[ 
https://issues.apache.org/jira/browse/OPENMEETINGS-2720?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17488591#comment-17488591
 ] 

Sebastian Wagner commented on OPENMEETINGS-2720:
------------------------------------------------

We fixed this. It has to do with the formatting of the file. There is some 
whitespace missing.

Please look at the output of making the checksum and the file content. The 
checksums are not literally made for the md5sum tool. There isn't really an 
agreed format for the md5 checksum file. 

But previous and later releases are fixing the checksum so that the md5sum 
tool will also accept those files.

> Bad signatures and checksums
> ----------------------------
>
>                 Key: OPENMEETINGS-2720
>                 URL: https://issues.apache.org/jira/browse/OPENMEETINGS-2720
>             Project: Openmeetings
>          Issue Type: Bug
>          Components: Release
>    Affects Versions: 6.2.0
>            Reporter: Georg Pfuetzenreuter
>            Assignee: Maxim Solodovnik
>            Priority: Major
>              Labels: newbie, security
>
> Hi,
> Hoping this has not already been discussed in a ticket my search query did 
> not cover.
> I noticed all the SHA512 sums do not match the archive files, and the 
> signatures all verify as BAD - besides the SHA512 files not being formatted 
> properly:
>  
> {code:java}
> ## TAR binary
> $ sha512sum -c apache-openmeetings-6.2.0.tar.gz               
> sha512sum: apache-openmeetings-6.2.0.tar.gz: no properly formatted SHA512 
> checksum lines found
> $ cat apache-openmeetings-6.2.0.tar.gz.sha512               
> 37a42ce7b4ee954013c09820e6501f8996d357327cebeff1e8b125ba3dc74f86f961d2175c81ec7951ce30b255ec833f3118465b838aa543dac3b7a9f85452ca
>                                                                               
>       
> $ sha512sum apache-openmeetings-6.2.0.tar.gz
> 69373cf1bb1c2a7344a0e8554bccdb999dd360dda0c6fe653c0936a38c3e4a7c62c95a0a33734d0a88e01bf53930fd5d38efaadce42f88ce57dbb88572f82dda
>   apache-openmeetings-6.2.0.tar.gz
> $ gpg --verify apache-openmeetings-6.2.0.tar.gz.asc 
> apache-openmeetings-6.2.0.tar.gz               
> gpg: Signature made Thu 21 Oct 2021 10:20:02 AM CEST
> gpg:                using RSA key BF13CF11F9C90CBE441309AB005516BF93A30395
> gpg: BAD signature from "Sebastian Wagner <sebawag...@apache.org>" [unknown]
> ## ZIP binary
> $ sha512sum -c apache-openmeetings-6.2.0.zip.sha512               
> sha512sum: apache-openmeetings-6.2.0.zip.sha512: no properly formatted SHA512 
> checksum lines found
> $ cat apache-openmeetings-6.2.0.zip.sha512               
> 95271a35856ea2f80795f30a032f4677f2e5232dcf329ad727897ff48144a31fccfd320b250c4f9ce147c5b7c31f8d437fe487e29df9eb4e3181c36a3546d585
>                                                                               
>       
> $ sha512sum apache-openmeetings-6.2.0.zip
> 7270b3c006d2a1000caa1c1e4f1cc850c74631a821343b8433d81605d048907742b5ced76db02154cad0a215726335ebbb1fc55e741b9474c6d4a09eb51bf645
>   apache-openmeetings-6.2.0.zip
> $ gpg --verify apache-openmeetings-6.2.0.zip.asc 
> apache-openmeetings-6.2.0.zip               
> gpg: Signature made Thu 21 Oct 2021 10:20:04 AM CEST
> gpg:                using RSA key BF13CF11F9C90CBE441309AB005516BF93A30395
> gpg: BAD signature from "Sebastian Wagner <sebawag...@apache.org>" [unknown]
> ## TAR SOURCE
> $ sha512sum -c apache-openmeetings-6.2.0-src.tar.gz.sha512               
> sha512sum: apache-openmeetings-6.2.0-src.tar.gz.sha512: no properly formatted 
> SHA512 checksum lines found
> $ cat apache-openmeetings-6.2.0-src.tar.gz.sha512               
> dc93c6ea409a560c588babac09d0eea3008ce0c4656061c10b8a0b10ed6a832dea010a7855df8f238dfaf80fdf8b13f57966b7c169952ada8063baaa5f3779c9
> $ sha512sum apache-openmeetings-6.2.0-src.tar.gz               
> 7debb392b67eec85c6444dd64d0ca3ecc3753025a2bf96cac8224085caded9cfac016c0844f420a280676bdf366daecc01d1fd4377f42d8ad8e8025b42427f83
>   apache-openmeetings-6.2.0-src.tar.gz
> $ gpg --verify apache-openmeetings-6.2.0-src.tar.gz.asc 
> apache-openmeetings-6.2.0-src.tar.gz               
> gpg: Signature made Thu 21 Oct 2021 10:20:04 AM CEST
> gpg:                using RSA key BF13CF11F9C90CBE441309AB005516BF93A30395
> gpg: BAD signature from "Sebastian Wagner <sebawag...@apache.org>" [unknown]
> ##ZIP SOURCE
> $ sha512sum -c apache-openmeetings-6.2.0-src.zip.sha512               
> sha512sum: apache-openmeetings-6.2.0-src.zip.sha512: no properly formatted 
> SHA512 checksum lines found
> $ cat apache-openmeetings-6.2.0-src.zip.sha512               
> 86f1ee26f0edd3ee3c4de078380951e634e2c207b1e3653ea6f3b0c4569320effc8d195e7afb8353401a6e8cba6be3d6dcda58c4bfcffef41de7889d778098d5
> $ gpg --verify apache-openmeetings-6.2.0-src.zip.asc 
> apache-openmeetings-6.2.0-src.zip               
> gpg: Signature made Thu 21 Oct 2021 10:20:04 AM CEST
> gpg:                using RSA key BF13CF11F9C90CBE441309AB005516BF93A30395
> gpg: BAD signature from "Sebastian Wagner <sebawag...@apache.org>" [unknown]
> {code}
> I acquired the files and the public keys using the links on this page:
> [https://openmeetings.apache.org/downloads.html]
> Given that it shows the same behavior on all files I assume the issue is not 
> on my end.
> Is this project still maintained?
> If so, it would be fantastic if the signatures and checksums could be 
> repaired.
> If not, I suggest placing a notice on the download page.
> Thanks for your great work with this software!
> Best,
> Georg



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
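
The comment above attributes the `sha512sum -c` failure to the layout of the `.sha512` files, while the report also shows computed digests that differ from the published ones. The following added example (not part of the original message or of the OpenMeetings release tooling) separates those two outcomes; the function names `extract_sha512` and `verify_sha512` and all sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: check an artifact against a .sha512 file that holds either
# a bare digest with stray whitespace or a "DIGEST  FILENAME" line.

# Print the first 128-hex-digit field of FILE in lowercase; status 1 if none.
extract_sha512() {
    awk '{
        sub(/\r$/, "")                      # tolerate CRLF line endings
        for (i = 1; i <= NF; i++)
            if (length($i) == 128 && $i !~ /[^0-9a-fA-F]/) {
                print tolower($i); found = 1; exit
            }
    }
    END { exit found ? 0 : 1 }' "$1"
}

# Status: 0 = digest matches, 1 = digest differs, 2 = unreadable or no digest.
verify_sha512() {
    [ -r "$1" ] && [ -r "$2" ] || return 2
    expected=$(extract_sha512 "$2") || return 2
    actual=$(sha512sum "$1" | awk '{ print $1 }')
    [ "$expected" = "$actual" ]
}

# Constructed demo: one artifact, three checksum files (none from the release).
demo() {
    d=$(mktemp -d) || return 2
    printf 'constructed artifact\n' > "$d/a.bin"
    sum=$(sha512sum "$d/a.bin" | awk '{ print $1 }')
    printf '%s\n      \n' "$sum" > "$d/bare.sha512"   # bare digest + blank line
    printf '%s  a.bin\n' "$sum" > "$d/gnu.sha512"     # layout sha512sum -c parses
    printf '%0128d\n' 0 > "$d/wrong.sha512"           # well-formed, wrong digest
    for f in bare gnu wrong; do
        verify_sha512 "$d/a.bin" "$d/$f.sha512" && rc=0 || rc=$?
        echo "$f.sha512 -> status $rc"
    done
    rm -rf "$d"
}

# With two arguments verify ARTIFACT against SUMFILE, otherwise run the demo.
if [ "$#" -eq 2 ]; then verify_sha512 "$1" "$2"; else demo; fi
```

Status 2 corresponds to a file no digest can be read from, status 1 to a readable digest that does not match the artifact; only the first is a formatting problem.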
