Description of problem: I am trying to bootstrap a Fedora installation from Windows. I would like to offer the following feedback based on my experience. 1. It would be much more convenient if there were a Windows utility for computing checksums available from the Fedora website. Yes, there are links to other websites that offer such tools, but this significantly reduces the amount of trust one can place in the tools, especially since they are not typically mainstream, high profile sites. The page (http://docs.fedoraproject.org/readme-burning-isos/en_US/sn-validating-files.html) even has a prominent warning: "CAVEAT EMPTOR The Fedora Project and Red Hat Inc.. have no control over external sites such as the ones listed above, or the programs they provide" in reference to links to Windows checksum tools. 2. From the home page I first clicked on "Get Fedora" in the sidebar. After downloading the disc image, I clicked on "Verify your download" which led me to (http://fedoraproject.org/en/verify). At the top of this page was a link for Windows users with the text "Windows user? Follow these instructions instead." that led to (http://docs.fedoraproject.org/readme-burning-isos/en_US/sn-validating-files.html). But this page for Windows users was not self contained as the word "instead" implied, since it did not have links to the checksum files. It would clarify navigation to have all the information needed to verify the download on a single page, first presenting the checksum files, and then offering a choice between Linux or Windows for instructions on how to compute the checksum. Version-Release number of selected component (if applicable): The fedoraproject.org site as of the submission of this bug, and Fedora 11.
I'm going to take this for action and see if we can come up with a best fix. I don't know that we'll be able to provide Windows software for validating the checksum, however.
Thanks for looking at this Eric. It still gets brought up to webmaster regularly. Is building and hosting a Windows executable for sha*sum too difficult or is it forbidden by policy/legal? Just curious, as I don't have any Windows boxes to care about :).
MinGW may make it possible to create such a thing, and there should be no policy or legal bar to hosting a Windows executable for purposes of verifying a download of Fedora media. CC'ing rjones, an oracle of MinGW knowledge, for a more learned answer.
Don't know about the legal issues, but technically it's trivial to create a Windows sha*sum binary from a Fedora build system -- that's the whole point of the Fedora MinGW project! Probably it's as easy as: i686-pc-mingw32-gcc sha256sum.c -o sha256sum.exe but maybe the source will need a few small changes. CCing epienbro.
I talked to Jim Meyering about this and confirmed with my own tests that coreutils is quite easy to cross-compile, particularly if you just want the simple programs like sha*sum. I got it working by doing: $ mingw32-configure $ make -C lib $ make -C src sha256sum.exe (taking an axe to a few bits that didn't compile), and after about 10 minutes I ended up with: coreutils-7.2$ ll src/sha256sum.exe -rwxrwxr-x 1 rjones rjones 224656 2009-10-30 18:35 src/sha256sum.exe coreutils-7.2$ file src/sha256sum.exe src/sha256sum.exe: PE32 executable for MS Windows (console) Intel 80386 32-bit Copying that file over to another machine that has Wine installed on it gives me: $ wine ./sha256sum.exe /etc/motd e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 */etc/motd
I should probably add that the SHA256 sum does agree with the one from the equivalent Linux native utility :-)
@Richard Can you provide the .exe binary for the 256 version and attach it to this ticket? I want to play with mingw some but I want to make sure we have something that works for the webpage. Thanks!
Awesome work Rich! I suspected this would be possible with MinGW, but I didn't think you'd make it look so trivial to achieve. ;)
Created attachment 366853 [details] sha256sum.exe (Windows binary) Here's the binary that I built in the earlier comment. Although really we shouldn't be pushing unknown binaries around the place, but should make this a regular part of the build process for the live CD or whatever.
Created attachment 366854 [details] coreutils 7.2 patch Just for completeness, here is the patch to coreutils 7.2 to get it to cross compile. (Recall the command you would use is: mingw32-configure && make) It's a complete "hatchet job" on the source, not suitable for upstreaming. And the reason it's against the old coreutils 7.2 was just because that's what I happened to have on my local machine. To do this properly will require a few fairly small fixes to the configure.ac to get it to work properly in the cross- compile mode, or else you can "seed" correct choices for autotools by setting ac_* environment variables appropriately.
