!!! Fetched file: gnupg-2.4.0.tar.bz2.sig VERIFY FAILED!
!!! Reason: Filesize does not match recorded size
!!! Got: 238
!!! Expected: 119
Refetching... File renamed to '/var/db/repos/gentoo/distfiles/gnupg-2.4.0.tar.bz2.sig._checksum_failure_.fmtebx1d'
What mirror did you fetch it from? I get the correct file & checksum results, from the distfiles.g.o CDN rotation.
===
$ USE=verify-sig ebuild gnupg-2.4.0.ebuild fetch
 * gnupg-2.4.0.tar.bz2 BLAKE2B SHA512 size ;-) ... [ ok ]
>>> Downloading 'http://distfiles.gentoo.org/distfiles/ad/gnupg-2.4.0.tar.bz2.sig'
--2023-04-20 07:09:15-- http://distfiles.gentoo.org/distfiles/ad/gnupg-2.4.0.tar.bz2.sig
Resolving distfiles.gentoo.org... 2a02:6ea0:d800::2, 212.102.46.8
Connecting to distfiles.gentoo.org|2a02:6ea0:d800::2|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 119 [application/pgp-signature]
Saving to: ‘/home/gentoo/distfiles/gnupg-2.4.0.tar.bz2.sig.__download__’
/home/gentoo/distfiles/gnupg-2.4.0.tar. 100%[============================================================================>] 119 --.-KB/s in 0s
2023-04-20 07:09:16 (21.4 MB/s) - ‘/home/gentoo/distfiles/gnupg-2.4.0.tar.bz2.sig.__download__’ saved [119/119]
 * gnupg-2.4.0.tar.bz2.sig BLAKE2B SHA512 size ;-) ... [ ok ]
===
I have http disabled on my proxy so I get the file from mirrors:

>> Emerging (1 of 1) app-crypt/gnupg-2.4.0::gentoo
 * gnupg-2.4.0.tar.bz2 BLAKE2B SHA512 size ;-) ... [ ok ]
>>> Downloading 'http://distfiles.gentoo.org/distfiles/ad/gnupg-2.4.0.tar.bz2.sig'
--2023-04-20 19:42:24-- http://distfiles.gentoo.org/distfiles/ad/gnupg-2.4.0.tar.bz2.sig
Connecting to 127.0.0.1:8118... connected.
Proxy request sent, awaiting response... 403 Request blocked by Privoxy
2023-04-20 19:42:24 ERROR 403: Request blocked by Privoxy.
>>> Downloading 'https://www.mirrorservice.org/sites/ftp.gnupg.org/gnupg/gnupg-2.4.0.tar.bz2.sig'
--2023-04-20 19:42:24-- https://www.mirrorservice.org/sites/ftp.gnupg.org/gnupg/gnupg-2.4.0.tar.bz2.sig
Connecting to 127.0.0.1:8118... connected.
Proxy request sent, awaiting response... 404 Not Found
2023-04-20 19:42:25 ERROR 404: Not Found.
>>> Downloading 'https://ftp.heanet.ie/mirrors/ftp.gnupg.org/gcrypt/gnupg/gnupg-2.4.0.tar.bz2.sig'
--2023-04-20 19:42:25-- https://ftp.heanet.ie/mirrors/ftp.gnupg.org/gcrypt/gnupg/gnupg-2.4.0.tar.bz2.sig
Connecting to 127.0.0.1:8118... connected.
Proxy request sent, awaiting response... 200 OK
Length: 238 [application/pgp-signature]
Saving to: ‘/var/db/repos/gentoo/distfiles/gnupg-2.4.0.tar.bz2.sig.__download__’
/var/db/repos/gento 100%[===================>] 238 --.-KB/s in 0s
2023-04-20 19:42:27 (99,0 MB/s) - ‘/var/db/repos/gentoo/distfiles/gnupg-2.4.0.tar.bz2.sig.__download__’ saved [238/238]
!!! Fetched file: gnupg-2.4.0.tar.bz2.sig VERIFY FAILED!
!!! Reason: Filesize does not match recorded size
!!! Got: 238
!!! Expected: 119
Refetching... File renamed to '/var/db/repos/gentoo/distfiles/gnupg-2.4.0.tar.bz2.sig._checksum_failure_.fmtebx1d'
>>> Downloading 'https://mirrors.dotsrc.org/gcrypt/gnupg/gnupg-2.4.0.tar.bz2.sig'
--2023-04-20 19:42:27-- https://mirrors.dotsrc.org/gcrypt/gnupg/gnupg-2.4.0.tar.bz2.sig
Connecting to 127.0.0.1:8118... connected.
Proxy request sent, awaiting response... 200 OK
Length: 238 [text/plain]
Saving to: ‘/var/db/repos/gentoo/distfiles/gnupg-2.4.0.tar.bz2.sig.__download__’
/var/db/repos/gento 100%[===================>] 238 --.-KB/s in 0s
2023-04-20 19:42:28 (802 MB/s) - ‘/var/db/repos/gentoo/distfiles/gnupg-2.4.0.tar.bz2.sig.__download__’ saved [238/238]
!!! Fetched file: gnupg-2.4.0.tar.bz2.sig VERIFY FAILED!
!!! Reason: Filesize does not match recorded size
!!! Got: 238
!!! Expected: 119
Refetching... File renamed to '/var/db/repos/gentoo/distfiles/gnupg-2.4.0.tar.bz2.sig._checksum_failure_.fmtebx1d'
>>> Downloading 'https://artfiles.org/gnupg.org/gnupg/gnupg-2.4.0.tar.bz2.sig'
--2023-04-20 19:42:28-- https://artfiles.org/gnupg.org/gnupg/gnupg-2.4.0.tar.bz2.sig
Connecting to 127.0.0.1:8118... connected.
Proxy request sent, awaiting response... 404 Not Found
2023-04-20 19:42:28 ERROR 404: Not Found.
>>> Downloading 'https://www.mirrorservice.org/sites/ftp.gnupg.org/gcrypt/gnupg/gnupg-2.4.0.tar.bz2.sig'
--2023-04-20 19:42:28-- https://www.mirrorservice.org/sites/ftp.gnupg.org/gcrypt/gnupg/gnupg-2.4.0.tar.bz2.sig
Connecting to 127.0.0.1:8118... connected.
Proxy request sent, awaiting response... 200 OK
Length: 238 [application/pgp-signature]
Saving to: ‘/var/db/repos/gentoo/distfiles/gnupg-2.4.0.tar.bz2.sig.__download__’
/var/db/repos/gento 100%[===================>] 238 --.-KB/s in 0s
2023-04-20 19:42:29 (668 MB/s) - ‘/var/db/repos/gentoo/distfiles/gnupg-2.4.0.tar.bz2.sig.__download__’ saved [238/238]
!!! Fetched file: gnupg-2.4.0.tar.bz2.sig VERIFY FAILED!
!!! Reason: Filesize does not match recorded size
!!! Got: 238
!!! Expected: 119
Refetching... File renamed to '/var/db/repos/gentoo/distfiles/gnupg-2.4.0.tar.bz2.sig._checksum_failure_.fmtebx1d'
>>> Downloading 'https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.0.tar.bz2.sig'
--2023-04-20 19:42:29-- https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.0.tar.bz2.sig
Connecting to 127.0.0.1:8118... connected.
Proxy request sent, awaiting response... 200 OK
Length: 238 [application/pgp-signature]
Saving to: ‘/var/db/repos/gentoo/distfiles/gnupg-2.4.0.tar.bz2.sig.__download__’
/var/db/repos/gento 100%[===================>] 238 --.-KB/s in 0s
2023-04-20 19:42:29 (92,3 MB/s) - ‘/var/db/repos/gentoo/distfiles/gnupg-2.4.0.tar.bz2.sig.__download__’ saved [238/238]
!!! Fetched file: gnupg-2.4.0.tar.bz2.sig VERIFY FAILED!
!!! Reason: Filesize does not match recorded size
!!! Got: 238
!!! Expected: 119
Refetching... File renamed to '/var/db/repos/gentoo/distfiles/gnupg-2.4.0.tar.bz2.sig._checksum_failure_.fmtebx1d'
It looks like an additional signature was appended to gnupg-2.4.0.tar.bz2.sig a few days after the initial release. The file on gentoo mirrors only has the first signature.

% gpg --verify gnupg-2.4.0.tar.bz2.sig._checksum_failure_.fx54vn65 gnupg-2.4.0.tar.bz2
gpg: Signature made Fri 16 Dec 2022 12:24:40 PM EST
gpg:                using EDDSA key 6DAA6E64A76D2840571B4902528897B826403ADA
gpg: Good signature from "Werner Koch (dist signing 2020)" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6DAA 6E64 A76D 2840 571B 4902 5288 97B8 2640 3ADA
gpg: Signature made Wed 21 Dec 2022 01:02:59 AM EST
gpg:                using EDDSA key AC8E115BF73E2D8D47FA9908E98E9B2D19C6C8BD
gpg: Good signature from "Niibe Yutaka (GnuPG Release Key)" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: AC8E 115B F73E 2D8D 47FA 9908 E98E 9B2D 19C6 C8BD
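
Added example (not part of the original comments, and not Portage or GnuPG code): a detached .sig file is a sequence of OpenPGP packets, so a second signature can be appended without touching the first, which changes the file's size and checksums while every signature stays valid. This minimal parser lists the issuer fingerprints in a binary .sig; the two 119-byte sample packets and their fingerprints are constructed placeholders, not the real GnuPG release signatures.

```python
def read_packets(data):
    """Yield (tag, body) for each OpenPGP packet (RFC 4880 section 4.2)."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError(f"offset {i}: not an OpenPGP packet header")
        if hdr & 0x40:                          # new-format header
            tag, first = hdr & 0x3F, data[i + 1]
            if first < 192:
                length, i = first, i + 2
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 2] + 192, i + 3
            else:
                raise ValueError("5-octet and partial lengths are not handled here")
        else:                                   # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 3
            if ltype == 3:
                raise ValueError("indeterminate length is not handled here")
            n = 1 << ltype                      # 1, 2 or 4 length octets
            length, i = int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n
        if i + length > len(data):
            raise ValueError("truncated packet")
        yield tag, data[i:i + length]
        i += length

def signature_issuers(sig_bytes):
    """Issuer fingerprints of every v4 signature packet (tag 2), in file order."""
    issuers = []
    for tag, body in read_packets(sig_bytes):
        if tag != 2 or body[0] != 4:
            continue
        pos, end = 6, 6 + int.from_bytes(body[4:6], "big")  # hashed subpackets
        while pos < end:
            slen = body[pos]                    # covers type octet + data
            if slen >= 192:
                raise ValueError("multi-octet subpacket length not handled here")
            if body[pos + 1] & 0x7F == 33:      # issuer fingerprint subpacket
                issuers.append(body[pos + 3:pos + 1 + slen].hex().upper())
            pos += 1 + slen
    return issuers

def _constructed_sig(fpr):
    """Constructed 119-byte stand-in packet; the signature material is zeroed."""
    hashed = bytes([22, 33, 4]) + fpr           # subpacket: len, type 33, v4, fpr
    body = bytes([4, 0, 22, 10]) + len(hashed).to_bytes(2, "big") + hashed
    return bytes([0x88, 117]) + body.ljust(117, b"\0")  # v4, binary, EdDSA, SHA512
MIRROR_COPY = _constructed_sig(b"\x11" * 20)                  # one signer
UPSTREAM_COPY = MIRROR_COPY + _constructed_sig(b"\x22" * 20)  # second one appended
```

An ASCII-armored signature has to be dearmored first (for example with gpg --dearmor); the parser rejects it because the first byte is not a packet header.
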
(In reply to Miroslav Šulc from comment #3)
> I have http disabled on my proxy so I get the file from mirrors:

You could set GENTOO_MIRRORS="https://distfiles.gentoo.org" to avoid this.
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6cdb892ebc845603a20e03457a6e2a2e85fc661e

commit 6cdb892ebc845603a20e03457a6e2a2e85fc661e
Author:     Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2023-04-20 18:12:09 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2023-04-20 18:12:09 +0000

    app-crypt/gnupg: update .sig entries in Manifest

    It appears upstream appended an additional signature.

    Closes: https://bugs.gentoo.org/904695
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 app-crypt/gnupg/Manifest | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
floppym: on the portage emirrordist side I don't recall if we have any alerting for upstream changing distfiles. If we don't, it would be good to add it.