:: Re: [DNG] beowulf-security (armhf)
Author: Florian Zieboll
Date:  
To: dng
Subject: Re: [DNG] beowulf-security (armhf)
On Mon, 21 Dec 2020 11:49:47 +0100
"dng@???" <dng@???> wrote:

> On 21-12-2020 11:41, Florian Zieboll via Dng wrote:
> > Hallo,
> >
> > since yesterday, on /one/ of my two 'armhf' SBCs running Beowulf,
> > updating the available packages from the 'beowulf-security' repo at
> > 'http://deb.devuan.org/merged/' fails with a hash sum mismatch:
> >
> >     E: Failed to fetch http://deb.devuan.org/merged/dists/beowulf-security/main/binary-armhf/Packages.gz  Hash Sum mismatch
> >        Hashes of expected file:
> >         - Filesize:313442 [weak]
> >         - SHA256:8bb364c5751d0f71cec2b6f62e460430dc10255dbdaa04824f8b4f4bfdb4056d
> >        Hashes of received file:
> >         - SHA256:e88fc4cfd052a1eab057ff1c61fbaa31e00d926bd513e9f629a9def18492bcc9
> >         - Filesize:313442 [weak]
> >        Last modification reported: Mon, 21 Dec 2020 03:21:07 +0000
> >        Release file created at: Mon, 21 Dec 2020 03:30:03 +0000
> >
> > I tried to update using TLS, but then I get a cert error:
> >
> >     Err:4 https://deb.devuan.org/merged beowulf-security Release
> >       Certificate verification failed: The certificate is NOT trusted. The name in the certificate does not match the expected. Could not handshake: Error in the certificate verification. [IP: 195.85.215.180 443]
> >
> > The served certificate had been issued for 'devuan.packet-gain.de':
> >
> >     Serial Number
> >     03:BD:C3:B7:3A:5C:21:6F:C2:AE:E3:EE:7F:EB:25:C6:64:0B
> >
> >     SHA-256
> >     24:8E:31:3C:3D:41:98:FC:CC:33:5A:D1:5A:70:4E:43:84:19:FF:9E:7E:B9:51:D6:49:A2:95:86:A4:9B:7B:AB
> >
> >     SHA-1
> >     D9:91:FF:59:E0:0E:86:1C:81:57:C0:EF:C2:71:72:04:8C:33:D8:5E
> >
> > The same happens with 'http://pkgmaster.devuan.org/merged' - as
> > already mentioned only with one device, the other one updates fine.
> >
> > Is there any spare light to be shed on this issue?
> >
> > Thanks and best regards,
> > Florian
> >
>
> You could try to use https://devuan.packet-gain.de temporarily instead
> of http://deb.devuan.org/merged/.



Hallo Nick,

thank you for the suggestion, but this solves the server certificate
problem only: The hash sum mismatch for the release file afterwards
remains. I suspect(ed, see below) a local issue on my side, as my other
armhf beowulf device with the identical 'beowulf-security' line in the
'sources.list' updates (updated) fine.

I tried with two suggestions from a websearch:

After running

    $ apt-get clean
    $ rm -rf /var/lib/apt/lists/*
    $ apt-get clean


'apt update' came up with a second hash sum mismatch, for the
'beowulf/main' repository. Now I get

    E: Failed to fetch http://deb.devuan.org/merged/dists/beowulf/main/binary-armhf/Packages.gz  Hash Sum mismatch
       Hashes of expected file:
        - Filesize:10453353 [weak]
        - SHA256:82e4bb0928025f1aa75bdb03eab02ff23c213531feb135a418f17c3c70e59e41
       Hashes of received file:
        - SHA256:80faa01ad41a6b626c699919112b8d5800db448f1237a5bdd3196f05b71a2f2d
        - Filesize:10453353 [weak]
       Last modification reported: Mon, 21 Dec 2020 03:21:00 +0000
       Release file created at: Mon, 21 Dec 2020 03:30:02 +0000
    E: Failed to fetch http://deb.devuan.org/merged/dists/beowulf/main/Contents-armhf.gz  
    E: Failed to fetch http://deb.devuan.org/merged/dists/beowulf-security/main/binary-armhf/Packages.gz  Hash Sum mismatch
       Hashes of expected file:
        - Filesize:313442 [weak]
        - SHA256:8bb364c5751d0f71cec2b6f62e460430dc10255dbdaa04824f8b4f4bfdb4056d
       Hashes of received file:
        - SHA256:e88fc4cfd052a1eab057ff1c61fbaa31e00d926bd513e9f629a9def18492bcc9
        - Filesize:313442 [weak]
       Last modification reported: Mon, 21 Dec 2020 03:21:07 +0000
       Release file created at: Mon, 21 Dec 2020 03:30:03 +0000
    E: Failed to fetch http://deb.devuan.org/merged/dists/beowulf-security/main/Contents-armhf.gz  



Running

    $ apt-get -o Acquire::BrokenProxy="true" -o Acquire::http::No-Cache="true" -o Acquire::http::Pipeline-Depth="0" update


did not result in any further changes, also after repeating the 'apt
clean' attempt. Therefore, with these two repos not available, the
upgrade wants to pull in all the packages from pinned (150) backports.


In the meantime, my other 'armhf' device started to get hash sum mismatches
on update as well. For better visibility, I embezzle the third error for
'beowulf-updates':

    E: Failed to fetch http://deb.devuan.org/merged/dists/beowulf/main/Contents-armhf.gz  Hash Sum mismatch
       Hashes of expected file:
        - Filesize:31984703 [weak]
        - SHA256:b2c022ec6bfc1544e75a4c4619e525c4028fdee374ea5af5723cfe501d3986be
       Hashes of received file:
        - SHA256:1bf6ed78d1d42ff2742845e31eedd35a97e90657aea0779715a5ca0ba365bfd2
        - Filesize:31984703 [weak]
       Last modification reported: Sun, 20 Dec 2020 01:36:34 +0000
       Release file created at: Mon, 21 Dec 2020 03:30:02 +0000
    E: Failed to fetch http://deb.devuan.org/merged/dists/beowulf-security/main/Contents-armhf.gz  Hash Sum mismatch
       Hashes of expected file:
        - Filesize:36 [weak]
        - SHA256:77a4c02b866715c333d61d7f0968893bfccc4bd3f19dadf74178b0a722c05cf2
       Hashes of received file:
        - SHA256:8a54ddffbc409e34ac4c037acf36a6c2b6ac8a44a66ec798c37a097c9f341f9a
        - Filesize:36 [weak]
       Last modification reported: Sun, 20 Dec 2020 01:36:39 +0000
       Release file created at: Mon, 21 Dec 2020 03:30:03 +0000



Interestingly, both systems seem to expect different files (regarding
file size and hash), while on each system the 'expected' and 'received'
file sizes do concur with each other and the rejected files' hashes do
not change over several runs.


thanks and libre Grüße,
Florian
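
An added example, not part of the original message: a minimal Python check of a fetched index file against the SHA256 section of a Release file, separating a size mismatch from the case reported above, where the size matches and only the hash differs. The Release text and file contents are constructed samples, the function names are hypothetical, and the Release file is assumed to have had its signature verified already.

```python
import hashlib

def parse_release_sha256(release_text):
    """Return {relative_path: (sha256_hex, size)} from a Release file's SHA256 field."""
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if not line.startswith(" "):
            # A non-indented line starts a new field; only "SHA256:" is of interest.
            in_section = line.strip() == "SHA256:"
            continue
        if in_section:
            parts = line.split()
            if len(parts) == 3:  # "<hash> <size> <path>"
                digest, size, path = parts
                entries[path] = (digest.lower(), int(size))
    return entries

def check_index(entries, path, data):
    """Classify the fetched bytes of an index file against its Release entry."""
    if path not in entries:
        return "not-listed"
    want_hash, want_size = entries[path]
    if len(data) != want_size:
        return "size-mismatch"
    if hashlib.sha256(data).hexdigest() != want_hash:
        # Same length, different content: e.g. a cache or mirror serving
        # another generation of the file than the Release file describes.
        return "hash-mismatch-same-size"
    return "ok"

# Constructed sample data (not taken from any real repository).
PATH = "main/binary-armhf/Packages"
GOOD = b"Package: example\nVersion: 1.0-1\n"
STALE = b"Package: example\nVersion: 0.9-1\n"  # same length as GOOD
RELEASE = (
    "Origin: Example\n"
    "Suite: example-security\n"
    "MD5Sum:\n"
    " 00000000000000000000000000000000 %d %s\n"
    "SHA256:\n"
    " %s %d %s\n"
) % (len(GOOD), PATH, hashlib.sha256(GOOD).hexdigest(), len(GOOD), PATH)

if __name__ == "__main__":
    listed = parse_release_sha256(RELEASE)
    for label, blob in (("good", GOOD), ("stale", STALE)):
        print(label, check_index(listed, PATH, blob))
```
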