Thanks, Rick Moen (in the other short reply, where he suggested pasting somewhere, what? the trace?, probably not... But the hashes *are* there in my previous mail, and thanks to PGP they are verifiably exactly what I sent...)... But I'll see to the missing information. I'm now starting more serious work on this.
On 170423-17:24+0200, Miroslav Rovis wrote:
> I already sent this message, but it's 110k altogether, and it's awaiting:
> ...
> Because I'm removing the network trace, which is 83k, and makes the
> mail 110k (because of base64). The rest is the same as in previous email
> which is awaiting moderation.
> ...
> ( $ wget \
> https://files.devuan.org/devuan_jessie_rc/installer-iso/devuan_jessie_1.0.0-RC_amd64_DVD.iso
> )

Pls. see about these below in my previous email:

> But let's get the possibility that the hash and sig files that I also
> downloaded
> from:
> https://files.devuan.org/devuan_jessie_rc/installer-iso/
>
> are to blame.

In the mail the moderators let through there is (I'll post that email at:
https://www.croatiafidelis.hr/foss/cap/cap-170423-devuan-iso-sig/
### --> non-existent at the time of writing this <-- ####
along with other stuff, more below on my plans)

> The shortest is the network trace upon getting the BAD signature upon
> verification, attached (minimal anonymization of just the MACs with done
> on it as per my script dump_perl_repl.sh available at
> https://github.com/miroR/uncenz ):
>
> dump_170423_1642_g0n.pcap

And I'll post that now hours old trace above too (reading the network is such slow work...).

> which is all in cleartext (no SSL), because I redownloaded
>
> wget http://devuan.c3l.lu/devuan_jessie_rc/installer-iso/SHA256SUMS.asc
> and
> wget http://devuan.c3l.lu/devuan_jessie_rc/installer-iso/SHA256SUMS
> et cetera...

What I reported is still the case (well it was half an hour or one hour ago when I started writing this very email that you're reading)...

This is actual paste from terminal (I removed just what is before $):

$ wget https://files.devuan.org/devuan_jessie_rc/installer-iso/SHA256SUMS.asc
--2017-04-23 21:02:35-- https://files.devuan.org/devuan_jessie_rc/installer-iso/SHA256SUMS.asc
Resolving files.devuan.org... 104.236.249.173
Connecting to files.devuan.org|104.236.249.173|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1513 (1.5K) [application/octet-stream]
Saving to: ‘SHA256SUMS.asc’

SHA256SUMS.asc 100%[========================================>] 1.48K --.-KB/s in 0s

2017-04-23 21:02:35 (36.1 MB/s) - ‘SHA256SUMS.asc’ saved [1513/1513]

$ wget https://files.devuan.org/devuan_jessie_rc/installer-iso/SHA256SUMS
--2017-04-23 21:02:37-- https://files.devuan.org/devuan_jessie_rc/installer-iso/SHA256SUMS
Resolving files.devuan.org... 104.236.249.173
Connecting to files.devuan.org|104.236.249.173|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 621 [application/octet-stream]
Saving to: ‘SHA256SUMS’

SHA256SUMS 100%[========================================>] 621 --.-KB/s in 0s

2017-04-23 21:02:38 (9.67 MB/s) - ‘SHA256SUMS’ saved [621/621]

$ gpg --verify SHA256SUMS.asc SHA256SUMS
gpg: Signature made Sat 22 Apr 2017 09:44:23 CEST
gpg: using RSA key 73B35DA54ACB7D10
gpg: BAD signature from "Denis Roio (Jaromil) <[email protected]>" [unknown]
$ gpg --recv-key 73B35DA54ACB7D10
gpg: key 73B35DA54ACB7D10: "Denis Roio (Jaromil) <[email protected]>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
$ grep devuan_jessie_1.0.0-RC_amd64_DVD.iso SHA256SUMS
f4b0fc1fd3c7769055f4b611d8173a6a3be38eced0bcc72c65cc2fefa0914837  devuan_jessie_1.0.0-RC_amd64_DVD.iso
$ grep devuan_jessie_1.0.0-RC_amd64_DVD.iso SHA256SUMS > SHA256SUMS_CHECK
$ cat SHA256SUMS_CHECK
f4b0fc1fd3c7769055f4b611d8173a6a3be38eced0bcc72c65cc2fefa0914837  devuan_jessie_1.0.0-RC_amd64_DVD.iso
$ sha256sum -c SHA256SUMS_CHECK
devuan_jessie_1.0.0-RC_amd64_DVD.iso: OK
$

I've got this trace:

a82af49c5c65aeb83e5cc4b136c38041d44121d029b3b662f7315008d87f30ac  dump_170423_2102_g0n.pcap
f29ee5925bd400168b48cdcfef192be5d5d6ed9c90a80cde6c1a8591371be16d  dump_170423_2102_g0n_SSLKEYLOGFILE.txt

for the above event.

I'll be working on this, whatever be the reason for the BAD sig on that hash, that it be trivial forgetfulness or that it be MiTM deployed, because it is exactly for reasons like this that I put together my:
https://github.com/miroR/uncenz

If I don't break, it should be on:
https://www.croatiafidelis.hr/foss/cap/cap-170423-devuan-iso-sig/
(non-existent directory at the time of writing of this email, and it will be not just a little bit of work...)

What are the reasons that I put together my uncenz? (Which, BTW it would be great if a real programmer made it something more generally useable, because my skills are too insufficient...)

E.g. if anybody used my uncenz to record those events that are now undocumented, and I say they are undocumented because this:

Why I don't want to have Pöttersoft on my system
https://lists.dyne.org/lurker/message/20170417.151111.69a2f3e0.en.html

is just a say-so, even though by respectable author, that's not a verifiably reported event... But if somebody alerted me to record it with my uncenz, it would have been documented for posterity... (Granted also that I would have been available in time, which, sadly is just not always the case, I work terribly slow...)

And if this PGP-signature failing is an attack or if it is a blunder, I really don't know. But I also don't want anybody to think that my claims are just mistakes of a user who is that badly incapable, I don't want that either...

---

Pls., so I can try and start installing Devuan for real, can any of you developers in charge PGP-sign an answer to this question of mine with your PGP-key, so I can believe that I got genuine Devuan media?

Pls. sign your answer to the following question:

Is this media:
devuan_jessie_1.0.0-RC_amd64_DVD.iso
from:
https://files.devuan.org/devuan_jessie_rc/
correct if its hash is:
f4b0fc1fd3c7769055f4b611d8173a6a3be38eced0bcc72c65cc2fefa0914837  devuan_jessie_1.0.0-RC_amd64_DVD.iso
?

Thank you!

---

I'm also attaching the
SHA256SUMS.asc
SHA256SUMS
from the new event further above (and they are the same ones as in my previous email!, just this time gotten anew; however, they will be extractable from the trace once I post it at the already mentioned, at the time of writing inexistent url on CroatiaFidelis.hr), reported by the paste from my terminal, and also which network trace, and the ephemeral SSL-keys hash like below:

a82af49c5c65aeb83e5cc4b136c38041d44121d029b3b662f7315008d87f30ac  dump_170423_2102_g0n.pcap
f29ee5925bd400168b48cdcfef192be5d5d6ed9c90a80cde6c1a8591371be16d  dump_170423_2102_g0n_SSLKEYLOGFILE.txt

( but of course, I'm not attaching those, they will be on:
https://www.croatiafidelis.hr/foss/cap/cap-170423-devuan-iso-sig/
--at the time of writing inexistent-- if I don't break in the meantime, ermh... from mental stress ;-( )

Thanks again if any of you devs in charge confirm that the SHA256 sum that I downloaded is correct!

And thanks for everybody's patience (of which more will likely be needed)...

-- 
Miroslav Rovis
Zagreb, Croatia
https://www.CroatiaFidelis.hr

39ac1f1cdd007e998a99b6ba083ee230df1178c2675dff06356afd8724829e8c  devuan_jessie_1.0.0-RC_amd64_CD.iso
f4b0fc1fd3c7769055f4b611d8173a6a3be38eced0bcc72c65cc2fefa0914837  devuan_jessie_1.0.0-RC_amd64_DVD.iso
d418998acbae2a7c6a60430c6192e13da7c8ad14da4a63fafe3b08a79621914d  devuan_jessie_1.0.0-RC_amd64_NETINST.iso
0e7b035065f8edb2382c33be399084db75310e24c8202f7eda0f6446d4cee243  devuan_jessie_1.0.0-RC_i386_CD.iso
c8503f5196a2fc5663d277f2e4741fed17028011bbb4cd1fcb1dfc0751036eb1  devuan_jessie_1.0.0-RC_i386_DVD.iso
ac8314c6289542f6dd988290a58f491c267aa7dfd0db98be4d974b70cef5dd4d  devuan_jessie_1.0.0-RC_i386_NETINST.iso

SHA256SUMS.asc
Description: application/pgp-encrypted
signature.asc
Description: Digital signature
_______________________________________________ Dng mailing list [email protected] https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
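
Added example, not part of the original message or of any Devuan tooling: a shell sketch that gates the `sha256sum -c` step on the outcome of the signature check, using the machine-readable status lines gpg emits with `--status-fd`. The function names and the status-file argument are assumptions of this example, and the expected signing-key fingerprint is supplied by the caller from a channel other than the download.

```shell
#!/bin/sh
# Added example: a checksum list is only as trustworthy as its signature, so
# the hash comparison runs only after the signature verdict is "good".

# sig_verdict STATUS_FILE EXPECTED_FPR
# STATUS_FILE holds the output of:
#   gpg --status-fd 1 --verify SHA256SUMS.asc SHA256SUMS 2>/dev/null
# EXPECTED_FPR is the full fingerprint of the signing key (caller-supplied).
# Prints one of: good | bad | wrong-key | unverified
sig_verdict() {
    status_file=$1
    expected_fpr=$2
    # Any BADSIG line means the signed data or the signature was altered.
    if grep -q '^\[GNUPG:\] BADSIG ' "$status_file"; then
        echo bad
        return 0
    fi
    # VALIDSIG carries the full fingerprint of the key that made the signature.
    fpr=$(awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; exit }' "$status_file")
    if [ -z "$fpr" ]; then
        echo unverified        # no usable signature result at all
    elif [ "$fpr" = "$expected_fpr" ]; then
        echo good
    else
        echo wrong-key         # valid signature, but not from the pinned key
    fi
}

# check_image STATUS_FILE EXPECTED_FPR SUMS_FILE IMAGE
# Returns 0 if the signature is good and the image hash matches,
# 1 on hash mismatch, 2 if the checksum list must not be trusted,
# 3 if the list has no entry for the image.
check_image() {
    verdict=$(sig_verdict "$1" "$2")
    if [ "$verdict" != good ]; then
        echo "not using $3: signature verdict is '$verdict'" >&2
        return 2
    fi
    name=$(basename "$4")
    # Select only the entry for this image (text or binary-mode marker).
    line=$(awk -v f="$name" '$2 == f || $2 == ("*" f)' "$3")
    [ -n "$line" ] || { echo "no entry for $name in $3" >&2; return 3; }
    (cd "$(dirname "$4")" && printf '%s\n' "$line" | sha256sum -c - >/dev/null)
}
```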
