[
https://issues.apache.org/jira/browse/OPENMEETINGS-2720?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Georg Pfuetzenreuter updated OPENMEETINGS-2720:
-----------------------------------------------
Description:
Hi,
Hoping this has not already been discussed in a ticket my search query did not
cover.
I noticed all the SHA512 sums do not match the archive files, and the
signatures all verify as BAD - besides the SHA512 files not being formatted
properly:
{code:java}
## TAR binary
$ sha512sum -c apache-openmeetings-6.2.0.tar.gz
sha512sum: apache-openmeetings-6.2.0.tar.gz: no properly formatted SHA512
checksum lines found
$ cat apache-openmeetings-6.2.0.tar.gz.sha512
37a42ce7b4ee954013c09820e6501f8996d357327cebeff1e8b125ba3dc74f86f961d2175c81ec7951ce30b255ec833f3118465b838aa543dac3b7a9f85452ca
$ sha512sum apache-openmeetings-6.2.0.tar.gz
69373cf1bb1c2a7344a0e8554bccdb999dd360dda0c6fe653c0936a38c3e4a7c62c95a0a33734d0a88e01bf53930fd5d38efaadce42f88ce57dbb88572f82dda
apache-openmeetings-6.2.0.tar.gz
$ gpg --verify apache-openmeetings-6.2.0.tar.gz.asc
apache-openmeetings-6.2.0.tar.gz
gpg: Signature made Thu 21 Oct 2021 10:20:02 AM CEST
gpg: using RSA key BF13CF11F9C90CBE441309AB005516BF93A30395
gpg: BAD signature from "Sebastian Wagner <sebawag...@apache.org>" [unknown]
## ZIP binary
$ sha512sum -c apache-openmeetings-6.2.0.zip.sha512
sha512sum: apache-openmeetings-6.2.0.zip.sha512: no properly formatted SHA512
checksum lines found
$ cat apache-openmeetings-6.2.0.zip.sha512
95271a35856ea2f80795f30a032f4677f2e5232dcf329ad727897ff48144a31fccfd320b250c4f9ce147c5b7c31f8d437fe487e29df9eb4e3181c36a3546d585
$ sha512sum apache-openmeetings-6.2.0.zip
7270b3c006d2a1000caa1c1e4f1cc850c74631a821343b8433d81605d048907742b5ced76db02154cad0a215726335ebbb1fc55e741b9474c6d4a09eb51bf645
apache-openmeetings-6.2.0.zip
$ gpg --verify apache-openmeetings-6.2.0.zip.asc apache-openmeetings-6.2.0.zip
gpg: Signature made Thu 21 Oct 2021 10:20:04 AM CEST
gpg: using RSA key BF13CF11F9C90CBE441309AB005516BF93A30395
gpg: BAD signature from "Sebastian Wagner <sebawag...@apache.org>" [unknown]
## TAR SOURCE
$ sha512sum -c apache-openmeetings-6.2.0-src.tar.gz.sha512
sha512sum: apache-openmeetings-6.2.0-src.tar.gz.sha512: no properly formatted
SHA512 checksum lines found
$ cat apache-openmeetings-6.2.0-src.tar.gz.sha512
dc93c6ea409a560c588babac09d0eea3008ce0c4656061c10b8a0b10ed6a832dea010a7855df8f238dfaf80fdf8b13f57966b7c169952ada8063baaa5f3779c9
$ sha512sum apache-openmeetings-6.2.0-src.tar.gz
7debb392b67eec85c6444dd64d0ca3ecc3753025a2bf96cac8224085caded9cfac016c0844f420a280676bdf366daecc01d1fd4377f42d8ad8e8025b42427f83
apache-openmeetings-6.2.0-src.tar.gz
$ gpg --verify apache-openmeetings-6.2.0-src.tar.gz.asc
apache-openmeetings-6.2.0-src.tar.gz
gpg: Signature made Thu 21 Oct 2021 10:20:04 AM CEST
gpg: using RSA key BF13CF11F9C90CBE441309AB005516BF93A30395
gpg: BAD signature from "Sebastian Wagner <sebawag...@apache.org>" [unknown]
##ZIP SOURCE
$ sha512sum -c apache-openmeetings-6.2.0-src.zip.sha512
sha512sum: apache-openmeetings-6.2.0-src.zip.sha512: no properly formatted
SHA512 checksum lines found
$ cat apache-openmeetings-6.2.0-src.zip.sha512
86f1ee26f0edd3ee3c4de078380951e634e2c207b1e3653ea6f3b0c4569320effc8d195e7afb8353401a6e8cba6be3d6dcda58c4bfcffef41de7889d778098d5
$ gpg --verify apache-openmeetings-6.2.0-src.zip.asc
apache-openmeetings-6.2.0-src.zip
gpg: Signature made Thu 21 Oct 2021 10:20:04 AM CEST
gpg: using RSA key BF13CF11F9C90CBE441309AB005516BF93A30395
gpg: BAD signature from "Sebastian Wagner <sebawag...@apache.org>" [unknown]
{code}
I acquired the files and the public keys using the links on this page:
[https://openmeetings.apache.org/downloads.html]
Given that it shows the same behavior on all files I assume the issue is not on
my end.
