[opensuse-factory] broken shasums for 42.2 isos?

wget http://download.opensuse.org/distribution/leap/42.2/iso/openSUSE-Leap-42.2-D...
wget http://download.opensuse.org/distribution/leap/42.2/iso/openSUSE-Leap-42.2-D...
shasum -c openSUSE-Leap-42.2-NET-x86_64.iso.sha256
openSUSE-Leap-42.2-NET-x86_64.iso: OK
shasum: WARNING: 14 lines are improperly formatted

Is this expected?
--
"The wise are known for their understanding, and pleasant words are persuasive."
Proverbs 16:21 (New Living Translation)

Team OS/2 ** Reg. Linux User #211409 ** a11y rocks!

Felix Miata *** http://fm.no-ip.com/
--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

Is this expected?
Yes, this is expected, there is an embedded PGP signature in the .sha256 file which `shasum` does not recognise. This can be used to verify that the .sha256 file did indeed come from openSUSE rather than some other malicious source.

On 11/20/2016 09:48 PM, Karl Cheng wrote:
Is this expected? Yes, this is expected, there is an embedded PGP signature in the .sha256 file which `shasum` does not recognise.
This can be used to verify that the .sha256 file did indeed come from openSUSE rather than some other malicious source.
A little more info about that would have been useful. I would expect a file called sha256, next to an ISO, to be the shasum of that ISO and nothing else. And where on that download page is the real shasum file? I had to go to the mirror page to find it.

Is this expected? Yes, this is expected, there is an embedded PGP signature in the .sha256 file which `shasum` does not recognise.
This can be used to verify that the .sha256 file did indeed come from openSUSE rather than some other malicious source.
A little more info about that would have been useful. I would expect a file called sha256, next to an ISO, to be the shasum of that ISO and nothing else. And where on that download page is the real shasum file? I had to go to the mirror page to find it.
It is the "real shasum file". It also just happens to have been signed by the PGP key and contain the signature. sha256sum will exit without an error, and the warnings are just advisory -- so scripts will also have no issue with it.

It's actually _less safe_ to "just have a .sha256" because it will mean that you cannot be sure that your local mirror isn't replacing the ISOs with malware.
--
Aleksa Sarai
Software Engineer (Containers)
SUSE Linux GmbH
https://www.cyphar.com/

On Nov 21 2016, Aleksa Sarai <asarai@suse.de> wrote:
It is the "real shasum file". It also just happens to have been signed by the PGP key and contain the signature. sha256sum will exit without an error, and the warnings are just advisory -- so scripts will also have no issue with it.
It's actually _less safe_ to "just have a .sha256" because it will mean that you cannot be sure that your local mirror isn't replacing the ISOs with malware.
The signature could also be detached.

Andreas.
--
Andreas Schwab, SUSE Labs, schwab@suse.de
GPG Key fingerprint = 0196 BAD8 1CE9 1970 F4BE 1748 E4D4 88E3 0EEA B9D7
"And now for something completely different."

On Monday, 21 November 2016 20:21 Aleksa Sarai wrote:
It is the "real shasum file". It also just happens to have been signed by the PGP key and contain the signature. sha256sum will exit without an error, and the warnings are just advisory -- so scripts will also have no issue with it.
It's actually similar to the earlier situation when we used to have one SHA1SUMS file for the whole directory (except you got different warnings about files not found). As Andreas pointed out, we could put the signature into a separate file (say .sha256.sign) but I wonder if there would be an advantage compared to a detached signature of the iso image itself.

Michal Kubeček

On Mon, Nov 21, 2016 at 12:53 PM, Michal Kubecek <mkubecek@suse.cz> wrote:
As Andreas pointed out, we could put the signature into a separate file (say .sha256.sign) but I wonder if there would be an advantage compared to a detached signature of the iso image itself.
Exactly. A detached signature is hash + proof that it has not been tampered with, which is exactly what we have here - but a detached signature has the advantage that it makes it clear what it is and how to verify it. I'm not sure how easy it is to compare a detached signature on Windows as compared with a plain hash; but the current file requires manual intervention on Windows as well as proving to be confusing even for Linux users ...

On Mon, Nov 21, 2016 at 08:21:03PM +1100, Aleksa Sarai wrote:
Is this expected? Yes, this is expected, there is an embedded PGP signature in the .sha256 file which `shasum` does not recognise.
This can be used to verify that the .sha256 file did indeed come from openSUSE rather than some other malicious source.
A little more info about that would have been useful. I would expect a file called sha256, next to an ISO, to be the shasum of that ISO and nothing else. And where on that download page is the real shasum file? I had to go to the mirror page to find it.
It is the "real shasum file". It also just happens to have been signed by the PGP key and contain the signature. sha256sum will exit without an error, and the warnings are just advisory -- so scripts will also have no issue with it.
It's actually _less safe_ to "just have a .sha256" because it will mean that you cannot be sure that your local mirror isn't replacing the ISOs with malware.
That's all very reasonable and sensible, and I surmised exactly that last week when I pulled down a 42.2 iso, and first wondered if something had gone wrong causing the warning.

We could be a little more helpful. Rather than just advertising the feature in the "Verify your download before use" section of the download page, link to a simple line-by-line set of instructions to describe the right way to confirm who signed the checksum?

Lots of users are very intimidated by the plethora of options with GPG and struggle to know where to start. Even for a regular user looking to upgrade from an earlier version, 'gpg --verify opensuse_foo.sha256' is likely to report that the openSUSE public key isn't installed. Some will follow down the rabbit hole, others may just give up/install another distro etc. If we want to encourage good security practice then we're best making it as easy as possible to follow good practice.

Daniel

On Monday, 21 November 2016 10:25:36 CET, Daniel Morris wrote:
Lots of users are very intimidated by the plethora of options with GPG and struggle to know where to start. Even for a regular user looking to upgrade from an earlier version, 'gpg --verify opensuse_foo.sha256' is likely to report that the openSUSE public key isn't installed. Some will follow down the rabbit hole, others may just give up/install another distro etc. If we want to encourage good security practice then we're best making it as easy as possible to follow good practice.
I tried gpg --verify openSUSE-Leap-42.2-DVD-x86_64.iso.sha256
got:
gpg: Signature made di 15 nov 2016 18:04:50 CET
gpg:                using RSA key B88B2FD43DBDC284
gpg: Good signature from "openSUSE Project Signing Key <opensuse@opensuse.org>" [expired]
gpg: Note: This key has expired!
Primary key fingerprint: 22C0 7BA5 3417 8CD0 2EFE 22AA B88B 2FD4 3DBD C284

It is a proper key, however expired.

By the way: I use:
head -4 openSUSE-Leap-42.2-DVD-x86_64.iso.sha256 | tail -1 | sha256sum -c -
to check the checksum.
--
fr.gr.

member openSUSE

Freek de Kruijf
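The `head -4 | tail -1` trick above works for this particular file but depends on the exact line layout of the clearsigned message. The script below is an added example, not code posted in the thread or shipped by openSUSE: it performs the two checks in order (first `gpg --verify` on the .sha256 file to confirm who signed it, then the checksum of the ISO) and locates the checksum payload by the clearsign delimiters rather than by line number, so it also accepts a plain, unsigned .sha256 file and handles clearsign dash-escaping. It assumes GNU coreutils `sha256sum`, a POSIX shell and awk, and a gpg keyring that already contains the openSUSE signing key; the ISO name in the usage comment is taken from the thread, everything else is constructed.

```shell
#!/bin/sh
# Added example: verify an ISO against a clearsigned .sha256 file.
# Assumes GNU coreutils sha256sum and gpg with the signing key imported.

# Print only the checksum payload of a clearsigned file: the lines between
# the blank line that ends the "Hash:" header block and the
# "-----BEGIN PGP SIGNATURE-----" line, with clearsign dash-escaping
# (a leading "- ") removed. A file without PGP armour is passed through whole.
extract_checksums() {
    awk '
        BEGIN { in_body = 1 }
        /^-----BEGIN PGP SIGNED MESSAGE-----$/ { in_hdr = 1; in_body = 0; next }
        in_hdr && /^$/                          { in_hdr = 0; in_body = 1; next }
        in_hdr                                  { next }   # e.g. "Hash: SHA256"
        /^-----BEGIN PGP SIGNATURE-----$/       { exit }
        in_body                                 { sub(/^- /, ""); print }
    ' "$1"
}

# Step 1: check the signature on the .sha256 file itself. gpg exits
# non-zero for a bad signature or for a key that is not in the keyring,
# so a missing key fails closed instead of being silently skipped.
verify_signature() {
    gpg --verify "$1"
}

# Step 2: check the ISO against the checksum line(s) in the payload.
# Runs in the directory of the .sha256 file so the relative ISO name in
# the payload resolves. --strict makes any malformed line a failure too.
verify_checksum() {
    dir=$(dirname "$1")
    file=$(basename "$1")
    (cd "$dir" && extract_checksums "$file" | sha256sum -c --strict -)
}

# Both steps must pass; stop at the first failure.
verify_iso() {
    verify_signature "$1" && verify_checksum "$1"
}

# Usage (file name from the thread):
#   verify_iso openSUSE-Leap-42.2-DVD-x86_64.iso.sha256
```

Keeping the signature check and the checksum check as separate functions also makes it obvious which of the two failed: an expired or missing key stops at `verify_signature`, a corrupt or replaced ISO stops at `verify_checksum`.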

On Nov 21 2016, Freek de Kruijf <freek@opensuse.org> wrote:
I tried gpg --verify openSUSE-Leap-42.2-DVD-x86_64.iso.sha256
got:
gpg: Signature made di 15 nov 2016 18:04:50 CET
gpg:                using RSA key B88B2FD43DBDC284
gpg: Good signature from "openSUSE Project Signing Key <opensuse@opensuse.org>" [expired]
gpg: Note: This key has expired!
Primary key fingerprint: 22C0 7BA5 3417 8CD0 2EFE 22AA B88B 2FD4 3DBD C284
It is a proper key, however expired.
You should update it from the keyrings.

Andreas.
--
Andreas Schwab, SUSE Labs, schwab@suse.de
GPG Key fingerprint = 0196 BAD8 1CE9 1970 F4BE 1748 E4D4 88E3 0EEA B9D7
"And now for something completely different."

On Monday, 21 November 2016 13:00:16 CET, Andreas Schwab wrote:
On Nov 21 2016, Freek de Kruijf <freek@opensuse.org> wrote:
I tried gpg --verify openSUSE-Leap-42.2-DVD-x86_64.iso.sha256
got:
gpg: Signature made di 15 nov 2016 18:04:50 CET
gpg:                using RSA key B88B2FD43DBDC284
gpg: Good signature from "openSUSE Project Signing Key <opensuse@opensuse.org>" [expired]
gpg: Note: This key has expired!
Primary key fingerprint: 22C0 7BA5 3417 8CD0 2EFE 22AA B88B 2FD4 3DBD C284
It is a proper key, however expired.
You should update it from the keyrings.
Used https://en.opensuse.org/SDB:Download_help to update the keyring. Also needed to set trust on the key. I used Kleopatra to do that.
--
fr.gr.

member openSUSE

Freek de Kruijf

On 11/21/2016 08:41 AM, Freek de Kruijf wrote:
On Monday, 21 November 2016 13:00:16 CET, Andreas Schwab wrote:
On Nov 21 2016, Freek de Kruijf <freek@opensuse.org> wrote:
I tried gpg --verify openSUSE-Leap-42.2-DVD-x86_64.iso.sha256
got:
gpg: Signature made di 15 nov 2016 18:04:50 CET
gpg:                using RSA key B88B2FD43DBDC284
gpg: Good signature from "openSUSE Project Signing Key <opensuse@opensuse.org>" [expired]
gpg: Note: This key has expired!
Primary key fingerprint: 22C0 7BA5 3417 8CD0 2EFE 22AA B88B 2FD4 3DBD C284
It is a proper key, however expired.
You should update it from the keyrings.
Used https://en.opensuse.org/SDB:Download_help to update the keyring. Also needed to set trust on the key. I used Kleopatra to do that.
Yep, clearly a better process. /<sarcasm>

Daniel Morris wrote:
On Mon, Nov 21, 2016 at 08:21:03PM +1100, Aleksa Sarai wrote:
Is this expected? Yes, this is expected, there is an embedded PGP signature in the .sha256 file which `shasum` does not recognise.
This can be used to verify that the .sha256 file did indeed come from openSUSE rather than some other malicious source.
A little more info about that would have been useful. I would expect a file called sha256, next to an ISO, to be the shasum of that ISO and nothing else. And where on that download page is the real shasum file? I had to go to the mirror page to find it.
It is the "real shasum file". It also just happens to have been signed by the PGP key and contain the signature. sha256sum will exit without an error, and the warnings are just advisory -- so scripts will also have no issue with it.
It's actually _less safe_ to "just have a .sha256" because it will mean that you cannot be sure that your local mirror isn't replacing the ISOs with malware.
That's all very reasonable and sensible, and I surmised exactly that last week when I pulled down a 42.2 iso, and first wondered if something had gone wrong causing the warning.
We could be a little more helpful. Rather than just advertising the feature in the "Verify your download before use" section of the download page, link to simple line-by-line set of instruction to describe the right way to confirm who signed the checksum?
I tried to improve the description but meanwhile the code was developed further and the patch doesn't apply anymore. If some ruby on rails wizard is reading this, feel free to pick up and improve https://github.com/openSUSE/software-o-o/pull/52 :-)

cu
Ludwig
--
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.com/
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)

On Mon, Nov 21, 2016 at 3:24 AM, Felix Miata <mrmazda@earthlink.net> wrote:
wget http://download.opensuse.org/distribution/leap/42.2/iso/openSUSE-Leap-42.2-D...
wget http://download.opensuse.org/distribution/leap/42.2/iso/openSUSE-Leap-42.2-D...
shasum -c openSUSE-Leap-42.2-NET-x86_64.iso.sha256
openSUSE-Leap-42.2-NET-x86_64.iso: OK
shasum: WARNING: 14 lines are improperly formatted
These simple hash sum files and stuff are all text based, so I do tend to look into them via cat, less or something, and then I can make use of it and understand that it's a simple hash sum and filename next to each other; but this single line string is signed as a PGP message, like an email, so it adds headers and footers and meta overhead to it. That way you can verify that the string, aka the text payload inside, is an actual openSUSE-verified or -created, or at least signed, message giving you the validity or authority about its content, so you can rely that the sha256 sum given in there is authentic and created and approved of by openSUSE.
participants (11)
- Aleksa Sarai
- Andreas Schwab
- Andrei Borzenkov
- cagsm
- Daniel Morris
- Felix Miata
- Freek de Kruijf
- James Knott
- Karl Cheng
- Ludwig Nussel
- Michal Kubecek