On Mon, Nov 21, 2022 at 12:18 AM AV via test <test(a)lists.fedoraproject.org> wrote:

> On Sat, 2022-11-19 at 19:33 -0800, Samuel Sieb wrote:
> > On 11/18/22 16:11, AV via test wrote:
> > > Following info on https://getfedora.org/en/security/
> > >
> > > gpgv --keyring ./fedora.gpg *-CHECKSUM
> > > gpgv: not a detached signature
> > >
> > > I think a little correction is warranted.
> >
> > You need to give more specific information about what exactly you
> > tried.
> > I followed the instructions there and it worked as expected.
>
> I discovered today what happened. I had downloaded both
> Fedora-Workstation and Fedora-Everything together with
> their CHECKSUMS into the same folder.
> If you then try "gpgv --keyring ./fedora.gpg *-CHECKSUM"
> it results in this error message.
> Remove one of the two from the folder and it works as
> expected.
> But as yet it is not clear to me why this error message
> meant for another situation.

Can you file a bug or a pull request at
https://pagure.io/fedora-web/websites/ ? I think the command should be
modified to:

$ gpgv --keyring ./fedora.gpg CHECKSUM_FILE

and the description should state to replace CHECKSUM_FILE with an actual
checksum file name. I agree that currently it's confusing because it looks
like it can handle processing multiple checksum files together (which is
the case for sha256sum, but not for gpgv).

Thanks!
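
An added example, not part of the original thread or the Fedora website: when gpgv is given several file names it treats the first as a detached signature and the rest as the signed data, which is why a glob matching two clearsigned CHECKSUM files produces "not a detached signature". The sketch below verifies each file in its own gpgv call; the function name `verify_checksums` and the `GPGV` override variable are assumptions of this example.

```shell
#!/bin/sh
# Added example: verify several clearsigned CHECKSUM files one at a time.
# GPGV may be overridden to point at another gpgv binary (assumption of
# this example; the default is the gpgv found on PATH).
GPGV=${GPGV:-gpgv}

# verify_checksums KEYRING FILE...
# Runs gpgv once per file, prints one status line per file, and returns
# non-zero if any file is missing or its signature does not verify.
verify_checksums() {
    keyring=$1
    shift
    failed=0
    for f in "$@"; do
        # An unmatched glob such as ./*-CHECKSUM arrives here literally.
        if [ ! -f "$f" ]; then
            echo "MISSING  $f"
            failed=$((failed + 1))
            continue
        fi
        # One file per invocation, so gpgv reads it as a signed message
        # and not as "detached signature + data files".
        if "$GPGV" --keyring "$keyring" "$f" >/dev/null 2>&1; then
            echo "GOOD     $f"
        else
            echo "BAD      $f"
            failed=$((failed + 1))
        fi
    done
    [ "$failed" -eq 0 ]
}

# Usage, run in the download directory:
#   verify_checksums ./fedora.gpg ./*-CHECKSUM && sha256sum -c ./*-CHECKSUM
```

Running sha256sum only after every signature has verified keeps an unsigned or altered CHECKSUM file from being trusted for the hash comparison.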