Is this project still maintained?
If so, it would be fantastic if the signatures and checksums could be repaired.
If not, I suggest placing a notice on the download page.
Thanks for your great work with this software!
Best,
Georg
was:
Hi,
Hoping this has not already been discussed in a ticket my search query did not
cover.
I noticed all the SHA512 sums do not match the archive files, and the
signatures all verify as BAD - besides the SHA512 files not being formatted
properly:
{code:java}
$ sha512sum -c apache-openmeetings-6.2.0.tar.gz
sha512sum: apache-openmeetings-6.2.0.tar.gz: no properly formatted SHA512
checksum lines found
$ cat apache-openmeetings-6.2.0.tar.gz.sha512
37a42ce7b4ee954013c09820e6501f8996d357327cebeff1e8b125ba3dc74f86f961d2175c81ec7951ce30b255ec833f3118465b838aa543dac3b7a9f85452ca
$ sha512sum apache-openmeetings-6.2.0.tar.gz
69373cf1bb1c2a7344a0e8554bccdb999dd360dda0c6fe653c0936a38c3e4a7c62c95a0a33734d0a88e01bf53930fd5d38efaadce42f88ce57dbb88572f82dda
apache-openmeetings-6.2.0.tar.gz
$ gpg --verify apache-openmeetings-6.2.0.tar.gz.asc
apache-openmeetings-6.2.0.tar.gz
gpg: Signature made Thu 21 Oct 2021 10:20:02 AM CEST
gpg: using RSA key BF13CF11F9C90CBE441309AB005516BF93A30395
gpg: BAD signature from "Sebastian Wagner <sebawag...@apache.org>" [unknown]
$ sha512sum -c apache-openmeetings-6.2.0.zip.sha512
sha512sum: apache-openmeetings-6.2.0.zip.sha512: no properly formatted SHA512
checksum lines found
$ cat apache-openmeetings-6.2.0.zip.sha512
95271a35856ea2f80795f30a032f4677f2e5232dcf329ad727897ff48144a31fccfd320b250c4f9ce147c5b7c31f8d437fe487e29df9eb4e3181c36a3546d585
$ sha512sum apache-openmeetings-6.2.0.zip
7270b3c006d2a1000caa1c1e4f1cc850c74631a821343b8433d81605d048907742b5ced76db02154cad0a215726335ebbb1fc55e741b9474c6d4a09eb51bf645
apache-openmeetings-6.2.0.zip
$ gpg --verify apache-openmeetings-6.2.0.zip.asc apache-openmeetings-6.2.0.zip
gpg: Signature made Thu 21 Oct 2021 10:20:04 AM CEST
gpg: using RSA key BF13CF11F9C90CBE441309AB005516BF93A30395
gpg: BAD signature from "Sebastian Wagner <sebawag...@apache.org>" [unknown]
$ sha512sum -c apache-openmeetings-6.2.0-src.tar.gz.sha512
sha512sum: apache-openmeetings-6.2.0-src.tar.gz.sha512: no properly formatted
SHA512 checksum lines found
$ cat apache-openmeetings-6.2.0-src.tar.gz.sha512
dc93c6ea409a560c588babac09d0eea3008ce0c4656061c10b8a0b10ed6a832dea010a7855df8f238dfaf80fdf8b13f57966b7c169952ada8063baaa5f3779c9
$ sha512sum apache-openmeetings-6.2.0-src.tar.gz
7debb392b67eec85c6444dd64d0ca3ecc3753025a2bf96cac8224085caded9cfac016c0844f420a280676bdf366daecc01d1fd4377f42d8ad8e8025b42427f83
apache-openmeetings-6.2.0-src.tar.gz
$ gpg --verify apache-openmeetings-6.2.0-src.tar.gz.asc
apache-openmeetings-6.2.0-src.tar.gz
gpg: Signature made Thu 21 Oct 2021 10:20:04 AM CEST
