Author: Miroslav Rovis
Date:
To: dng
Subject: Re: [DNG] BAD sig with Devuan Jessie 1.0.0-RC
Thanks, Rick Moen (in the other short reply, where he suggested pasting
somewhere, what? the trace?, probably not... But the hashes *are* there
in my previous mail, and thanks to PGP they are verifiably exactly what
I sent...)... But I'll see to the missing information. I'm now starting
more serious work on this.

On 170423-17:24+0200, Miroslav Rovis wrote:
> I already sent this message, but it's 110k altogether, and it's awaiting:
>

...
> Because I'm removing the network trace, which is 83k, and makes the
> mail 110k (because of base64). The rest is the same as in previous email
> which is awaiting moderation.
>

...
> ( $ wget \
> https://files.devuan.org/devuan_jessie_rc/installer-iso/devuan_jessie_1.0.0-RC_amd64_DVD.iso
> )


Pls. see about these below in my previous email:
> But let's get the possibility that the hash and sig files that I also downloaded
> from:
> https://files.devuan.org/devuan_jessie_rc/installer-iso/
>
> are to blame.


In the mail the moderators let through there is (I'll post that email at:

https://www.croatiafidelis.hr/foss/cap/cap-170423-devuan-iso-sig/
### --> non-existent at the time of writing this <-- ####

along with other stuff, more below on my plans)
> The shortest is the network trace upon getting the BAD signature upon
> verification, attached (minimal anonymization of just the MACs done
> on it as per my script dump_perl_repl.sh available at
> https://github.com/miroR/uncenz ):
>
> dump_170423_1642_g0n.pcap


And I'll post that now hours-old trace above too (reading the network is
such slow work...).

> which is all in cleartext (no SSL), because I redownloaded
>
> wget http://devuan.c3l.lu/devuan_jessie_rc/installer-iso/SHA256SUMS.asc
> and
> wget http://devuan.c3l.lu/devuan_jessie_rc/installer-iso/SHA256SUMS
>


et cetera...

What I reported is still the case (well it was half an hour or one hour
ago when I started writing this very email that you're reading)...

This is actual paste from terminal (I removed just what is before $):

$ wget https://files.devuan.org/devuan_jessie_rc/installer-iso/SHA256SUMS.asc
--2017-04-23 21:02:35-- https://files.devuan.org/devuan_jessie_rc/installer-iso/SHA256SUMS.asc
Resolving files.devuan.org... 104.236.249.173
Connecting to files.devuan.org|104.236.249.173|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1513 (1.5K) [application/octet-stream]
Saving to: ‘SHA256SUMS.asc’

SHA256SUMS.asc              100%[========================================>]   1.48K  --.-KB/s    in 0s      


2017-04-23 21:02:35 (36.1 MB/s) - ‘SHA256SUMS.asc’ saved [1513/1513]

$ wget https://files.devuan.org/devuan_jessie_rc/installer-iso/SHA256SUMS
--2017-04-23 21:02:37-- https://files.devuan.org/devuan_jessie_rc/installer-iso/SHA256SUMS
Resolving files.devuan.org... 104.236.249.173
Connecting to files.devuan.org|104.236.249.173|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 621 [application/octet-stream]
Saving to: ‘SHA256SUMS’

SHA256SUMS                  100%[========================================>]     621  --.-KB/s    in 0s      


2017-04-23 21:02:38 (9.67 MB/s) - ‘SHA256SUMS’ saved [621/621]

$ gpg --verify SHA256SUMS.asc SHA256SUMS
gpg: Signature made Sat 22 Apr 2017 09:44:23 CEST
gpg:                using RSA key 73B35DA54ACB7D10
gpg: BAD signature from "Denis Roio (Jaromil) <jaromil@???>" [unknown]
$ gpg --recv-key 73B35DA54ACB7D10
gpg: key 73B35DA54ACB7D10: "Denis Roio (Jaromil) <jaromil@???>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
$ grep devuan_jessie_1.0.0-RC_amd64_DVD.iso SHA256SUMS
f4b0fc1fd3c7769055f4b611d8173a6a3be38eced0bcc72c65cc2fefa0914837  devuan_jessie_1.0.0-RC_amd64_DVD.iso
$ grep devuan_jessie_1.0.0-RC_amd64_DVD.iso SHA256SUMS > SHA256SUMS_CHECK
$ cat SHA256SUMS_CHECK
f4b0fc1fd3c7769055f4b611d8173a6a3be38eced0bcc72c65cc2fefa0914837  devuan_jessie_1.0.0-RC_amd64_DVD.iso
$ sha256sum -c SHA256SUMS_CHECK
devuan_jessie_1.0.0-RC_amd64_DVD.iso: OK
$


I've got this trace:

a82af49c5c65aeb83e5cc4b136c38041d44121d029b3b662f7315008d87f30ac dump_170423_2102_g0n.pcap
f29ee5925bd400168b48cdcfef192be5d5d6ed9c90a80cde6c1a8591371be16d dump_170423_2102_g0n_SSLKEYLOGFILE.txt

for the above event.

I'll be working on this, whatever the reason for the BAD sig on that hash,
be it trivial forgetfulness or be it a MITM being deployed, because it is exactly
for reasons like this that I put together my: https://github.com/miroR/uncenz

If I don't break, it should be on:

https://www.croatiafidelis.hr/foss/cap/cap-170423-devuan-iso-sig/

(non-existent directory at the time of writing of this email, and it
will be not just a little bit of work...)

What are the reasons that I put together my uncenz? (Which, BTW, it would
be great if a real programmer made it something more generally usable,
because my skills are too insufficient...)

E.g. if anybody used my uncenz to record those events that are now
undocumented, and I say they are undocumented because this:

Why I don't want to have Pöttersoft on mysystem
https://lists.dyne.org/lurker/message/20170417.151111.69a2f3e0.en.html

is just a say-so, even though by a respectable author; that's not a verifiably reported event...

But if somebody alerted me to record it with my uncenz, it would have
been documented for posterity... (Granted also that I would have been
available in time, which, sadly is just not always the case, I work
terribly slow...)

And if this PGP-signature failing is an attack or if it is a blunder, I
really don't know. But I also don't want anybody to think that my claims
are just mistakes of a user who is that badly incapable, I don't want
that either...

---

Pls., so I can try and start installing Devuan for real, can any of you
developers in charge PGP-sign an answer to this question of mine with
your PGP-key, so I can believe that I got genuine Devuan media? Pls. sign
your answer to the following question:

Is this media:

devuan_jessie_1.0.0-RC_amd64_DVD.iso

from:

https://files.devuan.org/devuan_jessie_rc/

correct if its hash is:

f4b0fc1fd3c7769055f4b611d8173a6a3be38eced0bcc72c65cc2fefa0914837 devuan_jessie_1.0.0-RC_amd64_DVD.iso

?

Thank you!

---
I'm also attaching the SHA256SUMS.asc and SHA256SUMS from the new event
further above (and they are the same ones as in my previous email!, just
this time gotten anew; however, they will be extractable from the trace
once I post it at the already mentioned, at the time of writing
nonexistent URL on CroatiaFidelis.hr), reported by the paste from my
terminal, and also which network trace, and the ephemeral SSL-keys hash
like below:

a82af49c5c65aeb83e5cc4b136c38041d44121d029b3b662f7315008d87f30ac dump_170423_2102_g0n.pcap
f29ee5925bd400168b48cdcfef192be5d5d6ed9c90a80cde6c1a8591371be16d dump_170423_2102_g0n_SSLKEYLOGFILE.txt

(
but of course, I'm not attaching those, they will be on:
https://www.croatiafidelis.hr/foss/cap/cap-170423-devuan-iso-sig/
--at the time of writing nonexistent--
if I don't break in the meantime, ermh... from mental stress ;-(
)

Thanks again if any of you devs in charge confirm that the SHA256 sum
that I downloaded is correct! And thanks for everybody's patience (of
which more will likely be needed)...

--
Miroslav Rovis
Zagreb, Croatia
https://www.CroatiaFidelis.hr
39ac1f1cdd007e998a99b6ba083ee230df1178c2675dff06356afd8724829e8c devuan_jessie_1.0.0-RC_amd64_CD.iso
f4b0fc1fd3c7769055f4b611d8173a6a3be38eced0bcc72c65cc2fefa0914837 devuan_jessie_1.0.0-RC_amd64_DVD.iso
d418998acbae2a7c6a60430c6192e13da7c8ad14da4a63fafe3b08a79621914d devuan_jessie_1.0.0-RC_amd64_NETINST.iso
0e7b035065f8edb2382c33be399084db75310e24c8202f7eda0f6446d4cee243 devuan_jessie_1.0.0-RC_i386_CD.iso
c8503f5196a2fc5663d277f2e4741fed17028011bbb4cd1fcb1dfc0751036eb1 devuan_jessie_1.0.0-RC_i386_DVD.iso
ac8314c6289542f6dd988290a58f491c267aa7dfd0db98be4d974b70cef5dd4d devuan_jessie_1.0.0-RC_i386_NETINST.iso
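An added example, not part of the mail above and not Devuan's own tooling, showing how a script should consume the outcome the mail reports. The terminal paste shows the two checks in the wrong order of trust: `sha256sum -c` said OK, but that digest came from a SHA256SUMS file whose signature gpg reported as BAD. A BAD signature is not the same as "No public key": gpg found the key 73B35DA54ACB7D10, ran the check, and the signature does not cover the bytes in SHA256SUMS (the file changed after signing, or the .asc belongs to another version of it). The code parses gpg's machine-readable `--status-fd` lines instead of grepping "Good signature", pins the signing key to a fingerprint, and only then trusts a digest from SHA256SUMS. The status lines, the fingerprint (a placeholder whose last 16 hex digits are the key id from the mail, not the real fingerprint), the user id text and the ISO bytes are all constructed here.

```python
"""Fail-closed check of an ISO against a PGP-signed SHA256SUMS (added example)."""
import hashlib
import re
import subprocess
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")


@dataclass
class SigResult:
    state: str                         # good | bad | no_pubkey | expired | revoked | error
    key_id: Optional[str] = None       # long key id gpg reported
    primary_fpr: Optional[str] = None  # primary key fingerprint from VALIDSIG


def gpg_status_lines(asc_path: str, data_path: str) -> List[str]:
    """Run gpg and return its status-fd lines. The exit code is deliberately ignored:
    BADSIG / NO_PUBKEY are reported in the lines, which is what we parse."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", asc_path, data_path],
        capture_output=True, text=True, check=False)
    return proc.stdout.splitlines()


def parse_gpg_status(lines: List[str]) -> SigResult:
    """Reduce gpg status lines to one verdict. BADSIG: key known, signature does not
    match the data. NO_PUBKEY: nothing was checked at all. Anything else: error."""
    res = SigResult(state="error")
    for line in lines:
        m = STATUS_RE.match(line.strip())
        if not m:
            continue
        tag, args = m.group(1), (m.group(2) or "").split()
        if tag == "GOODSIG":
            res.state, res.key_id = "good", args[0]
        elif tag == "BADSIG":
            res.state, res.key_id = "bad", args[0]
        elif tag == "NO_PUBKEY":
            res.state, res.key_id = "no_pubkey", args[0]
        elif tag == "EXPKEYSIG":
            res.state, res.key_id = "expired", args[0]
        elif tag == "REVKEYSIG":
            res.state, res.key_id = "revoked", args[0]
        elif tag == "VALIDSIG" and len(args) >= 10:
            res.primary_fpr = args[9].upper()  # 10th field: primary key fingerprint
    return res


def parse_sha256sums(text: str) -> Dict[str, str]:
    """Parse sha256sum(1) output: '<hex>  <name>' or '<hex> *<name>' (binary mode)."""
    sums: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2 or not re.fullmatch(r"[0-9a-fA-F]{64}", parts[0]):
            continue
        digest, name = parts
        sums[name[1:] if name.startswith("*") else name] = digest.lower()
    return sums


def verify_release(status_lines: List[str], sums_text: str, iso_name: str,
                   iso_bytes: bytes, trusted_fpr: str) -> Tuple[str, str]:
    """Accept only if the signature over SHA256SUMS is good AND from the pinned key
    AND the listed digest matches. A matching sha256sum alone proves nothing: whoever
    can alter the ISO in transit can alter an unsigned SHA256SUMS just as easily."""
    sig = parse_gpg_status(status_lines)
    if sig.state != "good":
        return "reject", f"signature state: {sig.state} (key {sig.key_id})"
    if sig.primary_fpr != trusted_fpr.replace(" ", "").upper():
        return "reject", f"good signature, but from unexpected key {sig.primary_fpr}"
    expected = parse_sha256sums(sums_text).get(iso_name)
    if expected is None:
        return "reject", f"{iso_name} not listed in the signed SHA256SUMS"
    actual = hashlib.sha256(iso_bytes).hexdigest()
    if actual != expected:
        return "reject", f"digest mismatch: {actual} != {expected}"
    return "accept", actual


# --- constructed sample data (placeholders, not real artefacts) ---
KEY_ID = "73B35DA54ACB7D10"                         # key id printed in the mail
TRUSTED_FPR = "0000000000000000FFFFFFFF" + KEY_ID   # placeholder 40-hex fingerprint
ISO_NAME = "devuan_jessie_1.0.0-RC_amd64_DVD.iso"
FAKE_ISO = b"not a real ISO image, constructed for the example\n"

# What the mail shows: SHA256SUMS lists a digest for the DVD, but gpg says BADSIG.
BAD_STATUS = [
    "[GNUPG:] NEWSIG",
    f"[GNUPG:] BADSIG {KEY_ID} Denis Roio (Jaromil) <jaromil@???>",
]
PAGE_SUMS = f"f4b0fc1fd3c7769055f4b611d8173a6a3be38eced0bcc72c65cc2fefa0914837  {ISO_NAME}\n"

# The healthy case: GOODSIG plus a VALIDSIG line carrying the fingerprint, and a
# sums file listing the digest of FAKE_ISO (timestamp fields are constructed too).
GOOD_STATUS = [
    "[GNUPG:] NEWSIG",
    f"[GNUPG:] GOODSIG {KEY_ID} Denis Roio (Jaromil) <jaromil@???>",
    f"[GNUPG:] VALIDSIG {TRUSTED_FPR} 2017-04-22 1492847063 0 4 0 1 10 00 {TRUSTED_FPR}",
]
GOOD_SUMS = f"{hashlib.sha256(FAKE_ISO).hexdigest()}  {ISO_NAME}\n"

if __name__ == "__main__":
    print(verify_release(BAD_STATUS, PAGE_SUMS, ISO_NAME, FAKE_ISO, TRUSTED_FPR))
    print(verify_release(GOOD_STATUS, GOOD_SUMS, ISO_NAME, FAKE_ISO, TRUSTED_FPR))
```

In real use `gpg_status_lines("SHA256SUMS.asc", "SHA256SUMS")` replaces the constructed status lists, and the trusted fingerprint is obtained out of band (not fetched from the same server as the ISO). Pinning on the VALIDSIG fingerprint matters because GOODSIG alone is also emitted for any key that happens to be in the local keyring, including one fetched unverified with `--recv-key`.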