
zypper ignores instruction to 'discard' packages with FAILed/mismatched digest checksum. downloads & installs it anyway.


lists-2
While doing a package upgrade

I saw this

        ..................................................................[done (2.2 MiB/s)]

        Warning: Digest verification failed for file 'MozillaFirefox-47.0.1-541.2.x86_64.rpm'
        [/var/cache/zypp/packages/MozillaFACTORY/x86_64/MozillaFirefox-47.0.1-541.2.x86_64.rpm]

          expected ab94e037ad3568d8d09088d1e32e2bc3057ff219d3171085170e9fe1eae115da
          but got  2c7af9fd04b5c9d8e230fd928a65135696c880088c94559c7a5e8d9f0c062ed7

        Accepting packages with wrong checksums can lead to a corrupted system and in extreme cases even to a system compromise.

        However if you made certain that the file with checksum '2c7a..' is secure, correct
        and should be used within this operation, enter the first 4 characters of the checksum
        to unblock using this file on your own risk. Empty input will discard the file.

        Unblock or discard? [2c7a/? shows all options] (discard):

I hit <ENTER> to accept the default and "discard"

Instead of discarding it, it ACCEPTED the upgrade and started to download it

        Retrieving: MozillaFirefox-47.0.1-541.2.x86_64.rpm .........................................................................................<77%>=======================

and eventually installed it

--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]


Re: zypper ignores instruction to 'discard' packages with FAILed/mismatched digest checksum. downloads & installs it anyway.

Andreas Stieger-2
Hello,

On 08/02/2016 10:00 PM, [hidden email] wrote:
> While doing a package upgrade
>
> I saw this
>
> ..................................................................[done (2.2 MiB/s)]
>
> Warning: Digest verification failed for file 'MozillaFirefox-47.0.1-541.2.x86_64.rpm'
> [/var/cache/zypp/packages/MozillaFACTORY/x86_64/MozillaFirefox-47.0.1-541.2.x86_64.rpm]

This is a file in your local cache. From a previous run, possibly broken
or manipulated.

> Unblock or discard? [2c7a/? shows all options] (discard):
>
> I hit <ENTER> to accept the default and "discard"

You discard the cached file.

> Instead of discarding it, it ACCEPTED the upgrade and started to download it

You did not accept the upgrade. You discarded the cached file. Zypper
then starts to download a fresh copy:
>
> Retrieving: MozillaFirefox-47.0.1-541.2.x86_64.rpm .........................................................................................<77%>=======================
>
> and eventually installed it

But only after verifying that the freshly downloaded file matches the
digest as per the signed repository metadata.

Not an issue, works as expected.

Andreas

--
Andreas Stieger <[hidden email]>
Project Manager Security
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton,
HRB 21284 (AG Nürnberg)
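As an added illustration of the flow Andreas describes (a model written for this thread, not zypper's own code): the cached file is checked against the digest from the signed repository metadata, a mismatch discards the cached copy, a fresh copy is retrieved, and only a fresh copy that matches the digest is accepted. `fetch_fresh` and the payloads are constructed stand-ins for the real download and rpm.

```python
import hashlib
import os
import tempfile


def sha256_of_file(path):
    """Streamed SHA-256 of a file, so large packages are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_cached_package(cache_path, expected_digest, fetch_fresh):
    """Return (accepted, events). expected_digest is the value from the
    signed repo metadata; fetch_fresh(path) writes a fresh copy to path
    (assumed stand-in for the download)."""
    events = []
    if os.path.exists(cache_path):
        if sha256_of_file(cache_path) == expected_digest:
            events.append("cache-ok")
            return True, events
        events.append("digest-mismatch")
        os.remove(cache_path)            # "discard" drops the cached file only
        events.append("discarded")
    fetch_fresh(cache_path)              # "Retrieving: ..." in the thread
    events.append("retrieved")
    if sha256_of_file(cache_path) != expected_digest:
        os.remove(cache_path)            # never hand a mismatching file to install
        events.append("fresh-copy-mismatch")
        return False, events
    events.append("fresh-ok")
    return True, events


def demo(fresh_is_good=True):
    """Constructed scenario: a tampered cache entry, then a fresh download."""
    good = b"constructed rpm payload"
    expected = hashlib.sha256(good).hexdigest()
    path = os.path.join(tempfile.mkdtemp(), "pkg.rpm")
    with open(path, "wb") as f:
        f.write(b"corrupted cached copy")  # constructed: broken/manipulated cache

    def fetch_fresh(p):
        with open(p, "wb") as f:
            f.write(good if fresh_is_good else b"still wrong")

    return verify_cached_package(path, expected, fetch_fresh)
```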