gpg: using RSA key BF13CF11F9C90CBE441309AB005516BF93A30395
gpg: BAD signature from "Sebastian Wagner <sebawag...@apache.org>" [unknown]
$ sha512sum -c apache-openmeetings-6.2.0-src.zip.sha512
sha512sum: apache-openmeetings-6.2.0-src.zip.sha512: no properly formatted
SHA512 checksum lines found
$ cat apache-openmeetings-6.2.0-src.zip.sha512
86f1ee26f0edd3ee3c4de078380951e634e2c207b1e3653ea6f3b0c4569320effc8d195e7afb8353401a6e8cba6be3d6dcda58c4bfcffef41de7889d778098d5
$ gpg --verify apache-openmeetings-6.2.0-src.zip.asc
apache-openmeetings-6.2.0-src.zip
gpg: Signature made Thu 21 Oct 2021 10:20:04 AM CEST
gpg: using RSA key BF13CF11F9C90CBE441309AB005516BF93A30395
gpg: BAD signature from "Sebastian Wagner <sebawag...@apache.org>" [unknown]
{code}
I acquired the files and the public keys using the links on this page:
[https://openmeetings.apache.org/downloads.html]
Given that it shows the same behavior on all files I assume the issue is not on
my end.
Is this project still maintained?
If so, it would be fantastic if the signatures and checksums could be repaired.
If not, I suggest placing a notice on the download page.
Thanks for your great work with this software!
Best,
Georg
> Bad signatures and checksums
> ----------------------------
>
> Key: OPENMEETINGS-2720
> URL: https://issues.apache.org/jira/browse/OPENMEETINGS-2720
> Project: Openmeetings
> Issue Type: Bug
> Components: Release
> Affects Versions: 6.2.0
> Reporter: Georg Pfuetzenreuter
> Assignee: Maxim Solodovnik
> Priority: Major
> Labels: newbie, security
>
> Hi,
> Hoping this has not already been discussed in a ticket my search query did
> not cover.
> I noticed all the SHA512 sums do not match the archive files, and the
> signatures all verify as BAD - besides the SHA512 files not being formatted
> properly:
>
> {code:java}
> ## TAR binary
> $ sha512sum -c apache-openmeetings-6.2.0.tar.gz
> sha512sum: apache-openmeetings-6.2.0.tar.gz: no properly formatted SHA512
> checksum lines found
> $ cat apache-openmeetings-6.2.0.tar.gz.sha512
> 37a42ce7b4ee954013c09820e6501f8996d357327cebeff1e8b125ba3dc74f86f961d2175c81ec7951ce30b255ec833f3118465b838aa543dac3b7a9f85452ca
>
>
> $ sha512sum apache-openmeetings-6.2.0.tar.gz
> 69373cf1bb1c2a7344a0e8554bccdb999dd360dda0c6fe653c0936a38c3e4a7c62c95a0a33734d0a88e01bf53930fd5d38efaadce42f88ce57dbb88572f82dda
> apache-openmeetings-6.2.0.tar.gz
> $ gpg --verify apache-openmeetings-6.2.0.tar.gz.asc
> apache-openmeetings-6.2.0.tar.gz
> gpg: Signature made Thu 21 Oct 2021 10:20:02 AM CEST
> gpg: using RSA key BF13CF11F9C90CBE441309AB005516BF93A30395
> gpg: BAD signature from "Sebastian Wagner <sebawag...@apache.org>" [unknown]
> ## ZIP binary
> $ sha512sum -c apache-openmeetings-6.2.0.zip.sha512
