diff --git a/documentation/dev-manual/dev-manual-common-tasks.xml b/documentation/dev-manual/dev-manual-common-tasks.xml
index e5c1649f57..0218dc59fd 100644
--- a/documentation/dev-manual/dev-manual-common-tasks.xml
+++ b/documentation/dev-manual/dev-manual-common-tasks.xml
@@ -1797,10 +1797,10 @@
- Finding proper values for md5 and
- sha256 checksums can involve some work.
- Initially, you should locate any available signatures from
- the upstream source (i.e. md5,
+ Proper values for md5 and
+ sha256 checksums might be available
+ with other signatures on the download page for the upstream
+ source (e.g. md5,
sha1, sha256,
GPG, and so forth).
Because the OpenEmbedded build system only deals with
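Review bot: The added wording "might be available with other signatures on the download page" groups md5, sha1 and sha256 with GPG as "signatures", but the first three are plain checksums. A checksum published on the same page as the tarball only detects corruption, while a GPG signature can establish who released the file. Suggest "with other checksums or signatures", and keep the imperative from the removed text ("you should locate any available signatures") so the paragraph still tells the recipe author to look for them, rather than only noting that they may exist.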
@@ -1809,18 +1809,19 @@
- After you have verified as many signatures as you can,
- you can use a "build-fail" method that retrieves the exact
- sha256sum and md5sum
- checksums you need.
- To use the "build-fail" method, comment the
- SRC_URI statements out that provide the
- checksums and then attempt to build the software.
- The build will produce an error for each missing checksum
- and as part of the error message provide the correct checksum
- string.
- Once you have the correct checksums, simply copy them into your
- recipe for a subsequent build.
+ If no SRC_URI checksums are specified
+ when you attempt to build the recipe, the build will produce
+ an error for each missing checksum.
+ As part of the error message, the build system provides
+ the checksum string corresponding to the fetched file.
+ Once you have the correct checksums, you can copy and paste
+ them into your recipe and then run the build again to continue.
+
+ As mentioned, if the upstream source provides signatures
+ for verifying the downloaded source code, you should
+ verify those manually before setting the checksum values
+ in the recipe and continuing with the build.
+
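Review bot: In the added paragraph, "Once you have the correct checksums, you can copy and paste them into your recipe" calls the values from the error message "correct", although the sentence before it says they are only "the checksum string corresponding to the fetched file". Nothing at that point has established that the fetched file is the genuine upstream release. The instruction to verify upstream signatures arrives only in the following paragraph, after the reader has been told to paste and rebuild. Suggest moving the verification paragraph ahead of the copy-and-paste sentence and rewording to something like "Once you have verified the fetched file, copy the reported checksums into your recipe". "As mentioned" is also vague, so it would help to name the section it refers back to.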