Bug 581638 - install-amd64-minimal-20160428.iso bad digests

Status: RESOLVED FIXED
Product: Gentoo Release Media
Component: InstallCD
Hardware: All Linux
Importance: Normal blocker
Assignee: Gentoo Release Team
Duplicates: 588062
Reported: 2016-04-30 09:14 UTC by merlin
Modified: 2016-11-14 03:13 UTC
Description merlin 2016-04-30 09:14:27 UTC
I downloaded the `install-amd64-minimal-20160428.iso` image from different sources:
- gentoo (http://distfiles.gentoo.org/)
- Free (ftp://ftp.free.fr/mirrors/ftp.gentoo.org/)
- Georgia Tech (http://www.gtlib.gatech.edu/pub/gentoo/)
- OVH (http://gentoo.mirrors.ovh.net/gentoo-distfiles/)
In the folder: ./releases/amd64/autobuilds/current-install-amd64-minimal.

Verifying the signature of `install-amd64-minimal-20160428.iso.DIGESTS.asc` with gpg says that this file is indeed signed by releng@gentoo.org:
gpg --verify install-amd64-minimal-20160428.iso.DIGESTS.asc 
gpg: Signature made Fri 29 Apr 2016 04:28:46 PM CEST using RSA key ID 2D182910
gpg: Good signature from "Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>"

But checking for the sha512 digest of the image fails:
sha512sum --check install-amd64-minimal-20160428.iso.DIGESTS.asc
install-amd64-minimal-20160428.iso: FAILED
install-amd64-minimal-20160428.iso: FAILED
install-amd64-minimal-20160428.iso.CONTENTS: OK
install-amd64-minimal-20160428.iso.CONTENTS: FAILED

The sha512 digests I obtained are all the same from these different sources: 3c3532d8010004876f0a6e1f7b213604035ffd61e6aa2a39717b67b622538a7b5018405e98c2ee30606558baada808cd48f0310517bb9fd00affba62e1f22435.
But it does not match what releng@gentoo.org signed...

Reproducible: Always

Steps to Reproduce:
1. Choose a mirror
2. Go to the folder releases/amd64/autobuilds/current-install-amd64-minimal
3. Download install-amd64-minimal-20160428.iso{,.CONTENTS,.DIGESTS,.DIGESTS.asc}
4. Import releng@gentoo.org's public key into gpg
5. Verify install-amd64-minimal-20160428.iso.DIGESTS.asc signature: should be ok
6. Compare digests of install-amd64-minimal-20160428.iso with digests from install-amd64-minimal-20160428.iso.DIGESTS.asc: not ok
Actual Results:  
sha512 digest of install-amd64-minimal-20160428.iso does not correspond to the one signed by releng@gentoo.org in install-amd64-minimal-20160428.iso.DIGESTS.asc

Expected Results:  
Digest of install-amd64-minimal-20160428.iso should match what releng@gentoo.org signed in install-amd64-minimal-20160428.iso.DIGESTS.asc
Comment 1 Jorge Manuel B. S. Vicetto (RETIRED) Gentoo Infrastructure gentoo-dev 2016-05-02 10:00:13 UTC
$ cat install-amd64-minimal-20160428.iso.DIGESTS 
# SHA512 HASH
d550010c85bf3be402ff8311ef7bdb210307d2988d33996ba74ae3c988ab3e5d266d23e6e3491bd936be4eb6b88804679e18e18cd5045c431dfa52622fd00066  install-amd64-minimal-20160428.iso
# WHIRLPOOL HASH
b3a118f440c4b3fbd9a54eb98a67c1368ce4ac5323273a270bedd96ab1026ccfe4fae1618c6d5bb15d0409d9eea1754f46973b3e3571fa11c64464db3d4cc218  install-amd64-minimal-20160428.iso
# SHA512 HASH
00df9d45a24121535ae52b537081565c41f08db5b3fdd36fe3a73b41a33428875ea5706e08abe2312c3fb3e06caba1ec57166695c37f9f8854241aa22bc79575  install-amd64-minimal-20160428.iso.CONTENTS
# WHIRLPOOL HASH
06ce724d567ca1581596a5c8d8d92063d287cb4df2eacb3f831a90ae55ca7561d27d6fe08c0378f39c5ded17eeabb0d2f22ef07acee5761ef95cfdf14a443d1c  install-amd64-minimal-20160428.iso.CONTENTS

$ sha512sum install-amd64-minimal-20160428.iso
d550010c85bf3be402ff8311ef7bdb210307d2988d33996ba74ae3c988ab3e5d266d23e6e3491bd936be4eb6b88804679e18e18cd5045c431dfa52622fd00066  install-amd64-minimal-20160428.iso
jmbsvicetto@nightheron /release/distfiles/weekly/amd64/20160428 $ ls -la install-amd64-minimal-20160428.iso*

This is what we have in the build server and I just confirmed it matches the digests in http://distfiles.gentoo.org/releases/amd64/autobuilds/20160428/install-amd64-minimal-20160428.iso.DIGESTS
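As an added worked example (not code from this report or from Gentoo's release tooling), here is steps 4-6 of the description, run against the DIGESTS layout quoted in comment 1, as a small Python checker. It keeps every digest tagged with the algorithm named in the preceding `# ... HASH` comment; `sha512sum --check` does not, it treats the 128-hex-digit WHIRLPOOL entries as SHA-512 sums as well, which is why the description shows each file twice with one FAILED line. The manifest and file contents below are constructed, the signature block is a placeholder, and `signed_body` only locates the clearsigned region; it does not verify it, so run `gpg --verify` (or `gpg --output - --decrypt`) first, as the reporter did.

```python
"""Check Gentoo-style .DIGESTS(.asc) entries against local files.

Added example for bug 581638, not Gentoo release tooling. The layout
("# <ALGO> HASH" comment, then "<hex>  <filename>" lines) follows the
file quoted in comment 1. All sample data here is constructed.
"""
import hashlib
import re

ARMOR_BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
ARMOR_SIG = "-----BEGIN PGP SIGNATURE-----"
ALGO_LINE = re.compile(r"^#\s*(\w+)\s+HASH\s*$")
HASH_LINE = re.compile(r"^([0-9a-fA-F]+)\s+\*?(\S.*)$")


def signed_body(text):
    """Return the lines inside the clearsign armor (all lines if unarmored).

    Locates the signed region only; it does NOT verify the signature.
    Run gpg --verify first, otherwise unsigned text would be trusted.
    """
    lines = text.splitlines()
    if not lines or lines[0].strip() != ARMOR_BEGIN:
        return lines
    i = 1
    while i < len(lines) and lines[i].strip():   # skip "Hash: SHA512" headers
        i += 1
    body = []
    for line in lines[i + 1:]:
        if line.strip() == ARMOR_SIG:
            break
        body.append(line[2:] if line.startswith("- ") else line)  # RFC 4880 dash-escape
    return body


def parse_digests(text):
    """Return [(algorithm, filename, hexdigest)], one tuple per hash line."""
    algo, entries = None, []
    for raw in signed_body(text):
        line = raw.strip()
        if not line:
            continue
        m = ALGO_LINE.match(line)
        if m:                       # "# SHA512 HASH" / "# WHIRLPOOL HASH"
            algo = m.group(1).lower()
            continue
        m = HASH_LINE.match(line)
        if m and algo:
            entries.append((algo, m.group(2), m.group(1).lower()))
    return entries


def check_files(entries, files):
    """Map {filename: {algorithm: "OK" | "FAILED" | "MISSING" | "UNSUPPORTED"}}."""
    results = {}
    for algo, name, expected in entries:
        slot = results.setdefault(name, {})
        if name not in files:
            slot[algo] = "MISSING"
        elif algo not in hashlib.algorithms_available:
            slot[algo] = "UNSUPPORTED"      # whirlpool needs OpenSSL support
        else:
            digest = hashlib.new(algo, files[name]).hexdigest()
            slot[algo] = "OK" if digest == expected else "FAILED"
    return results


# --- constructed sample: what releng signed vs. what a mirror served -------
ISO = "install-amd64-minimal-20160428.iso"
CONTENTS = ISO + ".CONTENTS"
RELEASE_FILES = {
    ISO: b"\x00" * 2048 + b"constructed iso payload",
    CONTENTS: b"/boot/gentoo\n/boot/gentoo.igz\n",
}
MIRROR_FILES = {   # same .CONTENTS, but the ISO differs in its last byte
    ISO: RELEASE_FILES[ISO][:-1] + b"!",
    CONTENTS: RELEASE_FILES[CONTENTS],
}


def make_manifest(files):
    """Build a clearsign-shaped manifest; the signature block is a placeholder."""
    out = [ARMOR_BEGIN, "Hash: SHA512", ""]
    for name, data in files.items():
        out += ["# SHA512 HASH", f"{hashlib.sha512(data).hexdigest()}  {name}"]
        if "whirlpool" in hashlib.algorithms_available:
            out += ["# WHIRLPOOL HASH",
                    f"{hashlib.new('whirlpool', data).hexdigest()}  {name}"]
    out += [ARMOR_SIG, "(placeholder; a real file carries releng's signature)",
            "-----END PGP SIGNATURE-----"]
    return "\n".join(out) + "\n"


DIGESTS_ASC = make_manifest(RELEASE_FILES)

if __name__ == "__main__":
    for name, algos in check_files(parse_digests(DIGESTS_ASC), MIRROR_FILES).items():
        for algo, status in algos.items():
            print(f"{name}: {algo} {status}")
```

The shell equivalent, once the signature has checked out, is to hand only the SHA512 section to sha512sum, for example `gpg --output - --decrypt install-amd64-minimal-20160428.iso.DIGESTS.asc | awk '/^# SHA512/{f=1;next} /^#/{f=0} f&&NF' | sha512sum --check`, which both verifies the signature (gpg exits non-zero on a bad one) and avoids the spurious WHIRLPOOL failures.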
Comment 2 Jorge Manuel B. S. Vicetto (RETIRED) Gentoo Infrastructure gentoo-dev 2016-05-02 10:49:46 UTC
I've just downloaded the iso from distfiles and run sha512sum locally and I get the same sum as you do.

$ sha512sum install-amd64-minimal-20160428.iso
3c3532d8010004876f0a6e1f7b213604035ffd61e6aa2a39717b67b622538a7b5018405e98c2ee30606558baada808cd48f0310517bb9fd00affba62e1f22435  install-amd64-minimal-20160428.iso
Comment 3 merlin 2016-05-02 14:23:47 UTC
Any idea of what is happening?
Is it possible for you to check which file(s) are different between the good version you have access to and the one served by the mirrors?
Comment 4 Tobias Klausmann (RETIRED) gentoo-dev 2016-05-04 08:32:55 UTC
Also note bug 581524, which may have the same root cause.
Comment 5 Hank Leininger 2016-05-04 16:29:54 UTC
I am seeing the same thing - last night from I believe 64.50.236.52, and just now from 137.226.34.46.

Like the other reporters, I get an install-amd64-minimal-20160428.iso with sha512sum 3c3532d8010004876f0a6e1f7b213604... instead of what the signed DIGESTS.asc says I should, d550010c85bf3be402ff8311ef7bdb210307d...

So there is no install ISO available that is not likely corrupt and possibly maliciously replaced.  It looks like no older install-amd64-minimal ISOs persist on distfiles.gentoo.org.

Can the mismatch be attributed to simple replication failure, in which case the bad version should be removed/replaced, or is this reason to believe that (at least) distfiles.gentoo.org has been compromised?
Comment 6 Nick Leippe 2016-06-03 18:39:52 UTC
Same issue today with the install-amd64-minimal-20160602.iso from at least two mirrors.
DIGESTS file signature verified.
Neither hash matched the iso file.
Comment 7 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2016-06-09 23:54:54 UTC
For everybody else following this, I wrote & posted a tool, and did a write-up for the mirrors list about the issue:
https://archives.gentoo.org/gentoo-mirrors/message/a9fbc7213f832e9918784bb8d334628b
Comment 8 Tadeus Prastowo 2016-07-04 11:09:41 UTC
I downloaded distfiles.gentoo.org/releases/amd64/autobuilds/20160630/install-amd64-minimal-20160630.iso and sha512 on it returns 4b42145ec083318a0e55c32f77d2ffd0b0f315343d41a8287d81fc807a9f043d5a9482e2355c29c479ffb0b39ba2e8e8c6abd610887cf8f4100437cf2e735b21.

Unfortunately, install-amd64-minimal-20160630.iso.DIGESTS.asc says that the hash should be f04f987f5e94a1aa8c9ffc8a08c3bdbed0afd44f680342738d504b7149b9e6bbc49ee1fad851d7eef89103e43fefacaa57e6c7f768d164c3c4e77612e6847a35.

Is there a way to get the non-defective file of install-amd64-minimal-20160630.iso, please?
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2016-07-05 11:10:49 UTC
*** Bug 588062 has been marked as a duplicate of this bug. ***
Comment 10 Lance Albertson 2016-07-05 16:11:18 UTC
(In reply to Tadeus Prastowo from comment #8)
> Is there a way to get the non-defective file of
> install-amd64-minimal-20160630.iso, please?

This should be resolved on my end again. Sorry for the issues.
Comment 11 Jorge Manuel B. S. Vicetto (RETIRED) Gentoo Infrastructure gentoo-dev 2016-11-14 03:13:45 UTC
Closing as fixed.
Feel free to reopen / open a new bug if you hit this again.