[opensuse] Re: [opensuse-factory] broken shasums for 42.2 isos?
On 11/20/2016 09:24 PM, Felix Miata wrote:
wget http://download.opensuse.org/distribution/leap/42.2/iso/openSUSE-Leap-42.2-D...
wget http://download.opensuse.org/distribution/leap/42.2/iso/openSUSE-Leap-42.2-D...
shasum -c openSUSE-Leap-42.2-NET-x86_64.iso.sha256
openSUSE-Leap-42.2-NET-x86_64.iso: OK
shasum: WARNING: 14 lines are improperly formatted
Is this expected?
It's not what I expected. I ran into the same thing, but was able to find the correct shasum on the mirror page. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On Sun, 20 Nov 2016 21:45:23 -0500 James Knott <james.knott@rogers.com> wrote:
On 11/20/2016 09:24 PM, Felix Miata wrote:
shasum -c openSUSE-Leap-42.2-NET-x86_64.iso.sha256
openSUSE-Leap-42.2-NET-x86_64.iso: OK
shasum: WARNING: 14 lines are improperly formatted
Is this expected?
It's not what I expected. I ran into the same thing, but was able to find the correct shasum on the mirror page.
The .sha256 file is PGP signed. Edit it, remove the signature parts (and any trailing blank lines) and you will then have no "improperly formatted" lines. Or, just ignore the format "error" since shasum already said the iso was : OK

Ralph
On 11/20/2016 10:13 PM, listreader wrote:
On Sun, 20 Nov 2016 21:45:23 -0500 James Knott <james.knott@rogers.com> wrote:
On 11/20/2016 09:24 PM, Felix Miata wrote:
shasum -c openSUSE-Leap-42.2-NET-x86_64.iso.sha256
openSUSE-Leap-42.2-NET-x86_64.iso: OK
shasum: WARNING: 14 lines are improperly formatted
Is this expected?
It's not what I expected. I ran into the same thing, but was able to find the correct shasum on the mirror page.
The .sha256 file is PGP signed. Edit it, remove the signature parts (and any trailing blank lines) and you will then have no "improperly formatted" lines. Or, just ignore the format "error" since shasum already said the iso was : OK
And where on the download page does it provide that info??? This is the page I downloaded the ISO from and I don't see any mention of those instructions. https://software.opensuse.org/422/en
On Sun, 20 Nov 2016 22:35:17 -0500 James Knott <james.knott@rogers.com> wrote:
On 11/20/2016 10:13 PM, listreader wrote:
On Sun, 20 Nov 2016 21:45:23 -0500 James Knott <james.knott@rogers.com> wrote:
On 11/20/2016 09:24 PM, Felix Miata wrote:
shasum -c openSUSE-Leap-42.2-NET-x86_64.iso.sha256
openSUSE-Leap-42.2-NET-x86_64.iso: OK
shasum: WARNING: 14 lines are improperly formatted
Is this expected?
It's not what I expected. I ran into the same thing, but was able to find the correct shasum on the mirror page.
The .sha256 file is PGP signed. Edit it, remove the signature parts (and any trailing blank lines) and you will then have no "improperly formatted" lines. Or, just ignore the format "error" since shasum already said the iso was : OK
And where on the download page does it provide that info???
This is the page I downloaded the ISO from and I don't see any mention of those instructions. https://software.opensuse.org/422/en
Don't bark. I couldn't answer that for you, I'm just another user. I'm just giving you the reason you get the error message. I think it was the same in 42.1. Ask on the factory list if you want to know why they've PGP-ed the text file and not given instructions.

Ralph
On 11/20/2016 11:08 PM, listreader wrote:
And where on the download page does it provide that info???
This is the page I downloaded the ISO from and I don't see any mention of those instructions. https://software.opensuse.org/422/en
Don't bark. I couldn't answer that for you, I'm just another user. I'm just giving you the reason you get the error message. I think it was the same in 42.1. Ask on the factory list if you want to know why they've PGP-ed the text file and not given instructions.
I wasn't "barking" at you. However, if that's the process the site should say so. I have been downloading ISOs for almost 20 years and have never come across this before. BTW, I didn't install 42.1, so I don't recall the details for it.
On 11/21/2016 05:48 AM, James Knott wrote:
I wasn't "barking" at you. However, if that's the process the site should say so. I have been downloading ISOs for almost 20 years and have never come across this before.
BTW, I didn't install 42.1, so I don't recall the details for it.
James the PGP key is on a totally separate line than the sha256sum in the checksum file; in the case there was a MitM attack on the actual checksum file, the checksum file's authenticity can be verified by its PGP key. Download both the .iso file and the checksum file and place them in the same directory.

Run this command: `sha256sum -c openSUSE-Leap-42.2-NET-x86_64.iso.sha256` The output should say:

openSUSE-Leap-42.2-NET-x86_64.iso: OK
sha256sum: WARNING: 14 lines are improperly formatted

The "OK" is letting you know that the checksum passed. The improperly formatted error message about line 14 can be ignored but maybe Carlos or someone else knows why, as I don't. I would guess that it's because the PGP key (and other text/lines) is making the sha256sum file non-standard as the sha256sum program reads the additional line(s) and doesn't know how to interpret them. The semi-automated method I described above, the user runs on the actual checksum file itself, not on the .iso.

You can also run sha256sum on the .iso and compare that to the checksum (not the PGP key, once again) in the checksum file.

A third option is now Plasma has a feature where you right-click on any file, click "Properties", and go to the "Checksums" tab. Click on "Calculate" and either before, during or after the CPU has finished running the job, paste the sha256sum from the checksum file into the "Expected checksum" field. In this case, obviously you would be running the "KDE GUI sha256sum method" on the .iso file. When it's done calculating, it will inform you whether you have a matching checksum or not.
On 11/21/2016 10:28 AM, sdm wrote:
sha256sum: WARNING: 14 lines are improperly formatted
Yep and that can be considered a WTF??? moment. Error messages should not come as a surprise. Since this is the new way, document it and don't expect someone to just know it.
* James Knott <james.knott@rogers.com> [11-21-16 10:55]:
On 11/21/2016 10:28 AM, sdm wrote:
sha256sum: WARNING: 14 lines are improperly formatted
Yep and that can be considered a WTF??? moment.
Error messages should not come as a surprise. Since this is the new way, document it and don't expect someone to just know it.
And YOU have submitted a change-request for improved documentation?

-- (paka)Patrick Shanahan Plainfield, Indiana, USA @ptilopteri http://en.opensuse.org openSUSE Community Member facebook/ptilopteri Photos: http://wahoo.no-ip.org/gallery2 Registered Linux User #207535 Photos: http://wahoo.no-ip.org/piwigo @ http://linuxcounter.net
On 11/21/2016 11:29 AM, Patrick Shanahan wrote:
And YOU have submitted a change-request for improved documentation?
Back when I was creating documentation, at IBM, there was no such thing. I was expected to have it right before releasing it.
On 11/21/2016 11:58 AM, James Knott wrote:
On 11/21/2016 11:29 AM, Patrick Shanahan wrote:
And YOU have submitted a change-request for improved documentation?
Back when I was creating documentation, at IBM, there was no such thing. I was expected to have it right before releasing it.
IBM is IBM. They can and do pay to have .. Well, in my time with startups and buying s/w from start-ups I've often recommended that they sit down and try out every example in the docco to see if it does what the docc says it does, if the screens look like the illustrations in the doco. The thing is this takes time and manpower and it costs and all too many startups are more concerned with 'first to market' and something like this might slow things down or impede the release of the latest-and-greatest.

But IBM cares about quality and doesn't get its underwear in a twist over being first to market. Having a superior product is what matters. And part of being superior is having superior docco.

FOSS is more retrograde than startups when it comes to these matters. The docco is often written by the programmers and is worded in terms that are relevant to the programmer rather than a non-programming end user, and are often about things that matter to the programmer rather than an end user. The docco is debugged, if it is, by the same 'many eyes' attitude that is supposed to apply to quality and security of the code. Often the docco is only a MAN page and we all know about the efficacy of MAN pages as end user docco.

Citing IBM just highlights the contrast with their methods, hiring, training, sales, quality control, customer support as well as documentation with FOSS. And revenue to pay for all that.

--
A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting frowned upon?
* James Knott <james.knott@rogers.com> [11-21-16 12:00]:
On 11/21/2016 11:29 AM, Patrick Shanahan wrote:
And YOU have submitted a change-request for improved documentation?
Back when I was creating documentation, at IBM, there was no such thing. I was expected to have it right before releasing it.
Ahhh, an answer w/o an answer. Been in politics very long?

-- (paka)Patrick Shanahan Plainfield, Indiana, USA @ptilopteri http://en.opensuse.org openSUSE Community Member facebook/ptilopteri Photos: http://wahoo.no-ip.org/gallery2 Registered Linux User #207535 Photos: http://wahoo.no-ip.org/piwigo @ http://linuxcounter.net
On 2016-11-21 16:28, sdm wrote:
James the PGP key is on a totally separate line than the sha256sum in the checksum file; in the case there was a MitM attack on the actual checksum file, the checksum file's authenticity can be verified by its PGP key. Download both the .iso file and the checksum file and place them in the same directory.
Run this command: `sha256sum -c openSUSE-Leap-42.2-NET-x86_64.iso.sha256` The output should say:
openSUSE-Leap-42.2-NET-x86_64.iso: OK
sha256sum: WARNING: 14 lines are improperly formatted
The "OK" is letting you know that the checksum passed. The improperly formatted error message about line 14 can be ignored but maybe Carlos or someone else knows why, as I don't. I would guess that it's because the PGP key (and other text/lines) is making the sha256sum file non-standard as the sha256sum program reads the additional line(s) and doesn't know how to interpret them. The semi-automated method I described above, the user runs on the actual checksum file itself, not on the .iso.
You got it completely right :-)

But it is not an error: it is a warning. A warning can be ignored.

A post by Freek de Kruijf explains what to do with the GPG part:

gpg --verify openSUSE-Leap-42.2-DVD-x86_64.iso.sha256

And it will tell something like this:

gpg: Signature made di 15 nov 2016 18:04:50 CET
gpg: using RSA key B88B2FD43DBDC284
gpg: Good signature from "openSUSE Project Signing Key <opensuse@opensuse.org>" [expired]
gpg: Note: This key has expired!
Primary key fingerprint: 22C0 7BA5 3417 8CD0 2EFE 22AA B88B 2FD4 3DBD C284

The note about the key being expired is another error that can happen, and it means that the person has to update the copy of the key.

The idea of all this is that the checksum file itself is signed with a GPG signature. Validating this one verifies that the checksum file has not been altered. Previously, there was a separate PGP or GPG file.

Now someone, the someone that did all those changes, should have updated the documentation to match. Now that we know, someone might try to do it, if the page is not protected - and if it has a PGP signature, it will be.

-- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
21.11.2016 06:13, listreader wrote:
On Sun, 20 Nov 2016 21:45:23 -0500 James Knott <james.knott@rogers.com> wrote:
On 11/20/2016 09:24 PM, Felix Miata wrote:
shasum -c openSUSE-Leap-42.2-NET-x86_64.iso.sha256
openSUSE-Leap-42.2-NET-x86_64.iso: OK
shasum: WARNING: 14 lines are improperly formatted
Is this expected?
It's not what I expected. I ran into the same thing, but was able to find the correct shasum on the mirror page.
The .sha256 file is PGP signed. Edit it, remove the signature parts (and any trailing blank lines) and you will then have no "improperly formatted" lines. Or, just ignore the format "error" since shasum already said the iso was : OK
Or check both at the same time

bor@bor-Latitude-E5450:~/Загрузки$ ( LC_ALL=C LANG=C; gpg --output - openSUSE-Leap-42.2-DVD-x86_64.iso.sha256 | sha256sum -c )
gpg: Signature made Tue Nov 15 20:04:50 2016 MSK using RSA key ID 3DBDC284
gpg: Good signature from "openSUSE Project Signing Key <opensuse@opensuse.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 22C0 7BA5 3417 8CD0 2EFE 22AA B88B 2FD4 3DBD C284
openSUSE-Leap-42.2-DVD-x86_64.iso: OK
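The two checks from Carlos's and Andrei's messages combined into one script, as an added example that is not part of the original thread: it pins the primary key fingerprint that gpg printed above and runs sha256sum only over the text gpg reports as signed. The helper name and temporary-file layout are assumptions, and the signing key must already be in the local keyring.

```shell
#!/bin/sh
# Added example (not from the thread): verify a clearsigned .sha256 file,
# then run sha256sum only over the text that gpg reports as signed.

# Primary key fingerprint as printed by gpg in this thread, spaces removed.
EXPECTED_FPR=22C07BA534178CD02EFE22AAB88B2FD43DBDC284

# verify_signed_sums FILE.sha256   (hypothetical helper name)
# Returns 0 only if the signature is valid, was made by EXPECTED_FPR,
# and every file listed in the signed text matches its SHA-256.
verify_signed_sums() {
    signed=$1
    workdir=$(mktemp -d) || return 1
    rc=0

    # --decrypt on a clearsigned file checks the signature and writes only
    # the signed text to --output; machine-readable status goes to stdout.
    if ! gpg --batch --status-fd 1 --output "$workdir/sums" \
            --decrypt "$signed" >"$workdir/status" 2>"$workdir/log"; then
        echo "signature check failed for $signed" >&2
        cat "$workdir/log" >&2
        rc=1
    # VALIDSIG's last field is the primary key fingerprint; pin it rather
    # than accepting any key in the keyring that yields a good signature.
    elif ! awk -v fpr="$EXPECTED_FPR" \
            '$2 == "VALIDSIG" && $NF == fpr { ok = 1 } END { exit !ok }' \
            "$workdir/status"; then
        echo "signature is not from key $EXPECTED_FPR" >&2
        rc=1
    # Separate steps instead of "gpg | sha256sum -c": a pipeline's exit
    # status is sha256sum's alone. --strict also fails on malformed lines.
    elif ! (cd "$(dirname "$signed")" && sha256sum --strict -c "$workdir/sums"); then
        echo "checksum mismatch" >&2
        rc=1
    fi

    rm -rf "$workdir"
    return "$rc"
}

# Stand-alone use: sh verify.sh openSUSE-Leap-42.2-DVD-x86_64.iso.sha256
if [ "$#" -gt 0 ]; then
    verify_signed_sums "$1"
fi
```

gpg exits 0 for a good signature even when it prints the "not certified with a trusted signature" warning seen above, which is why the script compares the fingerprint itself.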
James Knott wrote:
On 11/20/2016 09:24 PM, Felix Miata wrote:
wget http://download.opensuse.org/distribution/leap/42.2/iso/openSUSE-Leap-42.2-D...
wget http://download.opensuse.org/distribution/leap/42.2/iso/openSUSE-Leap-42.2-D...
shasum -c openSUSE-Leap-42.2-NET-x86_64.iso.sha256
openSUSE-Leap-42.2-NET-x86_64.iso: OK
shasum: WARNING: 14 lines are improperly formatted
Is this expected?
It's not what I expected. I ran into the same thing, but was able to find the correct shasum on the mirror page.
Hi James,

I have not done it for the longest time, but we used to be able to just use the checksumming utility to also check the sums - i.e. md5sum or sha1sum. There also used to be complete listings named 'MD5SUMS' resp. 'SHA1SUMS' of all checksums of all files, but they disappeared at some point.

The PGP signature is new as of Leap421, up until 13.2, the checksum was not signed. I don't know the reason for this change.

-- Per Jessen, Zürich (16.6°C) http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
On 11/21/2016 09:51 AM, Per Jessen wrote:
It's not what I expected. I ran into the same thing, but was able to find the correct shasum on the mirror page.
Hi James,
I have not done it for the longest time, but we used to be able to just use the checksumming utility to also check the sums - i.e. md5sum or sha1sum. There also used to be complete listings named 'MD5SUMS' resp. 'SHA1SUMS' of all checksums of all files, but they disappeared at some point.
The PGP signature is new as of Leap421, up until 13.2, the checksum was not signed. I don't know the reason for this change.
Regardless of the reason, people shouldn't be left with a WTF??? experience, as is happening with this. If this is the new method, it should be clearly documented. Like you, I'd download an ISO and the md5sum file and then run md5sum -c against the md5sum file. IIRC, at one point, the md5sum file contained the md5sum for all the ISOs available and you could download more than one ISO and check them all with just one md5sum -c command.

Incidentally, in the late 90s, I worked at IBM Canada, as a product specialist. I provided 3rd level support for OS/2 and some Windows apps. In that role, I created a lot of documentation for users or other support staff. A situation such as this would not have been tolerated.
James Knott wrote:
On 11/21/2016 09:51 AM, Per Jessen wrote:
It's not what I expected. I ran into the same thing, but was able to find the correct shasum on the mirror page.
Hi James,
I have not done it for the longest time, but we used to be able to just use the checksumming utility to also check the sums - i.e. md5sum or sha1sum. There also used to be complete listings named 'MD5SUMS' resp. 'SHA1SUMS' of all checksums of all files, but they disappeared at some point.
The PGP signature is new as of Leap421, up until 13.2, the checksum was not signed. I don't know the reason for this change.
Regardless of the reason, people shouldn't be left with a WTF??? experience, as is happening with this. If this is the new method, it should be clearly documented.
Agree. The openSUSE:SDB needs to be updated.
Incidentally, in the late 90s, I worked at IBM Canada, as a product specialist. I provided 3rd level support for OS/2 and some Windows apps. In that role, I created a lot of documentation for users or other support staff. A situation such as this would not have been tolerated.
Sure, but perhaps not a fair comparison.

-- Per Jessen, Zürich (17.6°C) http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
participants (8)
- Andrei Borzenkov
- Anton Aylward
- Carlos E. R.
- James Knott
- listreader
- Patrick Shanahan
- Per Jessen
- sdm