Just noting that the F12 version of the doc has a link to a cross-compiled version and a GUI tool for validating on Windows: http://docs.fedoraproject.org/readme-burning-isos/en-US-draft.html#sect-Burning_ISO_images_to_disc-Validating_the_Files But it would no doubt be nice to host a tool ourselves that we could really vouch for :)
(In reply to comment #11) > Just noting that the F12 version of the doc has a link to a cross-compiled > version and a GUI tool for validating on Windows: > > http://docs.fedoraproject.org/readme-burning-isos/en-US-draft.html#sect-Burning_ISO_images_to_disc-Validating_the_Files > > But it would no doubt be nice to host a tool ourselves that we could really > vouch for :) Yeah, I think that is the request. I'll update the readme-burning-isos guide as soon as we get all that straightened out.
Created attachment 367118 [details] coreutils-7.6.patch Updated patch which will cross-compile the checksum programs of coreutils 7.6. (1) Download coreutils 7.6 from ftp://ftp.gnu.org/gnu/coreutils/ (2) Apply this patch to the unpacked source. (3) Make sure you have up to date 'mingw32-gcc' package installed. (Maybe some other mingw32-* libraries are needed too?) (4) Do: ./BUILD (5) If it builds successfully you should see: -rwxrwxr-x 1 rjones rjones 247972 2009-11-02 11:52 ./src/sha1sum.exe -rwxrwxr-x 1 rjones rjones 320902 2009-11-02 11:52 ./src/sha512sum.exe -rwxrwxr-x 1 rjones rjones 215510 2009-11-02 11:52 ./src/cksum.exe -rwxrwxr-x 1 rjones rjones 256902 2009-11-02 11:52 ./src/sha224sum.exe -rwxrwxr-x 1 rjones rjones 320902 2009-11-02 11:52 ./src/sha384sum.exe -rwxrwxr-x 1 rjones rjones 256902 2009-11-02 11:52 ./src/sha256sum.exe -rwxrwxr-x 1 rjones rjones 243869 2009-11-02 11:52 ./src/md5sum.exe
Rich, Many thanks for your incredibly helpful patch and build script. I played with the the other week and then didn't have time to get it finalized prior to the release of F-12. In the process, I noticed that the build failed without mingw32-gettext. But with that, the binary had a requirement on libintl-8.dll. I further patched src/system.h in coreutils so that it will build without gettext. I believe passing --disable-nls worked as well, but I didn't experiment all that long. In order to have something which can be independently verified, I made a mingw32-sha256sum package that can be built in koji. The spec file, srpm, and a scratch build are available at: http://tmz.fedorapeople.org/specs/mingw32-sha256sum.spec http://tmz.fedorapeople.org/packages/mingw32-sha256sum-7.6-1.fc12.src.rpm http://koji.fedoraproject.org/koji/taskinfo?taskID=1820614 Comments or corrections for this package would be most welcome. I've used it to verify Fedora-11-i686-Live-CHECKSUM as well as generation an identical sum for the corresponding Fedora-11-i686-Live.iso. The Fedora-12 *-CHECKSUM files don't fare as well because they lack the * to specify that they should be checked in binary mode. Adding that, I can verify Fedora-12-i686-Live-CHECKSUM. I only tested this on Windows XP, 32 bit. Testing on other versions and architectures would be great.
