tahoe 1.16.0

Chad Dougherty crd at acm.org
Wed Oct 27 13:10:22 UTC 2021


On 2021-10-23 21:10, Chad Dougherty wrote:
> Sorry for what was likely a false alarm although I suppose there's a 
> chance that something was genuinely going wrong.
> 

One more observation - the corruption I experienced was only when 
downloading with Firefox.  It seems that the distribution server is 
re-gzipping the file when the user agent is Firefox:

(using freshly downloaded copies of the distribution files)
$ gpg2 --verify tahoe-lafs-1.16.0.tar.gz.asc
gpg: assuming signed data in 'tahoe-lafs-1.16.0.tar.gz'
gpg: Signature made Tue Oct 19 19:38:15 2021 EDT
gpg:                using RSA key 9D5A2BD5688ECB889DEBCD3FC2602803128069A7
gpg: BAD signature from "meejah <meejah at meejah.ca>" [unknown]
$ mv tahoe-lafs-1.16.0.tar.gz tahoe-lafs-1.16.0.tar.gz.gz
$ gunzip tahoe-lafs-1.16.0.tar.gz.gz
$ gpg2 --verify tahoe-lafs-1.16.0.tar.gz.asc
gpg: assuming signed data in 'tahoe-lafs-1.16.0.tar.gz'
gpg: Signature made Tue Oct 19 19:38:15 2021 EDT
gpg:                using RSA key 9D5A2BD5688ECB889DEBCD3FC2602803128069A7
gpg: Good signature from "meejah <meejah at meejah.ca>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 9D5A 2BD5 688E CB88 9DEB  CD3F C260 2803 1280 69A7


The same holds true for older releases from the same server:
$ gpg2 tahoe-lafs-1.15.0.tar.gz.asc
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
gpg: assuming signed data in 'tahoe-lafs-1.15.0.tar.gz'
gpg: Signature made Tue Feb  2 16:36:59 2021 EST
gpg:                using RSA key E34E62D06D0E69CFCA4179FFBDE0D31D68666A7A
gpg: BAD signature from "Tahoe-LAFS Release-Signing Key (https://tahoe-lafs.org)" [unknown]
$ mv tahoe-lafs-1.15.0.tar.gz tahoe-lafs-1.15.0.tar.gz.gz
$ gunzip tahoe-lafs-1.15.0.tar.gz.gz
$ gpg2 tahoe-lafs-1.15.0.tar.gz.asc
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
gpg: assuming signed data in 'tahoe-lafs-1.15.0.tar.gz'
gpg: Signature made Tue Feb  2 16:36:59 2021 EST
gpg:                using RSA key E34E62D06D0E69CFCA4179FFBDE0D31D68666A7A
gpg: Good signature from "Tahoe-LAFS Release-Signing Key (https://tahoe-lafs.org)" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: E34E 62D0 6D0E 69CF CA41  79FF BDE0 D31D 6866 6A7A

I confirmed this from several different hosts using several different 
versions of Firefox.  Maybe the web server has some additional gzip 
module that is misconfigured or something?

I did not experience this when downloading tahoe-lafs using curl or 
Microsoft Edge and I have not experienced similar behavior with Firefox 
on any other sites despite daily constant use.

Thanks...

-- 
     -Chad
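The check below is an added example and is not part of Chad's post or of the Tahoe-LAFS project: it shows how to tell a transport-level re-gzip (what the thread describes for Firefox downloads) apart from the single gzip layer that a signed .tar.gz legitimately has, and how to peel only the extra layer so the bytes handed to gpg are the ones the release signer actually signed. It does not call gpg; the small tarball it builds in memory is constructed for the demo, and the member path inside it is a made-up placeholder.

```python
"""Detect and undo an extra gzip layer added in transit before verifying a
detached signature.  Added example for this thread (not from the original
post); the archive is constructed inline so the script runs offline."""
import gzip
import hashlib
import io
import tarfile

GZIP_MAGIC = b"\x1f\x8b"  # every gzip member starts with these two bytes


def is_gzip(data: bytes) -> bool:
    return data[:2] == GZIP_MAGIC


def gzip_depth(data: bytes, limit: int = 8) -> int:
    """Count nested gzip layers around `data` (0 if it is not gzip at all).
    A healthy release .tar.gz reports 1; a re-gzipped download reports 2."""
    depth = 0
    while is_gzip(data) and depth < limit:
        data = gzip.decompress(data)
        depth += 1
    return depth


def strip_transport_gzip(data: bytes) -> bytes:
    """Peel gzip layers while the content underneath is *still* gzip.
    The innermost gzip layer is the tarball's own and is what the detached
    signature covers, so it is left in place; anything wrapped around it was
    added after signing (by a server or proxy) and is removed here."""
    while is_gzip(data):
        inner = gzip.decompress(data)
        if not is_gzip(inner):
            break  # `data` is the single-layer .tar.gz the signer hashed
        data = inner
    return data


def make_release_tarball() -> bytes:
    """Build a tiny .tar.gz in memory standing in for a release artifact.
    (Constructed sample; the member name is a placeholder, not a real path.)"""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        payload = b"placeholder file contents\n"
        info = tarfile.TarInfo("example-release/README")  # hypothetical name
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def serve_like_misconfigured_server(artifact: bytes) -> bytes:
    """Simulate the re-gzip the thread reports: an already-gzipped file gets
    gzipped again on the way to the browser."""
    return gzip.compress(artifact)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def demo() -> dict:
    signed = make_release_tarball()                     # bytes the signer hashed
    on_disk = serve_like_misconfigured_server(signed)   # bytes Firefox saved
    recovered = strip_transport_gzip(on_disk)
    return {
        "depth_as_signed": gzip_depth(signed),
        "depth_as_downloaded": gzip_depth(on_disk),
        "digest_matches_after_strip": sha256(recovered) == sha256(signed),
        "digest_matches_before_strip": sha256(on_disk) == sha256(signed),
        "untouched_when_already_single_layer": strip_transport_gzip(signed) == signed,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script prints a depth of 1 for the artifact as signed and 2 for the downloaded copy; only after `strip_transport_gzip` does the digest match what the signature was made over, which is exactly why `gunzip` once and re-running `gpg2 --verify` turns the BAD signature into a Good one. The depth check is the cheap pre-flight: if a freshly downloaded `.tar.gz` reports more than one layer, the mismatch is a delivery problem to investigate, not (by itself) evidence the archive was tampered with.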