tahoe 1.16.0

Greg Troxel gdt at lexort.com
Wed Oct 27 16:41:18 UTC 2021


Chad Dougherty <crd at acm.org> writes:

> One more observation - the corruption I experienced was only when
> downloading with Firefox.  It seems that the distribution server is
> re-gzipping the file when the user agent is Firefox:

I didn't have any problems, because I was using pkgsrc to download as
part of a package update, but I went to check after seeing the Firefox
report.

I did two downloads from the same machine, one using pkgsrc (and thus an
ftp/curl/wget sort of program), and one with Firefox.

-rw-r--r--  1 gdt  wheel  1802556 Oct 19 19:43 /opt/pkgsrc/distfiles/tahoe-lafs-1.16.0.tar.gz
-rw-rw-rw-@ 1 gdt  staff  1802257 Oct 27 11:50 tahoe-lafs-1.16.0.tar.gz

After unpacking both with tar xvfp, the contents are the same.

I have also not noticed this with Firefox in other places.

SHA1 (tahoe-lafs-1.16.0.tar.gz) = 75eb22d3aa8d2d299df43e402aac897c1e06a2c0
SHA1 (/opt/pkgsrc/distfiles/tahoe-lafs-1.16.0.tar.gz) = 90de71612b90ecc305cf04aa741657917be7eac3

SHA256 (tahoe-lafs-1.16.0.tar.gz) = 81fb7ae0afe312108dcb150d2b8619b8f6ce81a3f5c1b9d5194e162addbc9f08
SHA256 (/opt/pkgsrc/distfiles/tahoe-lafs-1.16.0.tar.gz) = 0b1e05269b698dcae6b60c7bfa11f10f4e3aa07a681242a66d294aa4b7513525

> (using freshly downloaded copies of the distribution files)
> $ gpg2 --verify tahoe-lafs-1.16.0.tar.gz.asc
> gpg: assuming signed data in 'tahoe-lafs-1.16.0.tar.gz'
> gpg: Signature made Tue Oct 19 19:38:15 2021 EDT
> gpg:                using RSA key 9D5A2BD5688ECB889DEBCD3FC2602803128069A7
> gpg: BAD signature from "meejah <meejah at meejah.ca>" [unknown]

This led me to try to figure out the signing key situation.  I couldn't
find this in the release notes, and I couldn't find it on
tahoe-lafs.org.  I did find a keyid at
  https://tahoe-lafs.org/trac/tahoe-lafs/wiki/AdvancedInstall
but have not been able to download the key.

Part of the issue is that the keyserver situation is a mess.

Trying to verify gets me:

$ gpg2 tahoe-lafs-1.16.0.tar.gz.asc
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
gpg: assuming signed data in 'tahoe-lafs-1.16.0.tar.gz'
gpg: Signature made Tue Oct 19 19:38:15 2021 EDT
gpg:                using RSA key 9D5A2BD5688ECB889DEBCD3FC2602803128069A7
gpg: Can't check signature: No public key


I was able to get a key using that id from a keyserver (which doesn't
really let me believe anything), which shows as

pub   rsa2048 2012-02-14 [SCEA]
      9D5A2BD5688ECB889DEBCD3FC2602803128069A7
sub   rsa2048 2012-02-14 [E]

Importing it gives a warning:

gpg: key C2602803128069A7: no user ID


I'm not sure what it ought to be, but having a signing key that has a uid
and cross-sigs from some of the usual suspects, and that is easily findable
from the top-level web page, would be nice.

> $ mv tahoe-lafs-1.16.0.tar.gz tahoe-lafs-1.16.0.tar.gz.gz
> $ gunzip tahoe-lafs-1.16.0.tar.gz.gz
> $ gpg2 --verify tahoe-lafs-1.16.0.tar.gz.asc
> gpg: assuming signed data in 'tahoe-lafs-1.16.0.tar.gz'
> gpg: Signature made Tue Oct 19 19:38:15 2021 EDT
> gpg:                using RSA key 9D5A2BD5688ECB889DEBCD3FC2602803128069A7
> gpg: Good signature from "meejah <meejah at meejah.ca>" [unknown]
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the
> owner.
> Primary key fingerprint: 9D5A 2BD5 688E CB88 9DEB  CD3F C260 2803 1280 69A7

Ahh, so the server is reading the already gzipped contents and
re-gzipping.

I can confirm that after renaming the firefox-downloaded file to a.gz.gz
and ungzipping, a.gz is bit-for-bit identical to the regular distfile.
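A small POSIX shell helper, added here as an example and not part of the
thread or of Tahoe-LAFS itself, that automates the check Greg and Chad did by
hand: count how many gzip layers a downloaded file has (by following the
1f 8b magic bytes through successive decompressions) and, if there are two,
strip exactly one so the result can be compared against the published
checksum or checked with gpg2 --verify.  The function names gzip_layers,
is_gzip and strip_extra_gzip are my own; it needs only gzip, od and mktemp.

```shell
#!/bin/sh
# Added example (not from the original thread or the Tahoe-LAFS project):
# detect and strip a spurious extra gzip layer, the situation Chad hit when
# a distribution server re-gzipped an already gzipped tarball for Firefox.
# Function names (gzip_layers, is_gzip, strip_extra_gzip) are my own.

# is_gzip FILE: true if FILE begins with the gzip magic bytes 1f 8b.
is_gzip() {
    [ "$(od -A n -t x1 -N 2 "$1" | tr -d ' \n')" = "1f8b" ]
}

# gzip_layers FILE: print how many nested gzip layers FILE has (0 if it is
# not gzip at all).  A well-formed .tar.gz reports 1; a double-compressed
# download reports 2.  Stops at 4 layers so pathological input cannot loop.
gzip_layers() {
    f=$1
    n=0
    tmp=$(mktemp) || return 1
    cp "$f" "$tmp"
    while [ "$n" -lt 4 ] && is_gzip "$tmp"; do
        # Read from stdin so gzip does not complain about the file suffix.
        gzip -dc < "$tmp" > "$tmp.next" 2>/dev/null || break
        mv "$tmp.next" "$tmp"
        n=$((n + 1))
    done
    rm -f "$tmp" "$tmp.next"
    echo "$n"
}

# strip_extra_gzip SRC DST: if SRC carries two or more gzip layers, write SRC
# with exactly one layer removed to DST (this is the "rename to .gz.gz and
# gunzip" trick done without renaming); otherwise copy SRC to DST unchanged.
strip_extra_gzip() {
    src=$1
    dst=$2
    layers=$(gzip_layers "$src") || return 1
    if [ "$layers" -ge 2 ]; then
        gzip -dc < "$src" > "$dst"
    else
        cp "$src" "$dst"
    fi
}

# Usage: sh check-gzip-layers.sh tahoe-lafs-1.16.0.tar.gz
if [ "$#" -ge 1 ]; then
    layers=$(gzip_layers "$1")
    echo "$1: $layers gzip layer(s)"
    if [ "$layers" -ge 2 ]; then
        strip_extra_gzip "$1" "$1.fixed"
        echo "wrote $1.fixed with one layer removed; now check its SHA256 or signature"
    fi
fi
```

A count of 2 means the server wrapped the tarball again; the .fixed file
should then match the pkgsrc distfile byte for byte and verify against the
.asc.  A count of 1 together with a BAD signature points at a different
problem (a truncated download or a genuinely altered file), so the extra
layer should never be stripped blindly without re-checking the hash afterwards.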