https://bugzilla.novell.com/show_bug.cgi?id=821793
https://bugzilla.novell.com/show_bug.cgi?id=821793#c3

--- Comment #3 from Ulrich Windl <Ulrich.Windl@rz.uni-regensburg.de> 2013-05-29 08:41:10 CEST ---
(comment #2: "should not happen") Unfortunately it does. One concrete example:

---snip---
[1] invalid sha256 checksum for i586/pm-utils-1.4.1-26.5.1.i586.rpm~CE~:
want: 13fe7b0999b1ae3f3bb01e9a944b7919ec60ad9a1635d39369d54d16c4907de7
have: a8be173fb177c9d77ec7b926a3720993760972043100ebba6d80fd47b0b0888f
Bad checksum for 'i586/pm-utils-1.4.1-26.5.1.i586.rpm~CE~'!
---snip---
(the "~CE~" is a random temporary filename suffix until the checksum is verified)

Examining this temporary file I see:

-rw-r--r-- 1 user users 78221 29. Mai 08:24 SL-12.3-i386/i586/pm-utils-1.4.1-26.5.1.i586.rpm~Ej~

rpm --checksig SL-12.3-i386/i586/pm-utils-1.4.1-26.5.1.i586.rpm~Ej~
SL-12.3-i386/i586/pm-utils-1.4.1-26.5.1.i586.rpm~Ej~: rsa sha1 (md5) pgp md5 OK

rpm -qip SL-12.3-i386/i586/pm-utils-1.4.1-26.5.1.i586.rpm~Ej~
Name        : pm-utils
Version     : 1.4.1
Release     : 26.5.1
Architecture: i586
Install Date: (not installed)
Group       : System/Base
Size        : 198446
License     : GPL-2.0
Signature   : RSA/SHA256, Mo 22 Apr 2013 16:53:45 CEST, Key ID b88b2fd43dbdc284
Source RPM  : pm-utils-1.4.1-26.5.1.src.rpm
Build Date  : Sa 13 Apr 2013 15:35:11 CEST
Build Host  : build80
Relocations : (not relocatable)
Packager    : http://bugs.opensuse.org
Vendor      : openSUSE
URL         : http://pm-utils.freedesktop.org/wiki/
Summary     : Tools to suspend and hibernate computers
Description :
pm-utils provide simple shell command line tools to suspend and hibernate
computers that can be used to run vendor or distro supplied scripts on
suspend and resume.

Distribution: openSUSE 12.3
---

% sha256sum -b SL-12.3-i386/i586/pm-utils-1.4.1-26.5.1.i586.rpm~Ej~
a8be173fb177c9d77ec7b926a3720993760972043100ebba6d80fd47b0b0888f *SL-12.3-i386/i586/pm-utils-1.4.1-26.5.1.i586.rpm~Ej~
---

From SL-12.3/repodata/e6bb9a36bdd5436465a08904cd8dc4fdc39f9eed6506a60cb8b2890f91bdafe9-primary.xml.gz:

<package type="rpm">
  <name>pm-utils</name>
  <arch>i586</arch>
  <version epoch="0" ver="1.4.1" rel="26.5.1"/>
  <checksum type="sha256" pkgid="YES">13fe7b0999b1ae3f3bb01e9a944b7919ec60ad9a1635d39369d54d16c4907de7</checksum>
  <summary>Tools to suspend and hibernate computers</summary>
  [...]
---

As you can see the indicated SHA256 checksum is extracted correctly from the primary.xml, and it is computed correctly for the downloaded file, but both checksums differ, effectively breaking the chain of trust: It's not certified that the downloaded file is an official update for openSUSE-12.3!
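The check the comment reproduces by hand (take the sha256 from the repodata entry, hash the downloaded file, compare) is shown below as an added Python example. It is not part of the bug report and not the downloader's own code. The primary.xml fragment is constructed from the one quoted above: the `<location>` element, the second and third package entries, and the file contents hashed are assumptions made up for the example; the "want:" value for pm-utils is the one from the report, and the namespace declaration is the one used by real primary.xml files.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed primary.xml document modelled on the fragment quoted in the bug.
# The pm-utils entry carries the repodata checksum from the report ("want:").
# The <location> element and the two extra packages are made up for this example;
# their checksums are the well-known sha256/sha1 digests of the empty input.
PRIMARY_XML = """<?xml version="1.0" encoding="UTF-8"?>
<metadata xmlns="http://linux.duke.edu/metadata/common" packages="3">
<package type="rpm">
  <name>pm-utils</name>
  <arch>i586</arch>
  <version epoch="0" ver="1.4.1" rel="26.5.1"/>
  <checksum type="sha256" pkgid="YES">13fe7b0999b1ae3f3bb01e9a944b7919ec60ad9a1635d39369d54d16c4907de7</checksum>
  <summary>Tools to suspend and hibernate computers</summary>
  <location href="i586/pm-utils-1.4.1-26.5.1.i586.rpm"/>
</package>
<package type="rpm">
  <name>empty-example</name>
  <arch>i586</arch>
  <checksum type="sha256" pkgid="YES">e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855</checksum>
  <location href="i586/empty-example-0-0.i586.rpm"/>
</package>
<package type="rpm">
  <name>old-style-example</name>
  <arch>i586</arch>
  <checksum type="sha" pkgid="YES">da39a3ee5e6b4b0d3255bfef95601890afd80709</checksum>
  <location href="i586/old-style-example-0-0.i586.rpm"/>
</package>
</metadata>
"""

# Older createrepo wrote type="sha" for SHA-1; map repodata names onto hashlib names.
_ALGO_NAMES = {"sha": "sha1"}


def _local(tag):
    """Strip the XML namespace so the parser works with and without xmlns."""
    return tag.rsplit("}", 1)[-1]


def expected_checksums(primary_xml):
    """Return {location href: (hashlib algorithm, lowercase hex digest)}."""
    root = ET.fromstring(primary_xml)
    table = {}
    for pkg in root:
        if _local(pkg.tag) != "package":
            continue
        href = algo = digest = None
        for child in pkg:
            name = _local(child.tag)
            if name == "checksum":
                algo = child.get("type", "").lower()
                algo = _ALGO_NAMES.get(algo, algo)
                digest = (child.text or "").strip().lower()
            elif name == "location":
                href = child.get("href")
        if href and algo and digest:
            table[href] = (algo, digest)
    return table


def verify_download(data, href, checksums):
    """Hash the downloaded bytes with the repodata's algorithm and compare.

    Returns (ok, want, have): ok is False when the file must be rejected,
    which is exactly the situation the bug report shows.
    """
    algo, want = checksums[href]
    have = hashlib.new(algo, data).hexdigest()
    return have == want, want, have


if __name__ == "__main__":
    table = expected_checksums(PRIMARY_XML)
    href = "i586/pm-utils-1.4.1-26.5.1.i586.rpm"
    # Constructed stand-in for the temporary file; it will not match the repodata.
    ok, want, have = verify_download(b"constructed stand-in for the download", href, table)
    if not ok:
        print("invalid %s checksum for %s:" % (table[href][0], href))
        print("want:", want)
        print("have:", have)
```

A mismatch here means nothing more than "this byte stream is not what the signed repodata describes"; the rpm's own signature (which `rpm --checksig` validated on the file above) is a separate statement about the package, and the repodata checksum is the only thing tying the specific download to the repository that was configured.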