The officially official Devuan Forum!

You are not logged in.

#1 2017-04-24 08:18:40

miroR
Member
From: Zagreb, Croatia
Registered: 2016-11-30
Posts: 217  
Website

BAD sig with Devuan Jessie 1.0.0-RC

title: BAD sig with Devuan Jessie 1.0.0-RC
---

There is, apparently, an issue with PGP-verification of the media at:

https://files.devuan.org/devuan_jessie_rc/

I have tried to, be it alert the team about it, in case the fault lies at the server or humans at Devuan, be it get some help in case the issue is on the way or at my premises. The former looks to me more and more likely as I study this case.

Pls find more information in the thread on Devuan is Not Gnome ML starting from:

BAD sig with Devuan Jessie 1.0.0-RC
https://lists.dyne.org/lurker/message/2 … 59.en.html

as well as at:

BAD sig with Devuan Jessie 1.0.0-RC
https://www.croatiafidelis.hr/foss/cap/ … n-iso-sig/
(
where from, don't skip visiting:
https://www.croatiafidelis.hr/foss/devu … 78.en.html
which is the same, but complete email --in the dyne.org is the resent same message, just without attachment-- that was dropped from the list because it was 110k in size, due to the attachment:
dump_170423_1642_g0n.pcap (application/vnd.tcpdump.pcap)
)

I will pick up where I reached in those two internet places linked above.

This time, I need to leave mostly intact (I'll add a space in wget lines, so they don't be links, and other minor redacting) the following paste from my terminal, else I couldn't explain the cd'ing into directory with nearly two months old:

-rw-r--r-- 1 miro miro 2327 2016-04-29 11:07 SHA256SUMS
-rw-r--r-- 1 miro miro 1513 2016-04-29 11:09 SHA256SUMS.asc

hashes and sig that verify correctly (sic!). They are, obviously, from the beta2, IIRC. And what that fact proves, is that Jaromil's PGP public key that I had received/imported into my GnuPG is very likely the correct PGP key, and also that my GnuPG works correctly.

miro@g0n /some/where/Devuan $ history | grep SHA256SUMS | grep wget
  522  wget -nc https://files.devuan.org/devuan_jessie_rc/installer-iso/SHA256SUMS.asc
  527  wget -nc https://files.devuan.org/devuan_jessie_rc/installer-iso/SHA256SUMS.asc
  529  wget -nc https://files.devuan.org/devuan_jessie_rc/installer-iso/SHA256SUMS
  538  wget https://files.devuan.org/devuan_jessie_rc/installer-iso/SHA256SUMS
  539  wget https://files.devuan.org/devuan_jessie_rc/installer-iso/SHA256SUMS.asc
  595  wget https://files.devuan.org/devuan_jessie_rc/installer-iso/SHA256SUMS
  596  wget https://files.devuan.org/devuan_jessie_rc/installer-iso/SHA256SUMS.asc
  611  wget https://files.devuan.org/devuan_jessie_rc/installer-iso/SHA256SUMS.asc
  612  wget https://files.devuan.org/devuan_jessie_rc/installer-iso/SHA256SUMS
  760  wget https://files.devuan.org/devuan_jessie_rc/installer-iso/SHA256SUMS
  765  history | grep SHA256SUMS | grep wget
miro@g0n /some/where/Devuan $ !611
wget https://files.devuan.org/devuan_jessie_rc/installer-iso/SHA256SUMS.asc
--2017-04-24 09:00:48--  https://files.devuan.org/devuan_jessie_rc/installer-iso/SHA256SUMS.asc
Resolving files.devuan.org... 104.236.249.173
Connecting to files.devuan.org|104.236.249.173|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1513 (1.5K) [application/octet-stream]
Saving to: ‘SHA256SUMS.asc’

SHA256SUMS.asc              100%[========================================>]   1.48K  --.-KB/s    in 0s      

2017-04-24 09:00:49 (11.0 MB/s) - ‘SHA256SUMS.asc’ saved [1513/1513]

miro@g0n /some/where/Devuan $  !612
 wget https://files.devuan.org/devuan_jessie_rc/installer-iso/SHA256SUMS
--2017-04-24 09:00:51--  https://files.devuan.org/devuan_jessie_rc/installer-iso/SHA256SUMS
Resolving files.devuan.org... 104.236.249.173
Connecting to files.devuan.org|104.236.249.173|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 621 [application/octet-stream]
Saving to: ‘SHA256SUMS’

SHA256SUMS                  100%[========================================>]     621  --.-KB/s    in 0s      

