[Bug 821793] New: SHA256 checksum errors in updates
https://bugzilla.novell.com/show_bug.cgi?id=821793#c0

Summary: SHA256 checksum errors in updates
Classification: openSUSE
Product: openSUSE 12.3
Version: Final
Platform: All
OS/Version: openSUSE 12.3
Status: NEW
Severity: Major
Priority: P5 - None
Component: Maintenance
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: Ulrich.Windl@rz.uni-regensburg.de
QAContact: qa-bugs@suse.de
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux i686; rv:20.0) Gecko/20100101 Firefox/20.0

A moment ago I saw several checksum errors when getting updates from
http://download.opensuse.org/update/12.3. For example (my own program prints these lines):

[3] Getting 'http://download.opensuse.org/update/12.3/x86_64/pm-utils-ndiswrapper-1.4.1-2...'
[1] invalid sha256 checksum for x86_64/pm-utils-ndiswrapper-1.4.1-26.5.1.x86_64.rpm~e1~:
    want: 661d5874501f8d2d8c125f2c891894c2b672f37a3ca5c31753a3fdd262d1e26b
    have: 9c671bd162cc9fbe8d363b15e172f922509d32d54a51eacf819edb97b2086c98
[3] Getting 'http://download.opensuse.org/update/12.3/x86_64/Mesa-32bit-9.0.2-34.6.1.x86_...'
[1] invalid sha256 checksum for x86_64/Mesa-32bit-9.0.2-34.6.1.x86_64.rpm~J0~:
    want: c922ab60b74c6d41cd82b6ccdaefe3b440c52696525332d3aa1e8d4d5a7eaf03
    have: 2e82765b32f2519274dd41185ead084b4f1f5ea780d126a3438e16a4c7d6b239
[3] Getting 'http://download.opensuse.org/update/12.3/x86_64/Mesa-libGL1-9.0.2-34.6.1.x86...'
[1] invalid sha256 checksum for x86_64/Mesa-libGL1-9.0.2-34.6.1.x86_64.rpm~am~:
    want: 2213e33e311ba9ee2492c43cfbb2e71432e5ccdbe11bf8db916ff08f51fd7c87
    have: 07cdb85dc628d95a3d8a8efda0421202ba17d0d9485fb8479ed3b96246802247

For reference, I used repodata derived from this signature (the files below pass the signature test):

gpg: Signature made Fr 24 Mai 2013 15:53:08 CEST using RSA key ID 3DBDC284
gpg: Good signature from "openSUSE Project Signing Key <opensuse@opensuse.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 22C0 7BA5 3417 8CD0 2EFE 22AA B88B 2FD4 3DBD C284

-rw-r--r-- 1 wiu09024 users 2428152 24. Mai 15:52 2a2d13185d2f135560b86bc6c0608cd997a586fce8ae85f328765cff8d87c344-other.xml.gz
-rw-r--r-- 1 wiu09024 users 4535248 24. Mai 15:52 2ed369c6c192886dd9a1b2e756cc4504f50ebadba33ab5107e12a81165da4329-primary.xml.gz
-rw-r--r-- 1 wiu09024 users     155 24. Mai 15:53 32563a2660399134bc76f392681f7eec44b594644cb5373c4059d35b5fe53881-suseinfo.xml.gz
-rw-r--r-- 1 wiu09024 users  141493 24. Mai 15:52 36432aa49a5bdf474453dcf9511ceaad6a59330f508b8870d4f8e6e0e271ab14-updateinfo.xml.gz
-rw-r--r-- 1 wiu09024 users  202267 24. Mai 15:53 4d36c39ea98748cd925e91e7e571da3286f4ff2a3dc17f4a978fc72444d1b020-deltainfo.xml.gz
-rw-r--r-- 1 wiu09024 users 1601058 24. Mai 15:52 ba71444bfdbd015cfb4354031598b0083943d4da81506ab5252bcc40e4b4d771-appdata.xml.gz
-rw-r--r-- 1 wiu09024 users 7174717 24. Mai 15:52 f39df04300551cbc510dd9906fa20c9963177577002917bda7b86ba76a53f955-filelists.xml.gz

Reproducible: Always

Steps to Reproduce:
1. Download current set of updates

Actual Results:
Checksums fail

Expected Results:
Checksums match

I hope your site wasn't attacked.

-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=821793#c1

--- Comment #1 from Ulrich Windl <Ulrich.Windl@rz.uni-regensburg.de> 2013-05-28 08:00:37 CEST ---

There was a repository update since reporting the problem, but the problem is still there (while other packages have no problem). Here are some recent examples:

i586/pm-utils-1.4.1-26.5.1.i586.rpm:
    want: 13fe7b0999b1ae3f3bb01e9a944b7919ec60ad9a1635d39369d54d16c4907de7
    have: a8be173fb177c9d77ec7b926a3720993760972043100ebba6d80fd47b0b0888f
i586/pm-utils-ndiswrapper-1.4.1-26.5.1.i586.rpm:
    want: 97301353d4a993967f2cf9071959f36c8c1a122b8092960bb919cf56e7c11b4b
    have: 47a1a16f284bccd1a0e65cc6c812ff54249a4107ca9cd6a9a3869a09d10fc9fe
i586/Mesa-9.0.2-34.6.1.i586.rpm:
    want: fb039dfa030593e72515add4af50eee4c0585074be895a5dd67133eafed7ee66
    have: dc3af7ce725d39801aeb7fe86af72a993b5260617b6eeb7115b6a35a14bca86b
[...many more...]
x86_64/libxatracker-devel-1.0.0-34.6.1.x86_64.rpm:
    want: b50786df549d769c5f60553f4b82ae8588b30b69ccfa5eb9f981892ebf5ce042
    have: b82e5258ee837d9fd952a4a81f0d8753e898897d4c540c701621e8e64020e81f
https://bugzilla.novell.com/show_bug.cgi?id=821793#c2

Marcus Meissner <meissner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |meissner@suse.com
         AssignedTo|bnc-team-screening@forge.pr |maintenance@opensuse.org
                   |ovo.novell.com              |

--- Comment #2 from Marcus Meissner <meissner@suse.com> 2013-05-28 13:53:37 UTC ---

should not happen
https://bugzilla.novell.com/show_bug.cgi?id=821793#c3

--- Comment #3 from Ulrich Windl <Ulrich.Windl@rz.uni-regensburg.de> 2013-05-29 08:41:10 CEST ---

(comment #2: "should not happen") Unfortunately it does. One concrete example:

---snip---
[1] invalid sha256 checksum for i586/pm-utils-1.4.1-26.5.1.i586.rpm~CE~:
    want: 13fe7b0999b1ae3f3bb01e9a944b7919ec60ad9a1635d39369d54d16c4907de7
    have: a8be173fb177c9d77ec7b926a3720993760972043100ebba6d80fd47b0b0888f
Bad checksum for 'i586/pm-utils-1.4.1-26.5.1.i586.rpm~CE~'!
---snip---

(the "~CE~" is a random temporary filename suffix until the checksum is verified)

Examining this temporary file I see:

-rw-r--r-- 1 user users 78221 29. Mai 08:24 SL-12.3-i386/i586/pm-utils-1.4.1-26.5.1.i586.rpm~Ej~

rpm --checksig SL-12.3-i386/i586/pm-utils-1.4.1-26.5.1.i586.rpm~Ej~
SL-12.3-i386/i586/pm-utils-1.4.1-26.5.1.i586.rpm~Ej~: rsa sha1 (md5) pgp md5 OK

rpm -qip SL-12.3-i386/i586/pm-utils-1.4.1-26.5.1.i586.rpm~Ej~
Name        : pm-utils
Version     : 1.4.1
Release     : 26.5.1
Architecture: i586
Install Date: (not installed)
Group       : System/Base
Size        : 198446
License     : GPL-2.0
Signature   : RSA/SHA256, Mo 22 Apr 2013 16:53:45 CEST, Key ID b88b2fd43dbdc284
Source RPM  : pm-utils-1.4.1-26.5.1.src.rpm
Build Date  : Sa 13 Apr 2013 15:35:11 CEST
Build Host  : build80
Relocations : (not relocatable)
Packager    : http://bugs.opensuse.org
Vendor      : openSUSE
URL         : http://pm-utils.freedesktop.org/wiki/
Summary     : Tools to suspend and hibernate computers
Description :
pm-utils provide simple shell command line tools to suspend and hibernate
computers that can be used to run vendor or distro supplied scripts on
suspend and resume.
Distribution: openSUSE 12.3
---

% sha256sum -b SL-12.3-i386/i586/pm-utils-1.4.1-26.5.1.i586.rpm~Ej~
a8be173fb177c9d77ec7b926a3720993760972043100ebba6d80fd47b0b0888f *SL-12.3-i386/i586/pm-utils-1.4.1-26.5.1.i586.rpm~Ej~
---

From SL-12.3/repodata/e6bb9a36bdd5436465a08904cd8dc4fdc39f9eed6506a60cb8b2890f91bdafe9-primary.xml.gz:

<package type="rpm">
  <name>pm-utils</name>
  <arch>i586</arch>
  <version epoch="0" ver="1.4.1" rel="26.5.1"/>
  <checksum type="sha256" pkgid="YES">13fe7b0999b1ae3f3bb01e9a944b7919ec60ad9a1635d39369d54d16c4907de7</checksum>
  <summary>Tools to suspend and hibernate computers</summary>
[...]
---

As you can see, the indicated SHA256 checksum is extracted correctly from the primary.xml, and it is computed correctly for the downloaded file, but both checksums differ, effectively breaking the chain of trust: it's not certified that the downloaded file is an official update for openSUSE-12.3!
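The check described in this thread (take the sha256 pkgid from primary.xml, hash the downloaded file, refuse the package when the two differ) as an added Python example; this is not the reporter's program or any openSUSE tooling. It assumes primary.xml carries the usual http://linux.duke.edu/metadata/common namespace (the fragment quoted above omits it, so the parser accepts both forms), the package payloads and the second package entry are constructed, and the first entry reuses the pm-utils checksum quoted in comment #3. Verifying the repomd.xml signature that anchors the chain of trust is not part of the block; the index it builds is only as trustworthy as the primary.xml fed to it.

```python
import hashlib
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Key = Tuple[str, str, str, str]  # (name, arch, ver, rel)

# Constructed sample payloads (not real RPMs).
GOOD_DATA = b"constructed package payload whose checksum is listed in primary.xml\n"
BAD_DATA = b"constructed package payload that does not match the listed checksum\n"

# Checksum quoted from the page's primary.xml for pm-utils-1.4.1-26.5.1.i586.
PM_UTILS_WANT = "13fe7b0999b1ae3f3bb01e9a944b7919ec60ad9a1635d39369d54d16c4907de7"


def sample_primary_xml() -> str:
    """Constructed primary.xml modelled on the <package> fragment in comment #3.

    The pm-utils entry keeps the checksum the repository advertised; the
    second package is invented so that one entry in the sample can verify."""
    good_sum = hashlib.sha256(GOOD_DATA).hexdigest()
    return f"""<metadata xmlns="http://linux.duke.edu/metadata/common" packages="2">
<package type="rpm">
  <name>pm-utils</name>
  <arch>i586</arch>
  <version epoch="0" ver="1.4.1" rel="26.5.1"/>
  <checksum type="sha256" pkgid="YES">{PM_UTILS_WANT}</checksum>
  <summary>Tools to suspend and hibernate computers</summary>
</package>
<package type="rpm">
  <name>example-pkg</name>
  <arch>x86_64</arch>
  <version epoch="0" ver="1.0" rel="1.1"/>
  <checksum type="sha256" pkgid="YES">{good_sum}</checksum>
  <summary>Constructed entry for this example</summary>
</package>
</metadata>
"""


def _local(tag: str) -> str:
    """Strip a {namespace} prefix so the parser works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def parse_primary(xml_text: str) -> Dict[Key, str]:
    """Index every sha256 pkgid in primary.xml by (name, arch, ver, rel)."""
    index: Dict[Key, str] = {}
    for pkg in ET.fromstring(xml_text).iter():
        if _local(pkg.tag) != "package":
            continue
        child = {_local(c.tag): c for c in pkg}
        checksum = child.get("checksum")
        if checksum is None or checksum.get("type") != "sha256":
            continue  # this example only trusts sha256 pkgids
        version = child["version"]
        key = (child["name"].text, child["arch"].text,
               version.get("ver"), version.get("rel"))
        digest = (checksum.text or "").strip().lower()
        if len(digest) != 64 or any(ch not in "0123456789abcdef" for ch in digest):
            raise ValueError(f"malformed sha256 for {key}: {digest!r}")
        index[key] = digest
    return index


@dataclass(frozen=True)
class Verdict:
    key: Key
    want: Optional[str]  # checksum advertised by repodata, None if unlisted
    have: str            # checksum of the bytes actually downloaded
    ok: bool


def verify_package(index: Dict[Key, str], key: Key, data: bytes) -> Verdict:
    """Compare the downloaded bytes against the checksum primary.xml promised.

    A package that repodata does not list at all is a failure too: nothing
    signed vouches for it, which is the same chain-of-trust break the report
    describes for a mismatching checksum."""
    have = hashlib.sha256(data).hexdigest()
    want = index.get(key)
    return Verdict(key, want, have, want is not None and want == have)


def report(v: Verdict) -> str:
    """Render a verdict in the style of the reporter's log lines."""
    name = f"{v.key[1]}/{v.key[0]}-{v.key[2]}-{v.key[3]}.{v.key[1]}.rpm"
    if v.ok:
        return f"[3] sha256 OK for {name}"
    return (f"[1] invalid sha256 checksum for {name}: "
            f"want: {v.want or '(not listed)'} have: {v.have}")


if __name__ == "__main__":
    idx = parse_primary(sample_primary_xml())
    print(report(verify_package(idx, ("pm-utils", "i586", "1.4.1", "26.5.1"), BAD_DATA)))
    print(report(verify_package(idx, ("example-pkg", "x86_64", "1.0", "1.1"), GOOD_DATA)))
```

The pm-utils entry reproduces the failure mode from the thread: the metadata value is parsed cleanly and the file hashes cleanly, yet the two never agree, so the package is rejected even though its embedded RPM signature would pass `rpm --checksig`. That distinction matters for anyone triaging such a report: a valid per-package signature only proves the build service signed some RPM with that name, not that it is the one the signed repodata points to.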
https://bugzilla.novell.com/show_bug.cgi?id=821793#c4

--- Comment #4 from Marcus Meissner <meissner@suse.com> 2013-05-29 14:40:56 UTC ---

So Mesa and pm-utils were updates that Adrian rereleased during a time when releaserequests were semi-broken.

I deleted patchinfo.1579 and patchinfo.1592 from openSUSE:12.3:Update and rebuilt both projects fully to release them again.

Are there others besides those two? (Can you run your test again in some hours to see if there are other RPMs?)
https://bugzilla.novell.com/show_bug.cgi?id=821793#c

Marcus Meissner <meissner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |adrian@suse.com,
                   |                            |bbrunner@suse.com
         AssignedTo|maintenance@opensuse.org    |meissner@suse.com
https://bugzilla.novell.com/show_bug.cgi?id=821793#c5

Marcus Meissner <meissner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #5 from Marcus Meissner <meissner@suse.com> 2013-06-20 07:55:56 UTC ---

We fixed them now by rereleasing. Caused by a forced rerelease after we changed a key, I think.