On Mon, 2022-11-21 at 09:39 +0100, Kamil Paral wrote:
On Mon, Nov 21, 2022 at 12:18 AM AV via test <test@lists.fedoraproject.org> wrote:
On Sat, 2022-11-19 at 19:33 -0800, Samuel Sieb wrote:
On 11/18/22 16:11, AV via test wrote:
Following info on https://getfedora.org/en/security/
gpgv --keyring ./fedora.gpg *-CHECKSUM
gpgv: not a detached signature
I think a little correction is warranted.
You need to give more specific information about what exactly you tried. I followed the instructions there and it worked as expected.
I discovered today what happened. I had downloaded both Fedora-Workstation and Fedora-Everything together with their CHECKSUMS into the same folder. If you then try "gpgv --keyring ./fedora.gpg *-CHECKSUM" it results in this error message. Remove one of the two from the folder and it works as expected. But as yet it is not clear to me why this error message meant for another situation.
Can you file a bug or a pull request at https://pagure.io/fedora-web/websites/ ? I think the command should be modified to:
$ gpgv --keyring ./fedora.gpg CHECKSUM_FILE
and the description should state to replace CHECKSUM_FILE with an actual checksum file name. I agree that currently it's confusing because it looks like it can handle processing multiple checksum files together (which is the case for sha256sum, but not for gpgv).
Well, the point of the asterisk is to make it so you can just copy-and-paste and run the command and it will find whatever (assumed single) CHECKSUM file is present - it saves the user having to manually modify the command.
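
Added example, not part of the thread and not Fedora's own script: a POSIX shell wrapper that keeps the copy-and-paste glob but runs gpgv once per CHECKSUM file. When gpgv is given more than one file it takes the first as a detached signature and the rest as the signed data, which is why two clearsigned CHECKSUM files matched by the glob produce "not a detached signature". The function name, the GPGV override variable and the script file name are assumptions of this example.

```shell
#!/bin/sh
# Added example: verify every CHECKSUM file in its own gpgv invocation.
# verify_checksum_files and the GPGV variable are names made up for this
# example; GPGV only lets the verifier binary be overridden (default: gpgv).

verify_checksum_files() {
    vc_keyring=$1
    shift
    vc_checked=0
    vc_failed=0
    for vc_file in "$@"; do
        # A glob that matched nothing is passed through literally; skip it.
        [ -f "$vc_file" ] || continue
        vc_checked=$((vc_checked + 1))
        # Exactly one file per call, so gpgv never treats the first file
        # as a detached signature over the others.
        if "${GPGV:-gpgv}" --keyring "$vc_keyring" "$vc_file"; then
            echo "OK   $vc_file"
        else
            echo "FAIL $vc_file" >&2
            vc_failed=1
        fi
    done
    # Fail closed: no CHECKSUM file found means nothing was verified.
    if [ "$vc_checked" -eq 0 ]; then
        echo "no CHECKSUM file to verify" >&2
        vc_failed=1
    fi
    return "$vc_failed"
}

# Run as (hypothetical file name): sh verify-checksums.sh ./fedora.gpg *-CHECKSUM
if [ "$#" -ge 2 ]; then
    verify_checksum_files "$@"
fi
```

The function returns non-zero if any single file fails verification or if no file was checked, so it can gate a following `sha256sum -c` step.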