> sha512sum: apache-openmeetings-6.2.0.zip.sha512: no properly formatted SHA512
> checksum lines found
> $ cat apache-openmeetings-6.2.0.zip.sha512
> 95271a35856ea2f80795f30a032f4677f2e5232dcf329ad727897ff48144a31fccfd320b250c4f9ce147c5b7c31f8d437fe487e29df9eb4e3181c36a3546d585
>
>
> $ sha512sum apache-openmeetings-6.2.0.zip
> 7270b3c006d2a1000caa1c1e4f1cc850c74631a821343b8433d81605d048907742b5ced76db02154cad0a215726335ebbb1fc55e741b9474c6d4a09eb51bf645
> apache-openmeetings-6.2.0.zip
> $ gpg --verify apache-openmeetings-6.2.0.zip.asc
> apache-openmeetings-6.2.0.zip
> gpg: Signature made Thu 21 Oct 2021 10:20:04 AM CEST
> gpg: using RSA key BF13CF11F9C90CBE441309AB005516BF93A30395
> gpg: BAD signature from "Sebastian Wagner <sebawag...@apache.org>" [unknown]
> ## TAR SOURCE
> $ sha512sum -c apache-openmeetings-6.2.0-src.tar.gz.sha512
> sha512sum: apache-openmeetings-6.2.0-src.tar.gz.sha512: no properly formatted
> SHA512 checksum lines found
> $ cat apache-openmeetings-6.2.0-src.tar.gz.sha512
> dc93c6ea409a560c588babac09d0eea3008ce0c4656061c10b8a0b10ed6a832dea010a7855df8f238dfaf80fdf8b13f57966b7c169952ada8063baaa5f3779c9
> $ sha512sum apache-openmeetings-6.2.0-src.tar.gz
> 7debb392b67eec85c6444dd64d0ca3ecc3753025a2bf96cac8224085caded9cfac016c0844f420a280676bdf366daecc01d1fd4377f42d8ad8e8025b42427f83
> apache-openmeetings-6.2.0-src.tar.gz
> $ gpg --verify apache-openmeetings-6.2.0-src.tar.gz.asc
> apache-openmeetings-6.2.0-src.tar.gz
> gpg: Signature made Thu 21 Oct 2021 10:20:04 AM CEST
> gpg: using RSA key BF13CF11F9C90CBE441309AB005516BF93A30395
> gpg: BAD signature from "Sebastian Wagner <sebawag...@apache.org>" [unknown]
> ##ZIP SOURCE
> $ sha512sum -c apache-openmeetings-6.2.0-src.zip.sha512
> sha512sum: apache-openmeetings-6.2.0-src.zip.sha512: no properly formatted
> SHA512 checksum lines found
> $ cat apache-openmeetings-6.2.0-src.zip.sha512
> 86f1ee26f0edd3ee3c4de078380951e634e2c207b1e3653ea6f3b0c4569320effc8d195e7afb8353401a6e8cba6be3d6dcda58c4bfcffef41de7889d778098d5
> $ gpg --verify apache-openmeetings-6.2.0-src.zip.asc
> apache-openmeetings-6.2.0-src.zip
> gpg: Signature made Thu 21 Oct 2021 10:20:04 AM CEST
> gpg: using RSA key BF13CF11F9C90CBE441309AB005516BF93A30395
> gpg: BAD signature from "Sebastian Wagner <sebawag...@apache.org>" [unknown]
> {code}
> I acquired the files and the public keys using the links on this page:
> [https://openmeetings.apache.org/downloads.html]
> Given that it shows the same behavior on all files I assume the issue is not
> on my end.
> Is this project still maintained?
> If so, it would be fantastic if the signatures and checksums could be
> repaired.
> If not, I suggest placing a notice on the download page.
> Thanks for your great work with this software!
> Best,
> Georg
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
