tahoe 1.16.0
Chad Dougherty
crd at acm.org
Wed Oct 27 13:10:22 UTC 2021
On 2021-10-23 21:10, Chad Dougherty wrote:
> Sorry for what was likely a false alarm although I suppose there's a
> chance that something was genuinely going wrong.
>
One more observation - the corruption I experienced was only when
downloading with Firefox. It seems that the distribution server is
re-gzipping the file when the user agent is Firefox:

(using freshly downloaded copies of the distribution files)

$ gpg2 --verify tahoe-lafs-1.16.0.tar.gz.asc
gpg: assuming signed data in 'tahoe-lafs-1.16.0.tar.gz'
gpg: Signature made Tue Oct 19 19:38:15 2021 EDT
gpg: using RSA key 9D5A2BD5688ECB889DEBCD3FC2602803128069A7
gpg: BAD signature from "meejah <meejah at meejah.ca>" [unknown]
$ mv tahoe-lafs-1.16.0.tar.gz tahoe-lafs-1.16.0.tar.gz.gz
$ gunzip tahoe-lafs-1.16.0.tar.gz.gz
$ gpg2 --verify tahoe-lafs-1.16.0.tar.gz.asc
gpg: assuming signed data in 'tahoe-lafs-1.16.0.tar.gz'
gpg: Signature made Tue Oct 19 19:38:15 2021 EDT
gpg: using RSA key 9D5A2BD5688ECB889DEBCD3FC2602803128069A7
gpg: Good signature from "meejah <meejah at meejah.ca>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the
owner.
Primary key fingerprint: 9D5A 2BD5 688E CB88 9DEB CD3F C260 2803 1280 69A7

The same holds true for older releases from the same server:

$ gpg2 tahoe-lafs-1.15.0.tar.gz.asc
gpg: WARNING: no command supplied. Trying to guess what you mean ...
gpg: assuming signed data in 'tahoe-lafs-1.15.0.tar.gz'
gpg: Signature made Tue Feb 2 16:36:59 2021 EST
gpg: using RSA key E34E62D06D0E69CFCA4179FFBDE0D31D68666A7A
gpg: BAD signature from "Tahoe-LAFS Release-Signing Key
(https://tahoe-lafs.org)" [unknown]
$ mv tahoe-lafs-1.15.0.tar.gz tahoe-lafs-1.15.0.tar.gz.gz
$ gunzip tahoe-lafs-1.15.0.tar.gz.gz
$ gpg2 tahoe-lafs-1.15.0.tar.gz.asc
gpg: WARNING: no command supplied. Trying to guess what you mean ...
gpg: assuming signed data in 'tahoe-lafs-1.15.0.tar.gz'
gpg: Signature made Tue Feb 2 16:36:59 2021 EST
gpg: using RSA key E34E62D06D0E69CFCA4179FFBDE0D31D68666A7A
gpg: Good signature from "Tahoe-LAFS Release-Signing Key
(https://tahoe-lafs.org)" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the
owner.
Primary key fingerprint: E34E 62D0 6D0E 69CF CA41 79FF BDE0 D31D 6866 6A7A

I confirmed this from several different hosts using several different
versions of Firefox. Maybe the web server has some additional gzip
module that is misconfigured or something?

I did not experience this when downloading tahoe-lafs using curl or
Microsoft Edge and I have not experienced similar behavior with Firefox
on any other sites despite daily constant use.

Thanks...
--
-Chad
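
An added example, not part of the original message: a Python check for the condition described above, where the file saved to disk is the published .tar.gz wrapped in one more gzip layer. The function names and the sample tarball are constructed for illustration; the unwrapped payload is the data a detached signature would be verified against.

```python
import gzip
import hashlib
import io
import tarfile
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"  # ID1, ID2, CM=deflate (RFC 1952)


def unwrap_extra_gzip(data, max_layers=3):
    """Peel outer gzip layers while the content underneath is itself gzip.

    Returns (payload, stripped); payload is the single-layer .tar.gz that a
    detached signature would have been made over.
    """
    stripped = 0
    while stripped < max_layers and data[:3] == GZIP_MAGIC:
        try:
            inner = gzip.decompress(data)
        except (OSError, EOFError, zlib.error):
            break  # truncated or corrupt: leave it for the signature check to reject
        if inner[:3] != GZIP_MAGIC:
            break  # inner is the tar archive, so data is the real .tar.gz
        data, stripped = inner, stripped + 1
    return data, stripped


def make_sample_release():
    """Constructed stand-in for a release tarball (not a real Tahoe-LAFS file)."""
    body = b"constructed sample, not a real release\n"
    info = tarfile.TarInfo("sample-1.0/README")
    info.size = len(body)
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


if __name__ == "__main__":
    published = make_sample_release()     # what the signer hashed
    as_saved = gzip.compress(published)   # the same bytes with one extra gzip layer
    payload, stripped = unwrap_extra_gzip(as_saved)
    for label, blob in (("published", published), ("as saved", as_saved),
                        ("unwrapped", payload)):
        print(f"{label:10} {hashlib.sha256(blob).hexdigest()}")
    print("extra gzip layers removed:", stripped)
```

A non-zero layer count on a downloaded file means the bytes on disk are not the bytes that were signed, which matches the BAD signature results in the session above.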