Bug 904352 - net-im/skypeforlinux-8.96.0.408 fails to fetch
Summary: net-im/skypeforlinux-8.96.0.408 fails to fetch
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal with 3 votes
Assignee: David Seifert
Keywords: PullRequest
Duplicates: 904362 904485
Reported: 2023-04-15 06:57 UTC by Agostino Sarubbo
Modified: 2023-08-08 04:37 UTC

Attachments
build.log (build.log, 182.09 KB, text/plain)
2023-04-15 06:57 UTC, Agostino Sarubbo
random checksum (ms-sucks.png, 252.45 KB, image/png)
2023-04-17 21:43 UTC, Ghiunhan Mamut

Description Agostino Sarubbo gentoo-dev 2023-04-15 06:57:06 UTC
https://blogs.gentoo.org/ago/2020/07/04/gentoo-tinderbox/

Issue: net-im/skypeforlinux-8.96.0.408 fails to fetch.
Discovered on: amd64 (internal ref: ci)
Comment 1 Agostino Sarubbo gentoo-dev 2023-04-15 06:57:09 UTC
Created attachment 860115 [details]
build.log

build log and emerge --info
Comment 2 Agostino Sarubbo gentoo-dev 2023-04-15 06:57:09 UTC
Error(s) that match a known pattern:


 * Fetch failed for 'net-im/skypeforlinux-8.96.0.408', Log file:
Comment 3 Toralf Förster gentoo-dev 2023-04-15 19:12:00 UTC
*** Bug 904362 has been marked as a duplicate of this bug. ***
Comment 4 Eduardo Coutinho Scalabrin 2023-04-17 10:02:29 UTC
Hello everybody!

As this bug is not yet fixed, I believe this will help:

!!! Fetched file: skypeforlinux_8.96.0.408-1.x86_64.rpm VERIFY FAILED!
!!! Reason: Failed on BLAKE2B verification
!!! Got:      ae5f6b021bcac9817d3bda272a97a4af50a280cd36a5dedd4df9d4cf0c3d7cec320468b7a9d9f6154ef1bb61007379d8e5112534c61c9a2a49f24e197e5e83df
!!! Expected: 22dabd44f7465a777d15ddfd9b234df331e381c84dda60b44c6f6681c455cd7c1a8244b7b7b521d8ca43938d5ba68378232c983b2aae4efe1561927060009192

I believe the error is in the Manifest file...

My greetings!
Comment 5 Alexander Danilov 2023-04-17 15:45:27 UTC
Apparently, the source RPM file is changed periodically.
I compared two files downloaded today and yesterday. These files have different timestamps in the RSA/SHA256 signature, here is the diff from "rpm -qi" output:

< Signature   : RSA/SHA256, Mon Apr 17 12:06:05 2023, Key ID 1f3045a5df7587c3
---
> Signature   : RSA/SHA256, Sun Apr 16 14:21:05 2023, Key ID 1f3045a5df7587c3

I hope that at some time they will stop signing RPM files on a daily basis, and after that the checksum in the Manifest can be updated.
Comment 6 Samuel Bernardo 2023-04-17 16:41:33 UTC
Hi Alexander Danilov,
Would it be possible to store the rpm in Gentoo distfiles, since the upstream is not reliable?
Comment 7 Alexander Danilov 2023-04-17 17:20:36 UTC
I do not know, I am not a maintainer of this package.
The ebuild explicitly restricts mirroring, maybe due to licensing issues.
Comment 8 David Seifert gentoo-dev 2023-04-17 18:04:31 UTC
(In reply to Samuel Bernardo from comment #6)
> Hi Alexander Danilov,
> Would it be possible to store the rpm in Gentoo distfiles, since the
> upstream is not reliable?

Nope, far too legally tricky. If they continue on changing the rpms daily, we might have to remove Skype from Gentoo.
Comment 9 Larry the Git Cow gentoo-dev 2023-04-17 18:05:18 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f32d996a73f27e67fc0fec6c374283f6e9a118f3

commit f32d996a73f27e67fc0fec6c374283f6e9a118f3
Author:     David Seifert <soap@gentoo.org>
AuthorDate: 2023-04-17 18:05:10 +0000
Commit:     David Seifert <soap@gentoo.org>
CommitDate: 2023-04-17 18:05:10 +0000

    net-im/skypeforlinux: update Manifest
    
    Closes: https://bugs.gentoo.org/904352
    Signed-off-by: David Seifert <soap@gentoo.org>

 net-im/skypeforlinux/Manifest | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 10 Jack 2023-04-17 19:38:21 UTC
Looks like they already changed the file again.
Comment 11 Ghiunhan Mamut 2023-04-17 21:36:21 UTC
Something stinks. 

I imported the ebuild into my local overlay and updated the manifest. Thirty seconds later, when I tried to merge it, portage complained about the wrong checksum. So, I removed the rpm from distfiles and updated the manifest again. Lo and behold, a different checksum this time around.

Was it just pure luck on my end? Did I end up catching the window when they silently uploaded the rpm again? I don't know.

DIST skypeforlinux_8.96.0.408-1.x86_64.rpm 124598879 BLAKE2B bf07e7a50ae445a6e768b1b05b4c1dcd598a05f62c2978da0876c196526b75e8af582b47c40e4f642869141ba81631c988a86be653711fb12cd066c1278aa08d SHA512 da7245a42ee9dd211eb839c8267c7f94de0a3e262b4b59caeb74d445dded1aa98869cebfbf9123b879a441abcd3dcfe55a67600156a9ca0ce3198c43a884363d 

And 30 seconds later :

DIST skypeforlinux_8.96.0.408-1.x86_64.rpm 124598879 BLAKE2B bf07e7a50ae445a6e768b1b05b4c1dcd598a05f62c2978da0876c196526b75e8af582b47c40e4f642869141ba81631c988a86be653711fb12cd066c1278aa08d SHA512 da7245a42ee9dd211eb839c8267c7f94de0a3e262b4b59caeb74d445dded1aa98869cebfbf9123b879a441abcd3dcfe55a67600156a9ca0ce3198c43a884363d

I wouldn't be surprised if it changes once again, shortly.
Comment 12 Ghiunhan Mamut 2023-04-17 21:37:52 UTC
Sorry, the first manifest was supposed to be :

DIST skypeforlinux_8.96.0.408-1.x86_64.rpm 124598879 BLAKE2B b950bff81552852491f24a18b9bbe072383e381843d567a78e75ded36bf4e17389ef4e9103c47821545c256f00cbf00d9a0dbee31723250fca3b679d9ef0cdc6 SHA512 e140e9b1b916d8cbf2f4717705808df3d37cf2459c412168fc732dd2705413ff32aeb3af201c0f914c716b8da2d6adc45c0948ff17c3ecdb143b360583becb26

followed by :

DIST skypeforlinux_8.96.0.408-1.x86_64.rpm 124598879 BLAKE2B bf07e7a50ae445a6e768b1b05b4c1dcd598a05f62c2978da0876c196526b75e8af582b47c40e4f642869141ba81631c988a86be653711fb12cd066c1278aa08d SHA512 da7245a42ee9dd211eb839c8267c7f94de0a3e262b4b59caeb74d445dded1aa98869cebfbf9123b879a441abcd3dcfe55a67600156a9ca0ce3198c43a884363d
Comment 13 Ghiunhan Mamut 2023-04-17 21:43:19 UTC
Created attachment 860285 [details]
random checksum

Seems like with every download, the file has a different checksum. Hope someone else can reproduce this.
Comment 14 Harris Landgarten 2023-04-17 21:50:06 UTC
Finally got it to emerge. 

I synced and emerge skypeforlinux

It downloaded again and failed

I then mv the rpm.bad_checksum file to the root name.rpm

I then ebuild --force /var/db/repos/gentoo/net-im/skypeforlinux/….ebuild manifest

Then the emerge skype successfully built
Comment 15 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-04-18 03:04:18 UTC
Can someone run diffoscope on two different versions of the rpm?
Comment 16 amano.kenji 2023-04-18 04:36:22 UTC
I think gentoo should host a copy of rpm file in order to avoid checksum failures.
Comment 17 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-04-18 04:36:38 UTC
(In reply to amano.kenji from comment #16)
> I think gentoo should host a copy of rpm file in order to avoid checksum
> failures.

https://bugs.gentoo.org/904352#c8
Comment 18 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-04-18 06:46:46 UTC
*** Bug 904485 has been marked as a duplicate of this bug. ***
Comment 19 amano.kenji 2023-04-18 08:19:10 UTC
(In reply to Sam James from comment #17)
> https://bugs.gentoo.org/904352#c8

Screw microsoft. Screw everyone who believes in and enforces this legal bullshit.
Comment 20 Alexander Danilov 2023-04-18 08:45:51 UTC
diffoscope only shows differences in SIGPGP and RSAHEADER

It looks like some CI script on the upstream part is signing the latest RPM every 5 minutes. However, since upstream repo is served through CDN, these RPM files are not mirrored instantly.

If I pick different public DNS servers (in order to get different target IPs for CDN) and query modification times of the latest RPM file, they all will be different. I also noticed that repodata/repomd.xml.asc is also updated every 5 minutes. However, since this file is very small, it is instantly mirrored across CDN.

You can use the following code to query modification times with 20 random DNS servers:

latest rpm:
curl -s https://public-dns.info/nameservers.txt | sort -R | head -n 20 | while read dns; do echo $dns;  curl -s --connect-timeout 10 --dns-servers $dns -I https://repo.skype.com/rpm/stable/skypeforlinux_8.96.0.408-1.x86_64.rpm | grep Last-Modified; done

repomd.xml.asc:
curl -s https://public-dns.info/nameservers.txt | sort -R | head -n 20 | while read dns; do echo $dns;  curl -s --connect-timeout 10 --dns-servers $dns -I https://repo.skype.com/rpm/stable/repodata/repomd.xml.asc | grep Last-Modified; done


Security tip for those who want to check GPG-signature of RPM file (no root required) and override Manifest manually:
1. Download RPM file from https://repo.skype.com/rpm/stable/skypeforlinux_8.96.0.408-1.x86_64.rpm
2. Download GPG key from https://repo.skype.com/data/SKYPE-GPG-KEY
3. Check key fingerprint (mine is D404 0146 BE39 7250 9FD5  7FC7 1F30 45A5 DF75 87C3, which looks legit, but you should not trust me, better check for yourself)
gpg --show-keys --with-fingerprint SKYPE-GPG-KEY
4. Import key to rpm database (I use dummy dir /tmp/dummy_root in order to not alter the real system):
rpm --root /tmp/dummy_root --import SKYPE-GPG-KEY
5. Check RPM file signatures (should be "digests signatures OK"):
rpm --root /tmp/dummy_root --checksig skypeforlinux_8.96.0.408-1.x86_64.rpm
6. Delete dummy rpm database:
rm -rf /tmp/dummy_root
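
Added example (not part of comment 20, and not code from Portage or rpm): the diffoscope result above says only the signature header differs between downloads, so a digest taken over everything after that header stays stable while the whole-file BLAKE2B recorded in the Manifest changes. The helper names and the two RPM-shaped sample blobs are constructed for illustration; the second digest is a comparison aid only, and authenticity still comes from the GPG check in the steps above.

```python
import hashlib
import struct

LEAD_SIZE = 96                      # fixed-size RPM lead
LEAD_MAGIC = b"\xed\xab\xee\xdb"
HEADER_MAGIC = b"\x8e\xad\xe8\x01"  # header-structure magic + version


def signature_end(rpm: bytes) -> int:
    """Return the offset where the signature header (plus padding) ends."""
    if rpm[:4] != LEAD_MAGIC:
        raise ValueError("not an RPM: bad lead magic")
    intro = rpm[LEAD_SIZE:LEAD_SIZE + 16]
    if len(intro) < 16 or intro[:4] != HEADER_MAGIC:
        raise ValueError("missing or truncated signature header")
    nindex, hsize = struct.unpack(">II", intro[8:16])
    end = LEAD_SIZE + 16 + 16 * nindex + hsize
    end += -end % 8                 # signature header is padded to 8 bytes
    if end > len(rpm):
        raise ValueError("signature header runs past end of file")
    return end


def digests(rpm: bytes):
    """Return (whole-file BLAKE2B, BLAKE2B of main header + payload only)."""
    body = rpm[signature_end(rpm):]
    return hashlib.blake2b(rpm).hexdigest(), hashlib.blake2b(body).hexdigest()


def build_sample(signature: bytes, body: bytes) -> bytes:
    """Constructed RPM-shaped blob: lead, one-entry signature header, body."""
    lead = LEAD_MAGIC + bytes(LEAD_SIZE - 4)
    # index entry: tag 268 (RSAHEADER), type 7 (binary), offset 0, byte count
    entry = struct.pack(">IIII", 268, 7, 0, len(signature))
    sig = HEADER_MAGIC + bytes(4) + struct.pack(">II", 1, len(signature))
    sig += entry + signature
    sig += bytes(-len(sig) % 8)
    return lead + sig + body


# Constructed samples: same body, signature bytes that differ like a re-sign.
BODY = HEADER_MAGIC + bytes(12) + b"constructed payload bytes"
MONDAY = build_sample(b"sig made Mon Apr 17 12:06:05 2023", BODY)
SUNDAY = build_sample(b"sig made Sun Apr 16 14:21:05 2023!!", BODY)

if __name__ == "__main__":
    for name, blob in (("monday", MONDAY), ("sunday", SUNDAY)):
        whole, content = digests(blob)
        print(name, "file:", whole[:16], "content:", content[:16])
```

On two real downloads of the same release, read each file as bytes and pass it to `digests()`: differing first values with equal second values match what diffoscope reported.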
Comment 21 Pacho Ramos gentoo-dev 2023-04-18 22:54:19 UTC
Is the .deb file also affected? Is the package format being used in Arch for example
Comment 23 Joonas Niilola gentoo-dev 2023-04-19 08:08:02 UTC
(In reply to amano.kenji from comment #19)
> (In reply to Sam James from comment #17)
> > https://bugs.gentoo.org/904352#c8
> 
> Screw microsoft. Screw everyone who believes in and enforces this legal
> bullshit.

The Gentoo Foundation is also based on "this legal bullshit". You can choose to ignore it personally, but I believe the Foundation doesn't want to take risks on a field they're playing. 

Anyway looks like there are solutions for this rather annoying problem.
Comment 24 amano.kenji 2023-04-19 08:29:59 UTC
(In reply to Joonas Niilola from comment #23)
> The Gentoo Foundation is also based on "this legal bullshit". You can choose
> to ignore it personally, but I believe the Foundation doesn't want to take
> risks on a field they're playing. 
> 
> Anyway looks like there are solutions for this rather annoying problem.

I know people can't just ignore governments with monopoly on violence. I'm just saying it's wrong. The fact that we can't ignore violence doesn't mean we shouldn't speak out against it.
Comment 25 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-04-19 14:54:45 UTC
Gentoo Linux's bug tracker is not the place for it.
Comment 26 Ghiunhan Mamut 2023-04-19 21:51:08 UTC
https://github.com/gentoo/gentoo/pull/30657

PR submitted. DEB file seems unaffected.
Comment 27 Ulrich Müller gentoo-dev 2023-04-21 18:16:12 UTC
Has this been reported upstream?
Comment 28 David Seifert gentoo-dev 2023-04-22 14:18:31 UTC
(In reply to Ulrich Müller from comment #27)
> Has this been reported upstream?

It has, but do you really think Microsoft will care?
Comment 29 Larry the Git Cow gentoo-dev 2023-04-22 14:28:17 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b64d7d797b322a0405c9de08cd832d0ebd03210c

commit b64d7d797b322a0405c9de08cd832d0ebd03210c
Author:     V3n3RiX <venerix@koprulu.sector>
AuthorDate: 2023-04-19 21:43:18 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-04-22 14:25:59 +0000

    net-im/skypeforlinux: use .deb build as source due to checksum errors with RPM build
    
    [sam: The RPM seems to be being re-signed every 5 minutes. Switch to the .deb
    which doesn't have this problem.]
    
    Closes: https://bugs.gentoo.org/904352
    Signed-off-by: Ghiunhan Mamut <venerix@redcorelinux.org>
    Closes: https://github.com/gentoo/gentoo/pull/30657
    Signed-off-by: Sam James <sam@gentoo.org>

 net-im/skypeforlinux/Manifest                        | 2 +-
 net-im/skypeforlinux/skypeforlinux-8.96.0.408.ebuild | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)