Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 448120 - Digests don't match release
Summary: Digests don't match release
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Infrastructure
Classification: Unclassified
Component: Other web server issues (show other bugs)
Hardware: All Linux
: Highest critical (vote)
Assignee: Gentoo Infrastructure
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-12-21 21:42 UTC by ta2002
Modified: 2012-12-22 03:03 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description ta2002 2012-12-21 21:42:28 UTC 
I am marking this critical because it is either a major mistake or the server has been compromised.


$ wget -S -c 'http://mirrors.us.kernel.org/gentoo//releases/x86/20121221/livedvd-x86-amd64-32ul-20121221.iso'

[...]

2012-12-21 20:58:58 (232 KB/s) - ‘livedvd-x86-amd64-32ul-20121221.iso’ saved [4103079936/4103079936]

[...]

$ dog livedvd-x86-amd64-32ul-20121221.iso.DIGESTS
# MD5 HASH
b83fde344c7231e7946b1541198a56cd  livedvd-x86-amd64-32ul-20121221.iso
23cd450773806f9cc79164c4b3eeeec7  livedvd-x86-amd64-32ul-20121221.iso.CONTENTS
7310d5e025fc9202bd58a581be53befe  livedvd-x86-amd64-32ul-20121221.iso.CONTENTS-squashfs.gz
64cda8d78c1b2eff4a53226dbb21a3ed  livedvd-x86-amd64-32ul-20121221.iso.PACKAGES
38f0954203934175f751fe15ab80891c  livedvd-x86-amd64-32ul-20121221.iso.CREDITS
# SHA1 HASH
602030605540d03d9814805311971cd7f5eeca46  livedvd-x86-amd64-32ul-20121221.iso
e8ff5cf6dfb26ba5ef7c434366de92ee0f088ddd  livedvd-x86-amd64-32ul-20121221.iso.CONTENTS
8f21f09b5ec1b3667a97aaf170e4414216634d43  livedvd-x86-amd64-32ul-20121221.iso.CONTENTS-squashfs.gz
c885591f5339a15dfa779cf69fbc1dca0c95e79e  livedvd-x86-amd64-32ul-20121221.iso.PACKAGES
8ef4fb0cb07d69be624f5f66aa5a0f0717b2ee20  livedvd-x86-amd64-32ul-20121221.iso.CREDITS
# SHA512 HASH
4cd389fe5e8616fbb7a6d5eb6a717a7624b8e8750ae0c800014b7703ed9254b3d5fab7136373d23333da4d9168edbba0e93758ce68ba5e7f5341dea2a052f4ad  livedvd-x86-amd64-32ul-20121221.iso
753d91d99657bc35a20775d7f6dccd799fddc3a27608d52276c5a9af16b8307267759e2db2d84bc39542805f80896bce33c1623857e318f1d60354b78264f393  livedvd-x86-amd64-32ul-20121221.iso.CONTENTS
31c5d00b2e490357275f6f767e1e9f8711df41fb4a994f29ddba846f404f6eaf4e919c859ce45f2dc182ca78999339aec2c28b36dfeb3ae515def15684f43368  livedvd-x86-amd64-32ul-20121221.iso.CONTENTS-squashfs.gz
d0f0b96771e95b11679abed9089db60a60b70475665de408718af2537e7fa735edc7a47606183545c7b397162c09f792d8f763d5a3aba79f47a7c88cc599cab1  livedvd-x86-amd64-32ul-20121221.iso.PACKAGES
de602df31e51aa5388b70ffee306f51746231ff29aa17ca1fd489975008e42ac25c9c3ed46ad8df4547c1d59f4ca6450796d411f82e719b9f0c00bf47ea0b259  livedvd-x86-amd64-32ul-20121221.iso.CREDITS
# WHIRLPOOL HASH
c01076cedd84d9cafad5b460ceb80342bd027cfbeed034fe7f77ef1ab2971058d99017b7571b1004b7fbe0dfe433244a15b8f6a081bdc9e2ffc4df941bce8df4  livedvd-x86-amd64-32ul-20121221.iso.CONTENTS
3a9062c258e9020eb568f7ee1045c3ad681cb770837a78faf2167bb94d395b78c0d8ff82cbb8f9b5cb42bfd31e6ea3c83d49c429f7e629e5948fa72369cd46a7  livedvd-x86-amd64-32ul-20121221.iso.CONTENTS-squashfs.gz
3e3cca1cd8cc881ddb55f3906acb2aad8d76eeea6afe869fc0546547b02f216e0e24b7f82d3b94bce522335e030cdc2a4be85c49e06183a91ed2a9dc87c362c7  livedvd-x86-amd64-32ul-20121221.iso.PACKAGES
5abd4e297a7e2f803e513bde9bb09c12be62731eb700f22fba39987c3bd7d155824170e0deac675c3dba020551ca14c838a4ca99359a220ee8c5bef94b895dbb  livedvd-x86-amd64-32ul-20121221.iso
906953437014cbc79ed20b5e18314e4d729bd45f35aaf9327d71ebc2c83d738c7ae0edcc5ec41471f3be9f8d3d9a40c49e3af16dce3ac47eeba633df98083986  livedvd-x86-amd64-32ul-20121221.iso.CREDITS

