-29 05:35:58 EST
Yes, the CHECKSUM file content is totally misleading.

The truth is: 
1. .iso files are checksummed with SHA256.
2. "Hash: SHA1" applies to PGP signature.

But: current situation is absolutely counter-intuitive.  How can one deduce that algorythm is SHA256 instead of previously-familiar MD5 or SHA1?  (Yes, that IS mentioned in https://fedoraproject.org/verify, but, honestly, how many people do know they have to read it?)

Obviously there should be a comment about checksum type IN THE CHECKSUM FILE ITSELF.
(And, even better, the file could mention the "sha256sum" command itself.)
Comment 8 Dmitry Bolkhovityanov 2009-11-29 23:36:17 EST
BTW, root of the problem is absence of type-tags in hashes.
If md5sum/sha1sum/sha256sum utilities could prefixed the checksums with "md5:", "sha1:", "sha256:" etc., any possibilities for confusion will be eleminated entirely.
Comment 9 Kamil Páral 2010-02-12 04:43:57 EST
I change the bug version back to rawhide. The same problem (unknown checksum type) applies also for F13 Alpha Test Compose:
http://alt.fedoraproject.org/pub/alt/stage/13-Alpha.TC1/Fedora/x86_64/iso/
Comment 10 Steve Tyler 2010-03-10 11:22:04 EST
There are now two informative comments in the *-CHECKSUM files.

# The image checksum(s) are generated with sha256sum.
# The PGP checksum uses sha1sum.

Thanks, Jesse!

http://fedoraproject.org/get-prerelease?anF13a
Comment 11 Bug Zapper 2010-03-15 08:44:53 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 13 development cycle.
Changing version to '13'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 12 Fedora Update System 2010-04-14 19:36:38 EDT
pungi-2.0.21-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/pungi-2.0.21-1.fc13
Comment 13 Fedora Update System 2010-04-16 19:42:48 EDT
pungi-2.0.21-1.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update pungi'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/pungi-2.0.21-1.fc13
Comment 14 Fedora Update System 2010-05-04 02:15:29 EDT
pungi-2.0.21-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.