tahoe 1.16.0
Greg Troxel
gdt at lexort.com
Wed Oct 27 16:41:18 UTC 2021
Chad Dougherty <crd at acm.org> writes:
> One more observation - the corruption I experienced was only when
> downloading with Firefox. It seems that the distribution server is
> re-gzipping the file when the user agent is Firefox:
I didn't have any problems, because I was using pkgsrc to download as
part of a package update, but I went to check after seeing the Firefox
report.
I did two downloads from the same machine, one using pkgsrc (and thus
ftp/curl/wget sort of program), and one with firefox.
-rw-r--r-- 1 gdt wheel 1802556 Oct 19 19:43 /opt/pkgsrc/distfiles/tahoe-lafs-1.16.0.tar.gz
-rw-rw-rw-@ 1 gdt staff 1802257 Oct 27 11:50 tahoe-lafs-1.16.0.tar.gz
After unpacking both with tar xvfp, the contents are the same.
I have also not noticed this with Firefox in other places.
SHA1 (tahoe-lafs-1.16.0.tar.gz) = 75eb22d3aa8d2d299df43e402aac897c1e06a2c0
SHA1 (/opt/pkgsrc/distfiles/tahoe-lafs-1.16.0.tar.gz) = 90de71612b90ecc305cf04aa741657917be7eac3
SHA256 (tahoe-lafs-1.16.0.tar.gz) = 81fb7ae0afe312108dcb150d2b8619b8f6ce81a3f5c1b9d5194e162addbc9f08
SHA256 (/opt/pkgsrc/distfiles/tahoe-lafs-1.16.0.tar.gz) = 0b1e05269b698dcae6b60c7bfa11f10f4e3aa07a681242a66d294aa4b7513525
> (using freshly downloaded copies of the distribution files)
> $ gpg2 --verify tahoe-lafs-1.16.0.tar.gz.asc
> gpg: assuming signed data in 'tahoe-lafs-1.16.0.tar.gz'
> gpg: Signature made Tue Oct 19 19:38:15 2021 EDT
> gpg: using RSA key 9D5A2BD5688ECB889DEBCD3FC2602803128069A7
> gpg: BAD signature from "meejah <meejah at meejah.ca>" [unknown]
This led me to try to figure out the signing key situation. I couldn't
find this in the release notes, and I couldn't find it on
tahoe-lafs.org. I did find a keyid at
https://tahoe-lafs.org/trac/tahoe-lafs/wiki/AdvancedInstall
but have not been able to download the key.
Part of the issue is that the keyserver situation is a mess.
Trying to verify gets me:
$ gpg2 tahoe-lafs-1.16.0.tar.gz.asc
gpg: WARNING: no command supplied. Trying to guess what you mean ...
gpg: assuming signed data in 'tahoe-lafs-1.16.0.tar.gz'
gpg: Signature made Tue Oct 19 19:38:15 2021 EDT
gpg: using RSA key 9D5A2BD5688ECB889DEBCD3FC2602803128069A7
gpg: Can't check signature: No public key
I was able to get a key using that id from a keyserver (which doesn't
really let me believe anything), which shows as
pub rsa2048 2012-02-14 [SCEA]
9D5A2BD5688ECB889DEBCD3FC2602803128069A7
sub rsa2048 2012-02-14 [E]
importing it gives a warning
gpg: key C2602803128069A7: no user ID
I'm not sure what it ought to be, but having a signing key that has a uid
and cross sigs from some of the usual suspects, and that is easily findable
from the top-level web page, would be nice.
> $ mv tahoe-lafs-1.16.0.tar.gz tahoe-lafs-1.16.0.tar.gz.gz
> $ gunzip tahoe-lafs-1.16.0.tar.gz.gz
> $ gpg2 --verify tahoe-lafs-1.16.0.tar.gz.asc
> gpg: assuming signed data in 'tahoe-lafs-1.16.0.tar.gz'
> gpg: Signature made Tue Oct 19 19:38:15 2021 EDT
> gpg: using RSA key 9D5A2BD5688ECB889DEBCD3FC2602803128069A7
> gpg: Good signature from "meejah <meejah at meejah.ca>" [unknown]
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the
> owner.
> Primary key fingerprint: 9D5A 2BD5 688E CB88 9DEB CD3F C260 2803 1280 69A7
Ahh, so the server is reading the already gzipped contents and
re-gzipping.
I can confirm that after renaming the firefox-downloaded file to a.gz.gz
and ungzipping, a.gz is bit-for-bit identical to the regular distfile.
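The two checks the thread arrives at by hand, as an added example (this is not code from the thread or from Tahoe-LAFS): peel an extra gzip layer off a download before comparing hashes, and treat gpg's "Good signature ... [unknown]" as acceptable only when the signing key's full fingerprint matches one pinned out of band. It assumes a small constructed tarball in place of tahoe-lafs-1.16.0.tar.gz, simulates the server's re-gzipping with gzip.compress, and feeds constructed `--status-fd` lines (modelled on the gpg output quoted above, with an illustrative timestamp) to the signature check; the pinned fingerprint is the one printed in the thread.

```python
# Added example, not part of Tahoe-LAFS or the list thread; all inputs are constructed.
import gzip
import hashlib
import io
import tarfile

GZIP_MAGIC = b"\x1f\x8b"

# Fingerprint printed in the thread. Pin it from a channel you trust, not from
# whatever a keyserver happens to return for the key id.
PINNED_FPR = "9D5A 2BD5 688E CB88 9DEB CD3F C260 2803 1280 69A7"


def strip_extra_gzip_layers(data: bytes, max_layers: int = 4) -> tuple[bytes, int]:
    """Return (distfile, layers_removed).

    A normal .tar.gz is one gzip layer around a tar stream. If the server
    re-gzipped an already gzipped file, decompressing once yields bytes that
    themselves start with the gzip magic; peel until that stops being true.
    """
    layers = 0
    while data[:2] == GZIP_MAGIC and layers < max_layers:
        inner = gzip.decompress(data)
        if inner[:2] != GZIP_MAGIC:
            break  # inner is the tar stream, so data is the real .tar.gz
        data = inner
        layers += 1
    return data, layers


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def tar_members(targz: bytes) -> list[str]:
    """Member names of a single-layer .tar.gz (the 'contents are the same' check)."""
    with tarfile.open(fileobj=io.BytesIO(targz), mode="r:gz") as tf:
        return tf.getnames()


def check_download(downloaded: bytes, expected_sha256: str) -> dict:
    """Explain a hash mismatch: corrupt file, or merely an extra gzip layer?"""
    distfile, layers = strip_extra_gzip_layers(downloaded)
    return {
        "extra_gzip_layers": layers,
        "raw_sha256_matches": sha256_hex(downloaded) == expected_sha256,
        "distfile_sha256_matches": sha256_hex(distfile) == expected_sha256,
    }


def parse_gpg_status(status_text: str) -> dict:
    """Parse `gpg --status-fd 1 --verify` lines, the machine-readable form of
    the 'Good signature from ...' text quoted in the thread."""
    st = {"good": False, "bad": False, "no_pubkey": False, "fprs": set()}
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        kw = fields[1]
        if kw == "GOODSIG":
            st["good"] = True
        elif kw == "BADSIG":
            st["bad"] = True
        elif kw == "NO_PUBKEY":
            st["no_pubkey"] = True
        elif kw == "VALIDSIG" and len(fields) >= 3:
            # field 2: fingerprint of the signing (sub)key; when present, the
            # last field is the primary key fingerprint.
            st["fprs"].add(fields[2].upper())
            if len(fields) >= 12:
                st["fprs"].add(fields[-1].upper())
    return st


def signature_acceptable(status_text: str, pinned_fpr: str) -> bool:
    """GOODSIG only means some key in the keyring verifies the signature; the
    '[unknown]' trust in the thread is the hint that this is not enough. Also
    require the full fingerprint to match the pinned one (never just the key id)."""
    st = parse_gpg_status(status_text)
    pinned = pinned_fpr.replace(" ", "").upper()
    return st["good"] and not st["bad"] and pinned in st["fprs"]


def build_sample_distfile() -> bytes:
    """Constructed stand-in for tahoe-lafs-1.16.0.tar.gz: a one-file tarball."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        body = b"constructed sample, not the real release\n"
        info = tarfile.TarInfo("tahoe-lafs-1.16.0/README.rst")
        info.size = len(body)
        tf.addfile(info, io.BytesIO(body))
    return buf.getvalue()


def double_gzip(distfile: bytes) -> bytes:
    """Simulate the server re-gzipping the already gzipped tarball."""
    return gzip.compress(distfile)


# Constructed status lines modelled on the gpg output quoted in the thread.
SAMPLE_STATUS_GOOD = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG C2602803128069A7 meejah <meejah at meejah.ca>
[GNUPG:] VALIDSIG 9D5A2BD5688ECB889DEBCD3FC2602803128069A7 2021-10-19 1634686695 0 4 0 1 8 00 9D5A2BD5688ECB889DEBCD3FC2602803128069A7
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
SAMPLE_STATUS_BAD = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG C2602803128069A7 meejah <meejah at meejah.ca>
"""

if __name__ == "__main__":
    real = build_sample_distfile()
    firefox_copy = double_gzip(real)  # what the Firefox download looked like
    print(check_download(firefox_copy, sha256_hex(real)))
    print(tar_members(strip_extra_gzip_layers(firefox_copy)[0]))
    print(signature_acceptable(SAMPLE_STATUS_GOOD, PINNED_FPR))
```

For a real download, feed `parse_gpg_status` the output of `gpg --batch --status-fd 1 --verify tahoe-lafs-1.16.0.tar.gz.asc tahoe-lafs-1.16.0.tar.gz`, and run `check_download` on the file before deciding it is corrupt: a mismatch with `extra_gzip_layers` of 1 and `distfile_sha256_matches` true is the re-gzipping seen here, not a bad file.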