2017-04-24 09:00:51 (3.92 MB/s) - ‘SHA256SUMS’ saved [621/621]

miro@g0n /some/where/Devuan $ cd Prev/
miro@g0n /some/where/Devuan/Prev $ gpg --verify SHA256SUMS.asc SHA256SUMS
gpg: Signature made Fri 29 Apr 2016 11:10:22 CEST
gpg:                using RSA key 73B35DA54ACB7D10
gpg: Good signature from "Denis Roio (Jaromil) <jaromil@dyne.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6113 D89C A825 C5CE DD02  C872 73B3 5DA5 4ACB 7D10
miro@g0n /some/where/Devuan/Prev $ ls -l SHA256SUMS.asc SHA256SUMS
-rw-r--r-- 1 miro miro 2327 2016-04-29 11:07 SHA256SUMS
-rw-r--r-- 1 miro miro 1513 2016-04-29 11:09 SHA256SUMS.asc
miro@g0n /some/where/Devuan/Prev $ cd ../
miro@g0n /some/where/Devuan $ ls -l SHA256SUMS.asc SHA256SUMS
-rw-r--r-- 1 miro miro  621 2017-04-21 17:56 SHA256SUMS
-rw-r--r-- 1 miro miro 1513 2017-04-22 09:40 SHA256SUMS.asc
miro@g0n /some/where/Devuan $ gpg --verify SHA256SUMS.asc SHA256SUMS
gpg: Signature made Sat 22 Apr 2017 09:44:23 CEST
gpg:                using RSA key 73B35DA54ACB7D10
gpg: BAD signature from "Denis Roio (Jaromil) <jaromil@dyne.org>" [unknown]
miro@g0n /some/where/Devuan $ 

I have also made other easy/quick PGP verifying on:

Devuan Release Archive
https://files.devuan.org/devuan_jessie_rc/

I checked embedded/ and virtual/ and rechecked installer-iso/ which all contain files named SHA256SUMS SHA256SUMS.asc, by downloading/re-downloading those, and all the three pairs fail.

So, firstly I hope someone is working on investigating these findings of mine, and if they are true, fixing the issue.

Secondly, I'd kindly re-ask of Devuan devs just a simple confirmation, and I'll put it in a separate post, next.

Last edited by miroR (2017-04-24 08:32:28)


Devs/testers/users of FOSS, what might be ahead for GNU/Linux after we lost PaX Team and spender? spender wrote:
https://forums.grsecurity.net/viewtopic … 699#p17127
Google made the choice to engage in underhanded competition against us with our own code...
grsecurity ripoff by Google, w/ Linus approval https://lists.dyne.org/lurker/message/2 … 4b.en.html

Offline

#2 2017-04-24 08:20:34

miroR
Member
From: Zagreb, Croatia
Registered: 2016-11-30
Posts: 217  
Website

Re: BAD sig with Devuan Jessie 1.0.0-RC

It really would be a good thing to reply to what I kindly asked in the bottom part of my email:

BAD sig with Devuan Jessie 1.0.0-RC
https://lists.dyne.org/lurker/message/2 … b0.en.html

and to reply with a PGP-signed email... It's a boolean value, true or false, that I'm asking about... But here is also fine.

So I'll repeat my query, by pasting from there.

Is this media:

devuan_jessie_1.0.0-RC_amd64_DVD.iso

from:

https://files.devuan.org/devuan_jessie_rc/

correct if its hash is:

f4b0fc1fd3c7769055f4b611d8173a6a3be38eced0bcc72c65cc2fefa0914837 devuan_jessie_1.0.0-RC_amd64_DVD.iso

?

Thank you!

Last edited by miroR (2017-04-24 08:22:02)


Devs/testers/users of FOSS, what might be ahead for GNU/Linux after we lost PaX Team and spender? spender wrote:
https://forums.grsecurity.net/viewtopic … 699#p17127
Google made the choice to engage in underhanded competition against us with our own code...
grsecurity ripoff by Google, w/ Linus approval https://lists.dyne.org/lurker/message/2 … 4b.en.html

Offline

#3 2017-04-24 15:12:40

drjc
Member
Registered: 2017-04-24
Posts: 1  

Re: BAD sig with Devuan Jessie 1.0.0-RC

can confirm, getting bad signature when checking the SHA256SUMS file for devuan_jessie_rc/installer-iso

Offline

#4 2017-04-24 15:20:36

golinux
Administrator
Registered: 2016-11-25
Posts: 3,317  

Re: BAD sig with Devuan Jessie 1.0.0-RC

It's been fixed and is in the process of being automated to eliminate such errors in the future.

Offline

#5 2017-04-24 15:51:31

miroR
Member
From: Zagreb, Croatia
Registered: 2016-11-30
Posts: 217  
Website

Re: BAD sig with Devuan Jessie 1.0.0-RC

golinux wrote:

It's been fixed and is in the process of being automated to eliminate such errors in the future.

Yeah, and I'm at peace. Dear golinux, did you read my praise of you in my follow-up to that Jaromil's email? wink

( I mean in the attachment that I published there under condition of invalidity, just to show what I was going through. )

I'm happy, and I hope that I can be forgiven for my not-so-strong doubt in how the project was handled that I expressed in that follow-up email, as well as some harshness...

I really saw the matter as urgent, and I went without sleep to give full information on the matter... And it is now full information, but I need to explain it so that less advanced users can understand it in details, such as extractions of the downloaded files from SSL-encrypted conversations...

Devuan is getting very strong! Eviva Devuan!

People, keep humble, don't relish in others' defeat, but be generous and understanding as long as not hurting FOSS and Devuan project... Keep humble, as there will be more fight. Guarrantied! (I feel it.)


Devs/testers/users of FOSS, what might be ahead for GNU/Linux after we lost PaX Team and spender? spender wrote:
https://forums.grsecurity.net/viewtopic … 699#p17127
Google made the choice to engage in underhanded competition against us with our own code...
grsecurity ripoff by Google, w/ Linus approval https://lists.dyne.org/lurker/message/2 … 4b.en.html

Offline

Board footer