$ sha1sum livedvd-x86-amd64-32ul-20121221.iso
c9c07179c949330bc3b399765e35d5cf5e28a380  livedvd-x86-amd64-32ul-20121221.iso


(just in case there was some strange glitch):

$ rsync -acvz --inplace --progress rsync://mirror.mcs.anl.gov/gentoo/releases/x86/20121221/livedvd-x86-amd64-32ul-20121221.iso livedvd-x86-amd64-32ul-20121221.iso
receiving incremental file list

sent 31 bytes  received 110 bytes  0.84 bytes/sec
total size is 4103079936  speedup is 29099857.70

$ md5sum livedvd-x86-amd64-32ul-20121221.iso
f44b4f0a7071d0b16f8035209082e09e  livedvd-x86-amd64-32ul-20121221.iso

$ sha1sum livedvd-x86-amd64-32ul-20121221.iso
c9c07179c949330bc3b399765e35d5cf5e28a380  livedvd-x86-amd64-32ul-20121221.iso

$ sha512sum livedvd-x86-amd64-32ul-20121221.iso
6d0ef2f1694f5c0424822f59e001a418b9d0c8520a44482cb8fea367439f65d01d1bdcce00c365fee3f505e3bb11060f4f8953d198c46d6d5008d806e4745d42  livedvd-x86-amd64-32ul-20121221.iso


Obviously, I will not be using this image until the verification issue is resolved.
Comment 1 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2012-12-21 22:46:18 UTC 
I'm checking it.
Comment 2 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2012-12-21 22:48:35 UTC 
From the masterreleases box, I think some corruption crept into the one ISO, I'm trying to figure out why.

$ f=livedvd-amd64-multilib-20121221.iso.DIGESTS.asc ; gpg  --verify $f && sha1sum -c $f
gpg: Signature made Fri Dec 21 02:07:11 2012 UTC using DSA key ID 17072058
gpg: Good signature from "Gentoo Linux Release Engineering (Gentoo Linux Release Signing Key) <releng@gentoo.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: D99E AC73 79A8 50BC E47D  A5F2 9E64 38C8 1707 2058
livedvd-amd64-multilib-20121221.iso: OK
livedvd-amd64-multilib-20121221.iso.CONTENTS: OK
livedvd-amd64-multilib-20121221.iso.CONTENTS-squashfs.gz: OK
livedvd-amd64-multilib-20121221.iso.CREDITS: OK
livedvd-amd64-multilib-20121221.iso.PACKAGES: OK
sha1sum: WARNING: 25 lines are improperly formatted

$ f=livedvd-x86-amd64-32ul-20121221.iso.DIGESTS.asc ; gpg  --verify $f && sha1sum -c $f
gpg: Signature made Thu Dec 20 23:39:09 2012 UTC using DSA key ID 17072058
gpg: Good signature from "Gentoo Linux Release Engineering (Gentoo Linux Release Signing Key) <releng@gentoo.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: D99E AC73 79A8 50BC E47D  A5F2 9E64 38C8 1707 2058
livedvd-x86-amd64-32ul-20121221.iso: FAILED
livedvd-x86-amd64-32ul-20121221.iso.CONTENTS: OK
livedvd-x86-amd64-32ul-20121221.iso.CONTENTS-squashfs.gz: OK
livedvd-x86-amd64-32ul-20121221.iso.PACKAGES: OK
livedvd-x86-amd64-32ul-20121221.iso.CREDITS: OK
sha1sum: WARNING: 25 lines are improperly formatted
sha1sum: WARNING: 1 computed checksum did NOT match
Comment 3 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2012-12-22 00:19:55 UTC 
Ok, that one iso ended up with a copy of the checksums appended at the end, probably me fat-fingering it when I was signing the digest. It's exactly 2048 bytes too large, and that single 2k of data just has checksums.

If you want to fix it without redownloading:
# truncate -s 4103077888 livedvd-x86-amd64-32ul-20121221.iso

The mirror copy has been fixed.
Comment 4 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2012-12-22 03:03:44 UTC 
*** Bug 448144 has been marked as a duplicate of this bug. ***