Signature verification
 

I have downloaded Mageia 4 and it says that after downloading I should verify the signatures. I burned the ISO to a DVD and explored that but no luck. Please could someone tell me how I verify a signature. This must be basic stuff but it stumped me.

Where are there instructions that tell you to verify the signatures? I went to the Mageia 4 downloads page and they don't say anything about signatures. When I download the torrent file there is no signature files bundled with it (only hash checksums). Usually, when software is signed it is using PGP/GPG or S/MIME. Share your source. Help me help you.

The following is the page from Mageia:

Your download of Mageia 4.1 64bit DVD should start within a few seconds (download size is about 3.5 GB). If the download does not start, click here.

This mageia.mirror.garr.it download mirror is located in Roma, Italia (IT). If it does not work well for you, check out these other mirrors.

As soon as your download is complete, you should check that the signatures match:

$ md5sum Mageia-4.1-x86_64-DVD.iso
c1e996006ee03356e827dcfd02b060a7

$ sha1sum Mageia-4.1-x86_64-DVD.iso
3a257f7748f11ab725eff98b7d5160c68bd2aa65
If signatures do not match, DO NOT use this ISO. Double-check and try to download again.

This only turns up after clicking the download button. Thanks for you help.

It is actually telling you how to do it, which I have hilighted in red.

Simply open a terminal (shell, command line, whatever your terminology may be) and cd into the same directory where you downloaded the iso file, then type either of the commands shown...

...then hit the enter key. It will then calculate the checksum of the iso, may take a few seconds, and will display a long string of characters on the next line. If the string of characters matches the ones shown in the download page (I have hilighted blue) then the file is OK. If they are different then the file is corrupted.

It is sufficient to check either the md5sum or the sha1sum. They will both be correct or they will both be incorrect.

That's poor wording on their part. Making sure the checksums match is what they should say because those downloads are not signed. In any case, as astrogeek pointed out you need to open a terminal and run those commands to verify the checksums.

A tip since they have torrent download also you can veriy the downloaded iso file and will download only the damaged portions of it. And not whole of it again.

And you can check whether the hash match exactly instead of matching with your eyes you can do in a shell:

Just copy hash1 and hash2 appropriately.

I am not a torrent user, but that sounds like a very useful idea!

The red must be quoted I think...

But even copy/paste is relatively a lot of trouble to compare the checksums.

In reality it is sufficient to simply compare the first few and last few characters which can be done with a quick look. It would be exceedingly rare to have more than 4-5 leading characters match for a corrupted iso. The difference in the checksums is not proportional to the amount of difference in the files. Even a single bit of difference will radically alter the checksum.

Not needed. As it has no characters that neeed to be escaped. OK and FAIL would be counted as a single argument to echo command.

Ah! You are correct.

I find that my old, but hopefully good habits, sometimes become confused with strict requirements of the languages.

But still, a lot of trouble to go to for checksum comparison.

Thanks for your replies!