(In reply to comment #14) > Rich, > > Many thanks for your incredibly helpful patch and build script. I played with > the the other week and then didn't have time to get it finalized prior to the > release of F-12. In the process, I noticed that the build failed without > mingw32-gettext. But with that, the binary had a requirement on libintl-8.dll. > I further patched src/system.h in coreutils so that it will build without > gettext. I believe passing --disable-nls worked as well, but I didn't > experiment all that long. You can check the DLLs required by a random *.exe file by doing: $ i686-pc-mingw32-objdump -p /usr/i686-pc-mingw32/sys-root/mingw /bin/sha256sum.exe | grep 'DLL.Name' DLL Name: libintl-8.dll DLL Name: KERNEL32.dll DLL Name: msvcrt.dll DLL Name: msvcrt.dll So I note that libintl-8.dll is still required. Maybe that's because I had mingw32-gettext installed when I built the SRPM. Of the DLLs above, Windows users won't have libintl-8.dll, but they will have all the others. > In order to have something which can be independently verified, I made a > mingw32-sha256sum package that can be built in koji. The spec file, srpm, and > a scratch build are available at: > > http://tmz.fedorapeople.org/specs/mingw32-sha256sum.spec > http://tmz.fedorapeople.org/packages/mingw32-sha256sum-7.6-1.fc12.src.rpm > http://koji.fedoraproject.org/koji/taskinfo?taskID=1820614 Spec file looks fine. I also rebuilt your *.src.rpm file locally and verified that it works, apart from the libintl-8.dll problem. I should just say again that the patch (comment 13) is a big hack and likely to break on future versions of coreutils. > Comments or corrections for this package would be most welcome. I've used it > to verify Fedora-11-i686-Live-CHECKSUM as well as generation an identical sum > for the corresponding Fedora-11-i686-Live.iso. > > The Fedora-12 *-CHECKSUM files don't fare as well because they lack the * to > specify that they should be checked in binary mode. Adding that, I can verify > Fedora-12-i686-Live-CHECKSUM. > > I only tested this on Windows XP, 32 bit. Testing on other versions and > architectures would be great. If it works on Windows XP / 32, then it should work everywhere ...
(In reply to comment #15) > You can check the DLLs required by a random *.exe file by doing: > > $ i686-pc-mingw32-objdump -p /usr/i686-pc-mingw32/sys-root/mingw > /bin/sha256sum.exe | grep 'DLL.Name' > DLL Name: libintl-8.dll > DLL Name: KERNEL32.dll > DLL Name: msvcrt.dll > DLL Name: msvcrt.dll > > So I note that libintl-8.dll is still required. Maybe that's > because I had mingw32-gettext installed when I built the SRPM. > Of the DLLs above, Windows users won't have libintl-8.dll, but > they will have all the others. The libintl-8.dll dependency can also be eliminated by using the mingw32-gettext-static package. You might need to use the '-static' libtool parameter to perform a static compilation.
> You can check the DLLs required by a random *.exe file by doing: Ahh, handy. Don't go showing me too many things like that, or I'll start building all sorts of MingW tools to play with. ;) The packages I built locally and via koji don't have the lilbintl-8.dll dep (mingw32-gettext isn't on my system nor in the buildroot): i686-pc-mingw32-objdump -p mingw32-sha256sum-7.6-1.fc12.noarch/usr/i686-pc-mingw32/sys-root/mingw/bin/sha256sum.exe | grep -i 'DLL Name:' DLL Name: KERNEL32.dll DLL Name: msvcrt.dll DLL Name: msvcrt.dll > I should just say again that the patch (comment 13) is a big > hack and likely to break on future versions of coreutils. Perhaps future coreutils versions will build without as much patching for MingW? For now though, this is a huge improvement over asking users to download binaries that we have no control over, "big hack" or not. I think I just need to talk to some infrastructure folks about getting a build that we can keep around for others to verify against, then upload the resulting sha256sum.exe somewhere like fp.o/static/tools/sha256sum.exe. Then we can update various bits of documentation and have a drink.
Is there anyone working on this, or an interest in doing so? If not, can we close the bug?
Not as far as I know. The current advice points to some external tools: https://fedoraproject.org/en/verify -> https://docs.fedoraproject.org/en-US/Fedora/18/html/Burning_ISO_images_to_disc/sect-Burning_ISO_images_to_disc-Validating_the_Files-Validating_in_the_Windows_Graphical_Environment.html I don't have Windows so I can't tell you if these tools really work, nor if it is still worth replacing the external tools with a *.exe file that Fedora builds. But since the bug has been open for aeons and no one has stepped up to do the work, I suggest closing it. It can always be reopened.
This has gone stale. If the issue still needs work, let's discuss it on a list somewhere.