broken shasums for 42.2 isos?

broken shasums for 42.2 isos?

Felix Miata-3
wget http://download.opensuse.org/distribution/leap/42.2/iso/openSUSE-Leap-42.2-DVD-x86_64.iso.sha256
wget http://download.opensuse.org/distribution/leap/42.2/iso/openSUSE-Leap-42.2-DVD-x86_64.iso
shasum -c openSUSE-Leap-42.2-NET-x86_64.iso.sha256
openSUSE-Leap-42.2-NET-x86_64.iso: OK
shasum: WARNING: 14 lines are improperly formatted

Is this expected?
--
"The wise are known for their understanding, and pleasant
words are persuasive." Proverbs 16:21 (New Living Translation)

  Team OS/2 ** Reg. Linux User #211409 ** a11y rocks!

Felix Miata  ***  http://fm.no-ip.com/
--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]

Re: broken shasums for 42.2 isos?

Karl Cheng
> Is this expected?

Yes, this is expected, there is an embedded PGP signature in the
.sha256 file which `shasum` does not recognise.

This can be used to verify that the .sha256 file did indeed come from
openSUSE rather than some other malicious source.

Re: broken shasums for 42.2 isos?

James Knott
On 11/20/2016 09:48 PM, Karl Cheng wrote:
>> Is this expected?
> Yes, this is expected, there is an embedded PGP signature in the
> .sha256 file which `shasum` does not recognise.
>
> This can be used to verify that the .sha256 file did indeed come from
> openSUSE rather than some other malicious source.

A little more info about that would have been useful.  I would expect a
file called sha256, next to an ISO, to be the shasum of that ISO and
nothing else.  And where on that download page is the real shasum file?
I had to go to the mirror page to find it.


Re: broken shasums for 42.2 isos?

cagsm
In reply to this post by Felix Miata-3
On Mon, Nov 21, 2016 at 3:24 AM, Felix Miata <[hidden email]> wrote:
> wget http://download.opensuse.org/distribution/leap/42.2/iso/openSUSE-Leap-42.2-DVD-x86_64.iso.sha256
> wget http://download.opensuse.org/distribution/leap/42.2/iso/openSUSE-Leap-42.2-DVD-x86_64.iso
> shasum -c openSUSE-Leap-42.2-NET-x86_64.iso.sha256
> openSUSE-Leap-42.2-NET-x86_64.iso: OK
> shasum: WARNING: 14 lines are improperly formatted


These simple hash sum files and stuff are all text based, so I do tend
to look into them via cat, less or something, and then I can make use of
it and understand that it's a simple hash sum and filename next to each other.
But this single-line string is signed as a PGP message, like an email, so
it adds headers and footers and meta overhead to it. That way you can
verify that the string, aka the text payload inside, is an actual openSUSE
verified or created or at least signed message, giving you the validity
or authority about its content, so you can rely on the sha256 sum
given in there being authentic and created and approved by openSUSE.

Re: broken shasums for 42.2 isos?

Aleksa Sarai
In reply to this post by James Knott
>>> Is this expected?
>> Yes, this is expected, there is an embedded PGP signature in the
>> .sha256 file which `shasum` does not recognise.
>>
>> This can be used to verify that the .sha256 file did indeed come from
>> openSUSE rather than some other malicious source.
>
> A little more info about that would have been useful.  I would expect a
> file called sha256, next to an ISO, to be the shasum of that ISO and
> nothing else.  And where on that download page is the real shasum file?
> I had to go to the mirror page to find it.

It is the "real shasum file". It also just happens to have been signed
by the PGP key and contain the signature. sha256sum will exit without an
error, and the warnings are just advisory -- so scripts will also have
no issue with it.

It's actually _less safe_ to "just have a .sha256" because it will mean
that you cannot be sure that your local mirror isn't replacing the ISOs
with malware.

--
Aleksa Sarai
Software Engineer (Containers)
SUSE Linux GmbH
https://www.cyphar.com/

Re: broken shasums for 42.2 isos?

Andreas Schwab-2
On Nov 21 2016, Aleksa Sarai <[hidden email]> wrote:

> It is the "real shasum file". It also just happens to have been signed by
> the PGP key and contain the signature. sha256sum will exit without an
> error, and the warnings are just advisory -- so scripts will also have no
> issue with it.
>
> It's actually _less safe_ to "just have a .sha256" because it will mean
> that you cannot be sure that your local mirror isn't replacing the ISOs
> with malware.

The signature could also be detached.

Andreas.

--
Andreas Schwab, SUSE Labs, [hidden email]
GPG Key fingerprint = 0196 BAD8 1CE9 1970 F4BE  1748 E4D4 88E3 0EEA B9D7
"And now for something completely different."

Re: broken shasums for 42.2 isos?

Michal Kubecek
In reply to this post by Aleksa Sarai
On Monday, 21 November 2016 20:21 Aleksa Sarai wrote:
> It is the "real shasum file". It also just happens to have been signed
> by the PGP key and contain the signature. sha256sum will exit without
> an error, and the warnings are just advisory -- so scripts will also
> have no issue with it.

It's actually similar to the earlier situation when we used to have one
SHA1SUMS file for the whole directory (except you got different warnings,
about files not found).

As Andreas pointed out, we could put the signature into a separate file
(say .sha256.sign) but I wonder if there would be an advantage compared
to a detached signature of the iso image itself.

                                                         Michal Kubeček

Re: broken shasums for 42.2 isos?

Daniel Morris
In reply to this post by Aleksa Sarai
On Mon, Nov 21, 2016 at 08:21:03PM +1100, Aleksa Sarai wrote:

> > > > Is this expected?
> > > Yes, this is expected, there is an embedded PGP signature in the
> > > .sha256 file which `shasum` does not recognise.
> > >
> > > This can be used to verify that the .sha256 file did indeed come from
> > > openSUSE rather than some other malicious source.
> >
> > A little more info about that would have been useful.  I would expect a
> > file called sha256, next to an ISO, to be the shasum of that ISO and
> > nothing else.  And where on that download page is the real shasum file?
> > I had to go to the mirror page to find it.
>
> It is the "real shasum file". It also just happens to have been signed by
> the PGP key and contain the signature. sha256sum will exit without an error,
> and the warnings are just advisory -- so scripts will also have no issue
> with it.
>
> It's actually _less safe_ to "just have a .sha256" because it will mean that
> you cannot be sure that your local mirror isn't replacing the ISOs with
> malware.

That's all very reasonable and sensible, and I surmised exactly that
last week when I pulled down a 42.2 iso, and first wondered if something
had gone wrong causing the warning.

We could be a little more helpful. Rather than just advertising the
feature in the "Verify your download before use" section of the download
page, link to a simple line-by-line set of instructions describing the
right way to confirm who signed the checksum?

Lots of users are very intimidated by the plethora of options with GPG
and struggle to know where to start. Even for a regular user looking to
upgrade from an earlier version, 'gpg --verify opensuse_foo.sha256' is
likely to report that the openSUSE public key isn't installed. Some will
follow down the rabbit hole, others may just give up/install another
distro etc. If we want to encourage good security practice then we're
best making it as easy as possible to follow good practice.

 Daniel

Re: broken shasums for 42.2 isos?

Andrei Borzenkov
In reply to this post by Michal Kubecek
On Mon, Nov 21, 2016 at 12:53 PM, Michal Kubecek <[hidden email]> wrote:
> As Andreas pointed out, we could put the signature into a separate file
> (say .sha256.sign) but I wonder if there would be an advantage compared
> to a detached signature of the iso image itself.
>

Exactly. A detached signature is a hash plus proof that it has not been
tampered with, which is exactly what we have here, but a detached signature
has the advantage that it makes it clear what it is and how to verify it.

I'm not sure how easy it is to check a detached signature on Windows
compared with a plain hash; but the current file requires manual
intervention on Windows as well, and proves confusing even for
Linux users ...

Re: broken shasums for 42.2 isos?

Freek de Kruijf
In reply to this post by Daniel Morris
Op maandag 21 november 2016 10:25:36 CET schreef Daniel Morris:
> Lots of users are very intimidated by the plethora of options with GPG
> and struggle to know where to start. Even for a regular user looking to
> upgrade from an earlier version, 'gpg --verify opensuse_foo.sha256' is
> likely to report that the openSUSE public key isn't installed. Some will
> follow down the rabbit hole, others may just give up/install another
> distro etc. If we want to encourage good security practice then we're
> best making it as easy as possible to follow good practice.

I tried gpg --verify openSUSE-Leap-42.2-DVD-x86_64.iso.sha256

got:

gpg: Signature made di 15 nov 2016 18:04:50 CET
gpg:                using RSA key B88B2FD43DBDC284
gpg: Good signature from "openSUSE Project Signing Key <[hidden email]>" [expired]
gpg: Note: This key has expired!
Primary key fingerprint: 22C0 7BA5 3417 8CD0 2EFE  22AA B88B 2FD4 3DBD C284

It is a proper key, however expired.

By the way: I use:

head -4 openSUSE-Leap-42.2-DVD-x86_64.iso.sha256 | tail -1 | sha256sum -c -

to check the checksum.

--
fr.gr.

member openSUSE
Freek de Kruijf

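An added example, not code from this thread or from openSUSE's own tooling, that does in a script what the thread describes by hand: it verifies the clearsigned .sha256 file with gpg as Karl Cheng explains, insists on the key fingerprint rather than on ownertrust (the step Freek had to do in Kleopatra), and then extracts the signed checksum line for sha256sum without depending on a line count the way `head -4 | tail -1` does. It also includes the detached-signature variant Andreas and Andrei discuss. Labelled assumptions: the pinned fingerprint is the primary key fingerprint copied from the gpg output quoted above and must be confirmed out of band before use; the file names, the sample checksum file and its dummy signature block are constructed here for illustration only.

```shell
#!/bin/sh
# Added example (not from the thread or from openSUSE): verify a clearsigned .sha256
# file, pin the signing key's fingerprint, then check the ISO against the signed line.
# Assumptions: the fingerprint is copied from the gpg output quoted in the thread and
# must be confirmed out of band; file names, the sample checksum file and its dummy
# signature block below are constructed for illustration only.
set -eu

# Primary key fingerprint as printed by gpg in the thread (spaces removed). Pinning it
# replaces the "set trust on the key" step: a GOODSIG from any other key is rejected
# regardless of ownertrust. Obtain it from an authentic source, never from the mirror.
OPENSUSE_PRIMARY_FPR="22C07BA534178CD02EFE22AAB88B2FD43DBDC284"

# Print the signed text (the "<sha256>  <filename>" lines) of a clearsigned file, or
# the whole file if it is a plain checksum file. Per RFC 4880 the signed text sits
# between the blank line that closes the "Hash:" header block and the
# "-----BEGIN PGP SIGNATURE-----" line; lines starting with "- " are dash-escaped.
# This only extracts text; it proves nothing about who signed it.
extract_clearsigned_payload() {
    if grep -q '^-----BEGIN PGP SIGNED MESSAGE-----' "$1"; then
        awk '
            /^-----BEGIN PGP SIGNED MESSAGE-----/ { in_hdr = 1; next }
            in_hdr && /^$/                         { in_hdr = 0; in_body = 1; next }
            in_hdr                                 { next }
            /^-----BEGIN PGP SIGNATURE-----/       { exit }
            in_body                                { sub(/^- /, ""); print }
        ' "$1"
    else
        cat "$1"
    fi
}

# Read gpg --status-fd lines on stdin. Succeed only on a GOODSIG line (an expired key
# yields EXPKEYSIG instead, which is what Freek's "[expired]" corresponds to) together
# with a VALIDSIG line whose last field, the primary key fingerprint, is the pinned one.
gpg_status_ok() {
    awk -v want="$OPENSUSE_PRIMARY_FPR" '
        $1 != "[GNUPG:]"                { next }
        $2 == "GOODSIG"                 { good = 1 }
        $2 == "VALIDSIG" && $NF == want { fpr = 1 }
        END { exit (good && fpr) ? 0 : 1 }'
}

# Clearsigned .sha256, which is what openSUSE ships.
verify_clearsigned() {   # verify_clearsigned <file.sha256>
    gpg --batch --status-fd 1 --verify "$1" 2>/dev/null | gpg_status_ok
}

# Detached signature, the alternative discussed in the thread (file names hypothetical).
verify_detached() {      # verify_detached <file.sig> <signed file>
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null | gpg_status_ok
}

sha256_check() {         # sha256sum -c on stdin, with the BSD/macOS fallback
    if command -v sha256sum >/dev/null 2>&1; then sha256sum -c -; else shasum -a 256 -c -; fi
}

# Signature first, checksum second. The signed line names the ISO by bare file name,
# so the checksum runs in the .sha256 file's directory.
check_iso() {            # check_iso <path/to/file.sha256>
    verify_clearsigned "$1" || { echo "REJECT: no good signature from the pinned key on $1" >&2; return 1; }
    ( cd "$(dirname "$1")" && extract_clearsigned_payload "$(basename "$1")" | sha256_check )
}

# Constructed sample: an empty "ISO" (SHA-256 of empty input is e3b0...b855) and a
# clearsigned-style .sha256 with a dummy signature block. check_iso would, correctly,
# reject it at the gpg step; the demos below exercise only extraction and checksum.
write_sample() {         # write_sample <dir>
    : > "$1/sample.iso"
    cat > "$1/sample.iso.sha256" <<'EOF'
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  sample.iso
-----BEGIN PGP SIGNATURE-----

dummy-signature-block-constructed-for-this-example
-----END PGP SIGNATURE-----
EOF
}

demo_payload() {         # prints the one signed checksum line
    dir=$(mktemp -d); write_sample "$dir"
    extract_clearsigned_payload "$dir/sample.iso.sha256"
    rm -rf "$dir"
}

demo_checksum() {        # prints "sample.iso: OK" and returns 0
    dir=$(mktemp -d); write_sample "$dir"
    ( cd "$dir" && extract_clearsigned_payload sample.iso.sha256 | sha256_check )
    rm -rf "$dir"
}

demo_payload
demo_checksum
```

For a real download, put the ISO and its .sha256 in one directory and run `check_iso openSUSE-Leap-42.2-DVD-x86_64.iso.sha256`. Two caveats a practitioner will want: gpg's "This key is not certified with a trusted signature" warning concerns the web of trust and does not affect this check, because the fingerprint pin does that job; and the pin is only worth anything if the fingerprint came from somewhere the mirror cannot tamper with, such as the SDB page Freek used or a key already present on an installed openSUSE system. Unlike the `head -4 | tail -1` pipeline, the extraction does not depend on the header being exactly three lines, and it passes a plain, unsigned .sha256 through unchanged.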

Re: broken shasums for 42.2 isos?

Andreas Schwab-2
On Nov 21 2016, Freek de Kruijf <[hidden email]> wrote:

> I tried gpg --verify openSUSE-Leap-42.2-DVD-x86_64.iso.sha256
>
> got:
>
> gpg: Signature made di 15 nov 2016 18:04:50 CET
> gpg:                using RSA key B88B2FD43DBDC284
> gpg: Good signature from "openSUSE Project Signing Key
> <[hidden email]>" [expired]
> gpg: Note: This key has expired!
> Primary key fingerprint: 22C0 7BA5 3417 8CD0 2EFE  22AA B88B 2FD4 3DBD C284
>
> It is a proper key, however expired.

You should update it from the keyrings.

Andreas.

--
Andreas Schwab, SUSE Labs, [hidden email]
GPG Key fingerprint = 0196 BAD8 1CE9 1970 F4BE  1748 E4D4 88E3 0EEA B9D7
"And now for something completely different."

Re: broken shasums for 42.2 isos?

Ludwig Nussel
In reply to this post by Daniel Morris
Daniel Morris schrieb:

> On Mon, Nov 21, 2016 at 08:21:03PM +1100, Aleksa Sarai wrote:
>>>>> Is this expected?
>>>> Yes, this is expected, there is an embedded PGP signature in the
>>>> .sha256 file which `shasum` does not recognise.
>>>>
>>>> This can be used to verify that the .sha256 file did indeed come from
>>>> openSUSE rather than some other malicious source.
>>>
>>> A little more info about that would have been useful.  I would expect a
>>> file called sha256, next to an ISO, to be the shasum of that ISO and
>>> nothing else.  And where on that download page is the real shasum file?
>>> I had to go to the mirror page to find it.
>>
>> It is the "real shasum file". It also just happens to have been signed by
>> the PGP key and contain the signature. sha256sum will exit without an error,
>> and the warnings are just advisory -- so scripts will also have no issue
>> with it.
>>
>> It's actually _less safe_ to "just have a .sha256" because it will mean that
>> you cannot be sure that your local mirror isn't replacing the ISOs with
>> malware.
>
> That's all very reasonable and sensible, and I surmised exactly that
> last week when I pulled down a 42.2 iso, and first wondered if something
> had gone wrong causing the warning.
>
> We could be a little more helpful. Rather than just advertising the
> feature in the "Verify your download before use" section of the download
> page, link to simple line-by-line set of instruction to describe the
> right way to confirm who signed the checksum?

I tried to improve the description but meanwhile the code was developed
further and the patch doesn't apply anymore. If some ruby on rails
wizard is reading this, feel free to pick up and improve
https://github.com/openSUSE/software-o-o/pull/52 :-)

cu
Ludwig

--
  (o_   Ludwig Nussel
  //\
  V_/_  http://www.suse.com/
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard,
Graham Norton, HRB 21284 (AG Nürnberg)

Re: broken shasums for 42.2 isos?

Freek de Kruijf
In reply to this post by Andreas Schwab-2
Op maandag 21 november 2016 13:00:16 CET schreef Andreas Schwab:

> On Nov 21 2016, Freek de Kruijf <[hidden email]> wrote:
> > I tried gpg --verify openSUSE-Leap-42.2-DVD-x86_64.iso.sha256
> >
> > got:
> >
> > gpg: Signature made di 15 nov 2016 18:04:50 CET
> > gpg:                using RSA key B88B2FD43DBDC284
> > gpg: Good signature from "openSUSE Project Signing Key
> > <[hidden email]>" [expired]
> > gpg: Note: This key has expired!
> > Primary key fingerprint: 22C0 7BA5 3417 8CD0 2EFE  22AA B88B 2FD4 3DBD
> > C284
> >
> > It is a proper key, however expired.
>
> You should update it from the keyrings.
>
Used https://en.opensuse.org/SDB:Download_help to update the keyring. Also
needed to set trust on the key. I used Kleopatra to do that.


--
fr.gr.

member openSUSE
Freek de Kruijf


Re: broken shasums for 42.2 isos?

James Knott
On 11/21/2016 08:41 AM, Freek de Kruijf wrote:

> Op maandag 21 november 2016 13:00:16 CET schreef Andreas Schwab:
>> On Nov 21 2016, Freek de Kruijf <[hidden email]> wrote:
>>> I tried gpg --verify openSUSE-Leap-42.2-DVD-x86_64.iso.sha256
>>>
>>> got:
>>>
>>> gpg: Signature made di 15 nov 2016 18:04:50 CET
>>> gpg:                using RSA key B88B2FD43DBDC284
>>> gpg: Good signature from "openSUSE Project Signing Key
>>> <[hidden email]>" [expired]
>>> gpg: Note: This key has expired!
>>> Primary key fingerprint: 22C0 7BA5 3417 8CD0 2EFE  22AA B88B 2FD4 3DBD
>>> C284
>>>
>>> It is a proper key, however expired.
>> You should update it from the keyrings.
>>
> Used https://en.opensuse.org/SDB:Download_help to update the keyring. Also
> needed to set trust on the key. I used Kleopatra to do that.
>
>

Yep, clearly a better process.  /<sarcasm>


Re: broken shasums for 42.2 isos?

Felix Miata-3
In reply to this post by Felix Miata-3
sdm composed on 2016-11-21 07:28 (UTC-0800):
...
> Run this command: `sha256sum -c openSUSE-Leap-42.2-NET-x86_64.iso.sha256`
> The output should say:

> openSUSE-Leap-42.2-NET-x86_64.iso: OK
> sha256sum: WARNING: 14 lines are improperly formatted

> The "OK" is letting you know that the checksum passed. The improperly
> formatted error message about line 14 can be ignored...

The complete output in the OP masks what may seem to be an additional error.
That's what happened to me, and the reason why I bothered to take the trouble
to ask.

I'm used to using md5sum, having always chosen it over shasum when both were
offered. As is typical for me attempting use of example-free man pages, I
was unable to discover syntax that corresponds to the 'md5sum -c
filename.md5' syntax I was used to.

IOW, this was my first attempt to use shasum. Not only did I see a bunch of
error lines overpowering the single OK line, but the command returned in a
tiny fraction of the time I expected it to take, nearly instantly, compared
to the patience-testing length of an md5sum process used upon a DVD .iso.
--
"The wise are known for their understanding, and pleasant
words are persuasive." Proverbs 16:21 (New Living Translation)

  Team OS/2 ** Reg. Linux User #211409 ** a11y rocks!

Felix Miata  ***  http://fm.no-ip.com/

Re: broken shasums for 42.2 isos?

James Knott
On 11/21/2016 09:49 PM, Felix Miata wrote:
> IOW, this was my first attempt to use shasum. Not only did I see a
> bunch of error lines overpowering the single OK line, but the command
> returned in a tiny fraction of the time I expected it to take, nearly
> instantly, compared to a patience testing length of an md5sum process
> used upon a dvd .iso.

In addition to md5sum, I have also used shasum in the past, in the same
manner as I'd used md5sum.  However, this time it's different, with no
explanation why or appropriate instructions.  Like you, I also assumed
there was a problem and it was only after I found the proper sha256 file
elsewhere that I was able to verify the ISO.



Re: broken shasums for 42.2 isos?

Michal Kubecek
In reply to this post by Felix Miata-3
On Monday, 21 November 2016 21:49 Felix Miata wrote:
> I'm used to using md5sum, having always chosen it over shasum when
> both were offered. As is typical for me attempting use of of
> example-free man pages, I was unable to discover syntax that
> corresponds to the 'md5sum -c filename.md5' syntax I was used to.

Seriously? sha1sum and sha256sum syntax exactly copies that of md5sum, so
the answer is "sha256sum -c filename.sha256".

> IOW, this was my first attempt to use shasum. Not only did I see a
> bunch of error lines overpowering the single OK line, but the command
> returned in a tiny fraction of the time I expected it to take, nearly
> instantly, compared to a patience testing length of an md5sum process
> used upon a dvd .iso.

That's hardly surprising as you were verifying only a short text file
rather than a 4GB DVD image.

Michal Kubeček

Re: broken shasums for 42.2 isos?

Karl Ove Hufthammer
In reply to this post by Felix Miata-3
Felix Miata skreiv 22. nov. 2016 03:49:
>
> I'm used to using md5sum, having always chosen it over shasum when both
> were offered. As is typical for me attempting use of of example-free man
> pages, I was unable to discover syntax that corresponds to the 'md5sum
> -c filename.md5' syntax I was used to.

For a (somewhat) user-friendly UI, note that the KDE file manager,
Dolphin, now has a *built-in* checksum feature, supporting MD5,
SHA1 and SHA256. Simply right-click on a file and choose ‘Properties →
Checksums’ to verify checksums.

Of course, this wasn’t available to use for checking the 42.2 ISOs if
you were currently using 42.1 or a different, older distro (or desktop
environment). I’m just including it as a tip for people to be aware of
in the future.

--
Karl Ove Hufthammer
