Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-22 Thread Matthias Andree
On 21.06.2017 at 18:53, Илья Шипицин wrote:
>
> 2017-06-21 21:48 GMT+05:00 Matthias Andree:
>
> On 21.06.2017 at 16:33, Samuli Seppänen wrote:
> > On 21/06/2017 17:06, Simon Matter wrote:
> >>> On Wed, Jun 21, 2017 at 6:47 AM, Samuli Seppänen wrote:
> >>>> The OpenVPN community project team is proud to release OpenVPN 2.4.3. It
> >>>> can be downloaded from here:
> >>>>
> >>> Hi. Thanks for this release.
> >>>
> >>> Verifying the PGP signature on 2.3.17.tar.gz works fine (so did 2.4.2
> >>> a few weeks ago), but trying to verify the signature on 2.4.3.tar.gz
> >>> fails with:
> >> I wanted to ask this during the 2.4.2 hiccup but now I really ask because
> >> there is confusion again with 2.4.3:
> >>
> >> Could you please add check sums of all release files so that one can
> >> easily check to have the correct download. Even MD5 works better than no
> >> check sum :-)
> >>
> >> Regards,
> >> Simon
> >>
> > Makes sense. I'll see if I could tackle that tomorrow.
> >
> > Meanwhile I added a test script which downloads every release file and
> > verifies their signatures. I will run this script as part of the release
> > process.
>
> It makes no sense at all. Don't start that!
>
>
> can we just calm down a bit ?
> what makes sense is to test a "release process" sometime between
> actual releases. make some fake release maybe ?

Uh, I just figured with hindsight that I was responding to and quoting
the wrong message.

What I meant is that it's useless to add MD5 or other checksums (from
broken hashes, to add insult to injury),
not avoiding a script that verifies the release files signatures (GnuPG
I presume).
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-22 Thread Samuli Seppänen
Hi,

> So just trying to hijack this discussion which is to be found a few more
> places elsewhere in this mail thread.  No need to let this discussion
> run longer.
> 
> There are several areas where we definitely can improve the release
> process.  Last round where we managed to mess up the 2.3.15 release, so
> I wrote a brand new "prepare release tarballs" script, which also
> handles the signing.  This script _was_ used to produce the files to be
> pushed out for the 2.4.3/2.3.17 releases.
> 
> But for reasons unknown to me, those tarballs got re-created somewhere
> later in the release chain.  The contents of all tarballs are

The tarballs were created by my release script which is available on our
internal Bitbucket. I always try to be very careful in what I upload,
but some mistakes seem unavoidable due to the really complex nature of
the release process.

My release script predates the script you wrote for OpenVPN 2.4.2
release. My script operates on the assumption that a fully up-to-date
Git repository with release tags and everything is available. This has
generally been the case, as we've usually updated Git first and _then_
started the release machinery.

For me it would be easiest if I could handle the entire release process
starting from a fully up-to-date Git repository. That would allow my
script(s) to automatically handle most technical parts of the release:

- Produce the tarballs
- Sign them with the secur...@openvpn.net key
- Verify the signatures
- Generate changelogs for Trac and Debian packages
- Generate a man-page suitable for copy-and-pasting in Trac
- Generate a CloudFlare flush file
  - Copy-and-paste to CloudFlare to flush caches for all the files;
    this is a routine release procedure nowadays
- Push everything to the download servers
- Download everything from the download servers _and_ verify the signatures

All of this is already handled and works well enough. I _can_ use
tarballs as the source, but I also need a Git repo to get Git logs, so
the tarballs are a bit redundant.

> essentially the same, but due to the "nice" artefact that the tar format
> is non-deterministic on the output, even though the input is the same,
> that begins to prepare the stage for this chaos.  Especially when what
> is being uploaded is partly from the initial run and then some files
> from a different run.
> 
> All that is history now.  Now we need to look forward.  Many good points
> have been raised.
> 
> - Do we need .tar.gz and .zip files?  Where and why?
>   The fewer source tarballs we need to handle, the less chance for
>   errors

I would love if we could drop everything except tar.xz. This way the
amount of files and signatures on the download page would drop
significantly. I think it would be reasonable to expect that people who
need OpenVPN _sources_ on Windows are able to extract tar.xz, especially
if we document how it can be done.

> 
> - Improve Makefile.am to not generate dist-gz files when running
>   distcheck.  The distcheck run often provides very good indicator if we
>   have packaged all the needed files in the source tarball.  If this
>   doesn't pass, something is really wrong.
> 
> - Do we really need to re-create the source tarballs which the new
>   ./dev-tools/gen-release-tarballs.sh?  Why?

No. But another question is whether we need gen-release-tarballs.sh
which implements a limited subset of the release script I had written
earlier? The gen-release-tarballs.sh came as a surprise to me -
otherwise I would have told you that what it does is already covered.

Before answering the question, though, we should figure out our overall
release strategy.

> 
> - What can be done with Cloudflare to fully ensure their caches are
>   truly purged when we ask for it?  As Jonathan noticed, their caches
>   are tightly connected to the web browser and have a non-deterministic
>   behaviour across browsers, even on the same computer.
> 

As mentioned above, I've routinely purged CloudFlare caches for all
release files on every release for a long time. Initially this was
because CloudFlare cached 404's for some people. Occasionally issues
arose when a wrong version of a file ended up on the download server.

Regardless of all these precautions we still get some CloudFlare-related
complaints on every release.

> - What else in the release process can be automated and put into a
>   script?  This to ensure consistency between all releases we do.

The following things rob a surprising amount of time from me during a
release:

1. Producing release announcement in three different formats:
   - Download page
   - Forums
   - Mailing list
2. Playing with various Git repos
   - easy-rsa-old, openvpn-build, openvpn-gui, openvpnserv2
   - For each of them in one or more branches
     - Pushing to my fork
     - Pushing version changes and tags to upstream repo
       - Must ensure that what is pushed is the bare minimum
3. Building and testing Debian packages
4) Building and testing Windows 

Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread Jeremie Courreges-Anglas

Hi,

Emmanuel Deloget  writes:

> Hi David,
>
> On Wed, Jun 21, 2017 at 11:06 PM, David Sommerseth <
> open...@sf.lists.topphemmelig.net> wrote:
>
>> But for reasons unknown to me, those tarballs got re-created somewhere
>> later in the release chain.  The contents of all tarballs are
>> essentially the same, but due to the "nice" artefact that the tar format
>> is non-deterministic on the output, even though the input is the same,
>> that begins to prepare the stage for this chaos.  Especially when what
>> is being uploaded is partly from the initial run and then some files
>> from a different run.
>>
>
> It might be possible to play with several tar options, including:
>
> --sort=name : sort added files by name, and not by the order specified by
> the OS
> --mtime=DATE-OR-FILE : set mtime of added file to a known value (either the
> mtime of a file or an arbitrary date/time string).
>
> These two options should help

--sort and --mtime seem like GNU tar options.

It would be cool if whatever is used to produce the tarballs was
portable to systems where the default tar program is not GNU tar.
If those tar options end up being used, then it would make sense to add
a knob to specify the GNU tar program used to build the tarballs.

> Both options are being used by the LEDE project which claim support of
> reproducible builds for a limited list of targets (tar is used when
> building packages [1]).
>
> [1]
> https://git.lede-project.org/?p=source.git;a=blob;f=scripts/ipkg-build#l142

Since OpenVPN uses automake, I'll just mention that the automake folks
also discussed reproducible tarballs:

  https://lists.gnu.org/archive/html/automake/2015-12/msg00012.html

-- 
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE



Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread James Bekkema
> On 22 Jun 2017, at 7:06 am, David Sommerseth wrote:
> 
> - What can be done with Cloudflare to fully ensure their caches are
>  truly purged when we ask for it?  As Jonathan noticed, their caches
>  are tightly connected to the web browser and have a non-deterministic
>  behaviour across browsers, even on the same computer.

Cloudflare’s API supports clearing the cache (as does their web control panel), 
and this can be done on a file-by-file basis. Based on our experience it only 
takes around 15-20 seconds for the cache to be cleared on all of Cloudflare's 
CDN nodes for a file and it can be easily thrown into a release script.
https://api.cloudflare.com/#zone-purge-individual-files-by-url-and-cache-tags

As for some web browsers, proxy servers, etc. in-between the user and a 
Cloudflare node, they’re respecting the HTTP cache-control headers which are 
currently set to cache for 24 hours:

curl -I https://swupdate.openvpn.org/community/releases/openvpn-2.4.3.tar.gz
Expires: Fri, 23 Jun 2017 00:14:19 GMT
Cache-Control: public, max-age=86400

Of course, many proxy servers and web browsers have different approaches to 
handling caching headers (especially for zipped files), so you will get some 
differing behaviour. The best approach is to still have an appropriate caching 
time between nodes and the web server (24 hours is fine) so they don’t need to 
re-fetch the files too often, but then have a Cloudflare Page Rule to rewrite 
these with a lower time to clients (we use 4 hours) to limit the impact in the 
(hopefully rare) event of a file update being needed.
https://support.cloudflare.com/hc/en-us/articles/200168306-Is-there-a-tutorial-for-Page-Rules-#cache

The final cause of differing behaviour is that each Cloudflare node’s caching 
time of a file starts when that individual node first gets a request for it. 
But this can easily be ignored by just using the API to clear the cache of all 
nodes when needed.

> So I suggest we take a few weeks holiday, let this sink in, and then we
> can schedule a meeting some time in August where we discuss these
> issues.


Sorry to throw more noise at the mailing list, but I figured I’d put up some 
comments as IRC meeting times don’t usually align for those of us in Australia 
:-)

Regards,
James

--
James Bekkema
SparkLabs Developer
https://www.sparklabs.com
https://twitter.com/sparklabs
supp...@sparklabs.com
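
An added example, not part of the original message or of the OpenVPN release scripts: building the per-file purge requests James describes and reading `max-age` out of `curl -I` style output such as the one he quotes. It assumes the v4 `purge_cache` endpoint with a `files` list, bearer-token authentication and a 30-URL batch size; the zone id, the token and the `.tar.xz`/`.zip` file names under the release URL are placeholders or assumptions.

```python
import json
import re
import urllib.request

# Assumption: Cloudflare v4 "purge files by URL" endpoint.
API = "https://api.cloudflare.com/client/v4/zones/{zone}/purge_cache"
BATCH = 30  # assumption: per-call URL limit, adjust to the account's plan


def release_urls(base, version, suffixes=(".tar.gz", ".tar.xz", ".zip")):
    """Every release file plus its detached signature (names are assumed)."""
    urls = []
    for suffix in suffixes:
        name = "openvpn-%s%s" % (version, suffix)
        urls += [base + name, base + name + ".asc"]
    return urls


def purge_requests(zone_id, api_token, urls, batch=BATCH):
    """Build (but do not send) one POST request per batch of URLs."""
    requests = []
    for start in range(0, len(urls), batch):
        body = json.dumps({"files": urls[start:start + batch]}).encode()
        requests.append(urllib.request.Request(
            API.format(zone=zone_id),
            data=body,
            method="POST",
            headers={
                "Authorization": "Bearer " + api_token,
                "Content-Type": "application/json",
            },
        ))
    return requests


def send(request):
    """Send one purge request; True when the API reports success."""
    with urllib.request.urlopen(request, timeout=30) as response:
        return json.load(response).get("success") is True


def max_age(header_text):
    """Return the Cache-Control max-age in seconds, or None if absent."""
    for line in header_text.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() == "cache-control":
            match = re.search(r"max-age=(\d+)", value)
            if match:
                return int(match.group(1))
    return None


def client_ttl_ok(header_text, limit_seconds=4 * 3600):
    """Check the TTL served to clients against a policy (4 hours here)."""
    age = max_age(header_text)
    return age is not None and age <= limit_seconds


if __name__ == "__main__":
    base = "https://swupdate.openvpn.org/community/releases/"
    for req in purge_requests("ZONE_ID_PLACEHOLDER", "TOKEN_PLACEHOLDER",
                              release_urls(base, "2.4.3")):
        print(req.get_method(), req.full_url, req.data.decode())
```

Running the module only prints the requests; a release script would pass each one to `send()` and then re-download and verify the files.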


Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread Emmanuel Deloget
Hi David,

On Wed, Jun 21, 2017 at 11:06 PM, David Sommerseth <
open...@sf.lists.topphemmelig.net> wrote:

> But for reasons unknown to me, those tarballs got re-created somewhere
> later in the release chain.  The contents of all tarballs are
> essentially the same, but due to the "nice" artefact that the tar format
> is non-deterministic on the output, even though the input is the same,
> that begins to prepare the stage for this chaos.  Especially when what
> is being uploaded is partly from the initial run and then some files
> from a different run.
>

It might be possible to play with several tar options, including:

--sort=name : sort added files by name, and not by the order specified by
the OS
--mtime=DATE-OR-FILE : set mtime of added file to a known value (either the
mtime of a file or an arbitrary date/time string).

These two options should help

Both options are being used by the LEDE project which claim support of
reproducible builds for a limited list of targets (tar is used when
building packages [1]).

[1]
https://git.lede-project.org/?p=source.git;a=blob;f=scripts/ipkg-build#l142



> --
> kind regards,
>
> David Sommerseth
> OpenVPN Technologies, Inc
>
>
BR,

-- Emmanuel Deloget
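
An added example, not part of the original messages or of the OpenVPN release scripts: the effect of `--sort=name` and `--mtime` reproduced with Python's `tarfile`, so it does not depend on GNU tar being the system tar (the portability point raised in the reply to this message). The tree, file contents and timestamps are constructed.

```python
import gzip
import hashlib
import io
import os
import tarfile
import tempfile

FIXED_MTIME = 1498003200  # constructed value: 2017-06-21 00:00:00 UTC


def _normalize(info):
    """Drop per-run metadata: fixed mtime (like --mtime) and fixed owner."""
    info.mtime = FIXED_MTIME
    info.uid = info.gid = 0
    info.uname = info.gname = ""
    return info


def build_tar(tree, deterministic):
    """Archive every regular file under `tree`; return the raw tar bytes."""
    paths = []
    for root, _dirs, files in os.walk(tree):
        paths.extend(os.path.join(root, name) for name in files)
    if deterministic:
        paths.sort()  # like --sort=name: do not depend on directory order
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for path in paths:
            tar.add(path, arcname=os.path.relpath(path, tree),
                    recursive=False,
                    filter=_normalize if deterministic else None)
    return buf.getvalue()


def build_tar_gz(tree):
    """Deterministic .tar.gz: mtime=0 keeps the build time out of the gzip header."""
    return gzip.compress(build_tar(tree, deterministic=True), mtime=0)


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def _touch_all(tree, timestamp):
    for root, _dirs, files in os.walk(tree):
        for name in files:
            os.utime(os.path.join(root, name), (timestamp, timestamp))


def demo():
    """Build the same content twice, as if re-created later in the release chain."""
    samples = {  # constructed sample tree
        "README": b"constructed sample\n",
        "configure.ac": b"AC_INIT([sample],[0.0])\n",
        "src/main.c": b"int main(void) { return 0; }\n",
    }
    with tempfile.TemporaryDirectory() as tree:
        os.makedirs(os.path.join(tree, "src"))
        for rel, body in samples.items():
            with open(os.path.join(tree, rel), "wb") as handle:
                handle.write(body)

        _touch_all(tree, 1498040000)          # first run
        first = (build_tar(tree, False), build_tar(tree, True),
                 build_tar_gz(tree))
        _touch_all(tree, 1498043600)          # same content, one hour later
        second = (build_tar(tree, False), build_tar(tree, True),
                  build_tar_gz(tree))

    return {
        "naive_identical": sha256(first[0]) == sha256(second[0]),
        "deterministic_identical": sha256(first[1]) == sha256(second[1]),
        "gz_identical": sha256(first[2]) == sha256(second[2]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```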


Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread David Sommerseth
On 21/06/17 12:47, Samuli Seppänen wrote:
> The OpenVPN community project team is proud to release OpenVPN 2.4.3. It
> can be downloaded from here:
> 
> 
> 
> OpenVPN v2.4.2 was analyzed closely using a fuzzer by Guido Vranken. In
> the process several vulnerabilities were found, some of which are
> remotely exploitable in certain circumstances. We recommend you to
> upgrade to OpenVPN 2.4.3 or 2.3.17 as soon as possible. More details are
> available in our official security announcement:
> 
> 
> 
> In addition a number of bugs with no security impact have been fixed.
> The one big feature in the 2.4.3 release is support for building with
> OpenSSL 1.1.
> 
> A summary of all included changes is available here:
> 
> 
So just trying to hijack this discussion which is to be found a few more
places elsewhere in this mail thread.  No need to let this discussion
run longer.

There are several areas where we definitely can improve the release
process.  Last round where we managed to mess up the 2.3.15 release, so
I wrote a brand new "prepare release tarballs" script, which also
handles the signing.  This script _was_ used to produce the files to be
pushed out for the 2.4.3/2.3.17 releases.

But for reasons unknown to me, those tarballs got re-created somewhere
later in the release chain.  The contents of all tarballs are
essentially the same, but due to the "nice" artefact that the tar format
is non-deterministic on the output, even though the input is the same,
that begins to prepare the stage for this chaos.  Especially when what
is being uploaded is partly from the initial run and then some files
from a different run.

All that is history now.  Now we need to look forward.  Many good points
have been raised.

- Do we need .tar.gz and .zip files?  Where and why?
  The fewer source tarballs we need to handle, the less chance for
  errors

- Improve Makefile.am to not generate dist-gz files when running
  distcheck.  The distcheck run often provides very good indicator if we
  have packaged all the needed files in the source tarball.  If this
  doesn't pass, something is really wrong.

- Do we really need to re-create the source tarballs which the new
  ./dev-tools/gen-release-tarballs.sh?  Why?

- What can be done with Cloudflare to fully ensure their caches are
  truly purged when we ask for it?  As Jonathan noticed, their caches
  are tightly connected to the web browser and have a non-deterministic
  behaviour across browsers, even on the same computer.

- What else in the release process can be automated and put into a
  script?  This to ensure consistency between all releases we do.

- We need to write down a proper check-list of all the steps needed
  for a release, including putting a clear responsibility for each
  release.  This list must also mention which scripts to be run.  Again,
  automation is key to reduce the risk for errors.

- Consider how many who really needs to be involved in producing a
  release.  More chefs in a kitchen can result in great food, but it can
  also end up quite messy.

- At the same time, ensure we don't end up in a "single point of
  failure".  More of us core developers need to be able to step in for
  others, and still be able to produce a release without errors.  This
  can be the end result if we have proper scripts, both for automated
  and manual tasks.


My intention with these points are primarily "food for thought".  I
don't fully believe it will be easy to have a well structured debate
about the complete release process in a mailing list thread.

So I suggest we take a few weeks holiday, let this sink in, and then we
can schedule a meeting some time in August where we discuss these
issues.  And lets hope we don't need to rush yet another release before
August :)


-- 
kind regards,

David Sommerseth
OpenVPN Technologies, Inc






Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread Jonathan K. Bullard
On Wed, Jun 21, 2017 at 12:48 PM, Matthias Andree wrote:
>
> On 21.06.2017 at 16:33, Samuli Seppänen wrote:
> > On 21/06/2017 17:06, Simon Matter wrote:
> >>> On Wed, Jun 21, 2017 at 6:47 AM, Samuli Seppänen wrote:
> >>>> The OpenVPN community project team is proud to release OpenVPN 2.4.3. It
> >>>> can be downloaded from here:
> >>>>
> >>> Hi. Thanks for this release.
> >>>
> >>> Verifying the PGP signature on 2.3.17.tar.gz works fine (so did 2.4.2
> >>> a few weeks ago), but trying to verify the signature on 2.4.3.tar.gz
> >>> fails with:
> >> I wanted to ask this during the 2.4.2 hiccup but now I really ask because
> >> there is confusion again with 2.4.3:
> >>
> >> Could you please add check sums of all release files so that one can
> >> easily check to have the correct download. Even MD5 works better than no
> >> check sum :-)
> >>
> >> Regards,
> >> Simon
> >>
> > Makes sense. I'll see if I could tackle that tomorrow.
> >
> > Meanwhile I added a test script which downloads every release file and
> > verifies their signatures. I will run this script as part of the release
> > process.
>
> It makes no sense at all. Don't start that!
>

I disagree. Having the checksums would have saved me a lot of time
today because I would have immediately known which file was corrupt --
the binary or the signature file -- without bothering the list. It
might help rule out Cloudflare as a suspected cause of the problem.


> You already provide detached GnuPG signatures, which are better suited
> for most purposes and incidentally also cover the "checksum" purpose.

Yes, "most purposes", but not "all purposes".

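
An added example, not part of the original message: the triage described above, comparing a downloaded tarball and its `.asc` against a published SHA-256 list to see which of the two differs. The parser accepts `sha256sum`-style text even when it arrives quoted and line-wrapped in a mail; file names and contents are constructed. The list only localizes a mismatch and has to come from a channel other than the download itself; authenticity still rests on the signature check.

```python
import hashlib
import os
import string
import tempfile

HEX = set(string.hexdigits)


def is_sha256(token):
    return len(token) == 64 and set(token) <= HEX


def parse_manifest(text):
    """Map file name -> digest from checksum-list text.

    Works on '<digest>  <name>' lines and on mail-wrapped text where the
    digest and the name sit on separate, possibly '>'-quoted lines.
    """
    tokens = [t for t in text.split() if t.strip(">")]  # drop quote markers
    expected = {}
    for digest, name in zip(tokens, tokens[1:]):
        if is_sha256(digest) and not is_sha256(name):
            expected[name.lstrip("*")] = digest.lower()
    return expected


def file_sha256(path, chunk=1 << 20):
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def triage(directory, expected):
    """Return {name: 'ok' | 'mismatch' | 'missing'} for each listed file."""
    status = {}
    for name, digest in expected.items():
        path = os.path.join(directory, os.path.basename(name))
        if not os.path.isfile(path):
            status[name] = "missing"
        elif file_sha256(path) == digest:
            status[name] = "ok"
        else:
            status[name] = "mismatch"
    return status


def suspect(status, tarball):
    """Which file to re-download: 'none', 'tarball', 'signature' or 'both'."""
    bad = [n for n in (tarball, tarball + ".asc") if status.get(n) != "ok"]
    if not bad:
        return "none"
    if len(bad) == 2:
        return "both"
    return "tarball" if bad[0] == tarball else "signature"


def demo():
    name = "sample-1.0.tar.gz"            # constructed file name
    good_tar = b"constructed tarball bytes"
    good_sig = b"constructed detached signature bytes"
    # Constructed manifest, quoted and wrapped the way a mail client would.
    manifest = ">> %s\n>> %s\n>> %s  %s\n" % (
        hashlib.sha256(good_tar).hexdigest(), name,
        hashlib.sha256(good_sig).hexdigest(), name + ".asc")
    expected = parse_manifest(manifest)

    with tempfile.TemporaryDirectory() as directory:
        for fname, body in ((name, good_tar), (name + ".asc", good_sig)):
            with open(os.path.join(directory, fname), "wb") as handle:
                handle.write(body)
        clean = suspect(triage(directory, expected), name)

        # Simulate a stale cached tarball served next to the current .asc.
        with open(os.path.join(directory, name), "wb") as handle:
            handle.write(b"constructed stale tarball bytes")
        stale = suspect(triage(directory, expected), name)
    return clean, stale


if __name__ == "__main__":
    print(demo())
```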


Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread Jonathan K. Bullard
On Wed, Jun 21, 2017 at 7:48 AM, Jonathan K. Bullard 
wrote:

> On Wed, Jun 21, 2017 at 6:47 AM, Samuli Seppänen 
> wrote:
> > The OpenVPN community project team is proud to release OpenVPN 2.4.3. It
> > can be downloaded from here:
> >
> > 
>
> Hi. Thanks for this release.
>
> Verifying the PGP signature on 2.3.17.tar.gz works fine (so did 2.4.2
> a few weeks ago), but trying to verify the signature on 2.4.3.tar.gz
> fails with:


I downloaded 2.4.3.tar.gz and 2.4.3.tar.gz.asc several times in the past
few hours and always got a bad copy of 2.4.3.tar.gz. Then I restarted my
computer and downloaded again: same thing. Then I downloaded with Safari
(instead of Chrome, which I had been using) -- and the downloaded
2.4.3.tar.gz was different and its signature verifies properly (the
2.4.3.tar.gz.asc was identical in all cases). So I went back to Chrome and
downloaded again -- bad copy. Firefox: good copy. Then Chrome again: good
copy.

So all seems OK now, but something is or was flakey with my computer,
Chrome, Cloudflare, my ISP… (or some combination).


Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread Matthias Andree
On 21.06.2017 at 18:02, Gert Doering wrote:
> Hi,
>
> On Wed, Jun 21, 2017 at 05:58:18PM +0200, David Sommerseth wrote:
>> Hmmm ... not a bad idea.  But do we really need tar.gz at all these
>> days?  Why not just make autotools generate tar.xz by default and be
>> done with it?
> "distcheck" tends to just do .tar.gz - can you make it still do the check,
> but produce .tar.gz?

yes, in Makefile.am:
AUTOMAKE_OPTIONS= ...(whatever)... no-dist-gzip





Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread Matthias Andree
On 21.06.2017 at 16:33, Samuli Seppänen wrote:
> On 21/06/2017 17:06, Simon Matter wrote:
>>> On Wed, Jun 21, 2017 at 6:47 AM, Samuli Seppänen wrote:
>>>> The OpenVPN community project team is proud to release OpenVPN 2.4.3. It
>>>> can be downloaded from here:
>>>>
>>> Hi. Thanks for this release.
>>>
>>> Verifying the PGP signature on 2.3.17.tar.gz works fine (so did 2.4.2
>>> a few weeks ago), but trying to verify the signature on 2.4.3.tar.gz
>>> fails with:
>> I wanted to ask this during the 2.4.2 hiccup but now I really ask because
>> there is confusion again with 2.4.3:
>>
>> Could you please add check sums of all release files so that one can
>> easily check to have the correct download. Even MD5 works better than no
>> check sum :-)
>>
>> Regards,
>> Simon
>>
> Makes sense. I'll see if I could tackle that tomorrow.
>
> Meanwhile I added a test script which downloads every release file and
> verifies their signatures. I will run this script as part of the release
> process.

It makes no sense at all. Don't start that!

You already provide detached GnuPG signatures, which are better suited
for most purposes and incidentally also cover the "checksum" purpose.




Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread Gert Doering
Hi,

On Wed, Jun 21, 2017 at 05:58:18PM +0200, David Sommerseth wrote:
> Hmmm ... not a bad idea.  But do we really need tar.gz at all these
> days?  Why not just make autotools generate tar.xz by default and be
> done with it?

"distcheck" tends to just do .tar.gz - can you make it still do the check,
but produce .tar.gz?

> Or to put it differently: Which platforms lacks lzma/xz support these days?

plus "what platform needs .zip", as in "seriously, so often that the 3
persons unpacking OpenVPN source builds on Windows will not have 7zip
installed anyway"?

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025  g...@net.informatik.tu-muenchen.de




Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread David Sommerseth
On 21/06/17 17:49, Gert Doering wrote:
> Hi,
> 
> On Wed, Jun 21, 2017 at 05:25:32PM +0200, Simon Matter wrote:
>>> .gz is built with "make distcheck", .xz right after from the same
>>> tree with "make dist-xz".
>>>
>>> What differs?
>>
>> The check sum of both extracted tarballs, not really their content.
> 
> Ah.  Yeah, that's one of the drawbacks of building two independent
> tarballs - timestamps in the tar header (IIRC), so the end result always
> differs in a few bytes.
> 
>> I suggest to create .xz from .gz instead of building another tarball. That
>> way the extracted tarballs from .gz and .xz share the same checksum ->
>> less confusion in case something goes wrong - as it did with 2.4.2 and
>> now.
> 
> David, you're listening?  Should be an easy-enough change from what 
> we have now... ("gunzip <...tar.gz | xz >...tar.xz" or however you
> do xz balls) :-)

Hmmm ... not a bad idea.  But do we really need tar.gz at all these
days?  Why not just make autotools generate tar.xz by default and be
done with it?

Or to put it differently: Which platforms lacks lzma/xz support these days?


-- 
kind regards,

David Sommerseth
OpenVPN Technologies, Inc






Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread Gert Doering
Hi,

On Wed, Jun 21, 2017 at 05:25:32PM +0200, Simon Matter wrote:
> > .gz is built with "make distcheck", .xz right after from the same
> > tree with "make dist-xz".
> >
> > What differs?
> 
> The check sum of both extracted tarballs, not really their content.

Ah.  Yeah, that's one of the drawbacks of building two independent
tarballs - timestamps in the tar header (IIRC), so the end result always
differs in a few bytes.

> I suggest to create .xz from .gz instead of building another tarball. That
> way the extracted tarballs from .gz and .xz share the same checksum ->
> less confusion in case something goes wrong - as it did with 2.4.2 and
> now.

David, you're listening?  Should be an easy-enough change from what 
we have now... ("gunzip <...tar.gz | xz >...tar.xz" or however you
do xz balls) :-)

gert

-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025  g...@net.informatik.tu-muenchen.de




Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread Simon Matter
> Hi,
>
> On Wed, Jun 21, 2017 at 04:18:41PM +0200, Simon Matter wrote:
>> An additional source of confusion seems that the tarball of the .gz and
>> .xz files don't match. Maybe this could easily be fixed in the build
>> process.
>
> .gz is built with "make distcheck", .xz right after from the same
> tree with "make dist-xz".
>
> What differs?

The check sum of both extracted tarballs, not really their content.

I suggest to create .xz from .gz instead of building another tarball. That
way the extracted tarballs from .gz and .xz share the same checksum ->
less confusion in case something goes wrong - as it did with 2.4.2 and
now.

Thanks,
Simon


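
An added example, not part of the original message or of the OpenVPN build: two independently built tarballs with identical content but different header timestamps give different checksums once decompressed, while a `.tar.xz` derived from the `.tar.gz` shares the same inner checksum. The one-file archive, its name and the timestamps are constructed.

```python
import gzip
import hashlib
import io
import lzma
import tarfile

GZIP_MAGIC = b"\x1f\x8b"
XZ_MAGIC = b"\xfd7zXZ\x00"


def inner_tar(blob):
    """Return the decompressed tar stream of a .tar.gz or .tar.xz blob."""
    if blob.startswith(GZIP_MAGIC):
        return gzip.decompress(blob)
    if blob.startswith(XZ_MAGIC):
        return lzma.decompress(blob)
    raise ValueError("neither gzip nor xz data")


def inner_sha256(blob):
    """SHA-256 of the extracted tarball, independent of the compressor."""
    return hashlib.sha256(inner_tar(blob)).hexdigest()


def xz_from_gz(gz_blob):
    """Same effect as: gunzip < x.tar.gz | xz > x.tar.xz"""
    return lzma.compress(gzip.decompress(gz_blob), format=lzma.FORMAT_XZ)


def make_tar(mtime):
    """Constructed one-file source tarball; only the header mtime varies."""
    body = b"constructed sample file\n"
    info = tarfile.TarInfo("sample-1.0/README")
    info.size, info.mtime = len(body), mtime
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


def members(blob):
    """Member names and file contents, ignoring header metadata."""
    listing = []
    with tarfile.open(fileobj=io.BytesIO(inner_tar(blob))) as tar:
        for member in tar:
            data = tar.extractfile(member).read() if member.isfile() else None
            listing.append((member.name, data))
    return listing


def demo():
    # Two separate archive runs a few seconds apart, as with building the
    # .gz first and the .xz right after from the same tree.
    gz = gzip.compress(make_tar(1498040000), mtime=0)
    xz_independent = lzma.compress(make_tar(1498040007))
    xz_derived = xz_from_gz(gz)
    return {
        "independent_checksums_match":
            inner_sha256(gz) == inner_sha256(xz_independent),
        "independent_content_matches":
            members(gz) == members(xz_independent),
        "derived_checksums_match":
            inner_sha256(gz) == inner_sha256(xz_derived),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```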


Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread Gert Doering
Hi,

On Wed, Jun 21, 2017 at 04:18:41PM +0200, Simon Matter wrote:
> An additional source of confusion seems that the tarball of the .gz and
> .xz files don't match. Maybe this could easily be fixed in the build
> process.

.gz is built with "make distcheck", .xz right after from the same
tree with "make dist-xz".

What differs?

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025  g...@net.informatik.tu-muenchen.de




Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread Simon Matter
>>> I believe it is Cloudflare playing tricks on us again.
>>>
>>> Attached are the proper signature files and below a list of the SHA256
>>> checksums:
>>>
>>> 7aa86167a5b8923e54e8795b814ed77288c793671f59fd830d9ab76d4b480571
>>> openvpn-2.4.3.tar.xz
>>>
>>> This is based on the files I've already pushed to the Fedora builder
>>> (koji), which
>>
>> I have the following sums:
>>
>> 15e15fc97f189b52aee7c90ec8355aa77469c773125110b4c2f089abecde36fb
>> openvpn-2.4.3.tar.xz
>>
>
> Those sha256sums are the correct ones.

That's the problem, which one is the correct one for openvpn-2.4.3.tar.xz?

7aa86167a5b8923e54e8795b814ed77288c793671f59fd830d9ab76d4b480571

or

15e15fc97f189b52aee7c90ec8355aa77469c773125110b4c2f089abecde36fb

Thanks,
Simon




Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread Samuli Seppänen
On 21/06/2017 17:42, Simon Matter wrote:
>> On 21/06/17 13:48, Jonathan K. Bullard wrote:
>>> On Wed, Jun 21, 2017 at 6:47 AM, Samuli Seppänen wrote:
>>>> The OpenVPN community project team is proud to release OpenVPN 2.4.3. It
>>>> can be downloaded from here:
>>>>
>>>
>>> Hi. Thanks for this release.
>>>
>>> Verifying the PGP signature on 2.3.17.tar.gz works fine (so did 2.4.2
>>> a few weeks ago), but trying to verify the signature on 2.4.3.tar.gz
>>> fails with:
>>>
>>> $ gpg2 -v --verify /XXX/openvpn-2.4.3.tar.gz.asc
>>>
>>> gpg: armor header: Version: GnuPG v1
>>> gpg: assuming signed data in '/XXX/openvpn-2.4.3.tar.gz'
>>> gpg: Signature made Wed Jun 21 06:19:19 2017 EDT
>>> gpg:using RSA key D72AF3448CC2B034
>>> gpg: using subkey D72AF3448CC2B034 instead of primary key
>>> 12F5F7B42F2B01E7
>>> gpg: using pgp trust model
>>> gpg: BAD signature from "OpenVPN - Security Mailing List
>>> " [unknown]
>>> gpg: binary signature, digest algorithm SHA1, key algorithm rsa4096
>>>
>>> The SHA256 of openvpn-2.4.3.tar.gz is
>>>  84a01aa3df0c12a3552ca3baaa39d700137b5bce4b6de683fe87fb79bfa5df0b
>>>
>>> The SHA256 of openvpn-2.4.3.tar.gz.asc is
>>>  695afa06fcf94f9e8bd2ee63267332d14e52fe24dd58c470e42dafbea371e437
>>>
>>> The files were downloaded from
>>> https://openvpn.net/index.php/open-source/downloads.html at about
>>> 10:24 UCT today from the New York City area.
>>>
>>> For reference, here is the output from verifying 2.3.17:
>>>
>>> $ gpg2 -v --verify
>>> /Users/jonathanbullard/Desktop/openvpn-2.3.17.tar.gz.asc
>>>
>>> gpg: armor header: Version: GnuPG v1
>>> gpg: assuming signed data in
>>> '/Users/jonathanbullard/Desktop/openvpn-2.3.17.tar.gz'
>>> gpg: Signature made Wed Jun 21 06:18:55 2017 EDT
>>> gpg:using RSA key D72AF3448CC2B034
>>> gpg: using subkey D72AF3448CC2B034 instead of primary key
>>> 12F5F7B42F2B01E7
>>> gpg: using pgp trust model
>>> gpg: Good signature from "OpenVPN - Security Mailing List
>>> " [unknown]
>>> gpg: WARNING: This key is not certified with a trusted signature!
>>> gpg:  There is no indication that the signature belongs to the
>>> owner.
>>> Primary key fingerprint: F554 A368 7412 CFFE BDEF  E0A3 12F5 F7B4 2F2B
>>> 01E7
>>>  Subkey fingerprint: B596 06E2 D8C6 E10B 80BE  2B31 D72A F344 8CC2
>>> B034
>>> gpg: binary signature, digest algorithm SHA1, key algorithm rsa4096
>>>
>>> Any ideas or suggestions?
>>
>> I believe it is Cloudflare playing tricks on us again.
>>
>> Attached are the proper signature files and below a list of the SHA256
>> checksums:
>>
>> d300029416b045666f2dc957bdde407ba97894428b5ad8433df789e793ccc1d3  openvpn-2.3.17.tar.xz
>> b206065f4a1720c022fde710c0449b5b25e9dda8ca2911a82bacf21b9fcb4e29  openvpn-2.3.17.tar.xz.asc
>> 7aa86167a5b8923e54e8795b814ed77288c793671f59fd830d9ab76d4b480571  openvpn-2.4.3.tar.xz
>> 9f5f089f4a4b3e270ddb53cb0b689f4c0bad89d7e2ee08a1d4666e7ab869f210  openvpn-2.4.3.tar.xz.asc
>>
>> This is based on the files I've already pushed to the Fedora builder
>> (koji), which
> 
> I have the following sums:
> 
> af806c47623aa1d8246cf0790984766f61c8d0a63ea0b04127ff5c6c65e46088  openvpn-2.3.17.tar.gz
> d300029416b045666f2dc957bdde407ba97894428b5ad8433df789e793ccc1d3  openvpn-2.3.17.tar.xz
> cee3d3ca462960a50a67c0ebd186e01b6d13db70275205663695152c9aca8579  openvpn-2.4.3.tar.gz
> 15e15fc97f189b52aee7c90ec8355aa77469c773125110b4c2f089abecde36fb  openvpn-2.4.3.tar.xz
> 
> So 2.3.17 seems fine but what about 2.4.3? What is the real final check
> sum for openvpn-2.4.3.tar.gz and openvpn-2.4.3.tar.xz?
> 
> Thanks,
> Simon
> 

Those sha256sums are the correct ones.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock




Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread Simon Matter
> On 21/06/17 13:48, Jonathan K. Bullard wrote:
>> On Wed, Jun 21, 2017 at 6:47 AM, Samuli Seppänen 
>> wrote:
>>> The OpenVPN community project team is proud to release OpenVPN 2.4.3.
>>> It
>>> can be downloaded from here:
>>>
>>> 
>>
>> Hi. Thanks for this release.
>>
>> Verifying the PGP signature on 2.3.17.tar.gz works fine (so did 2.4.2
>> a few weeks ago), but trying to verify the signature on 2.4.3.tar.gz
>> fails with:
>>
>> $ gpg2 -v --verify /XXX/openvpn-2.4.3.tar.gz.asc
>>
>> gpg: armor header: Version: GnuPG v1
>> gpg: assuming signed data in '/XXX/openvpn-2.4.3.tar.gz'
>> gpg: Signature made Wed Jun 21 06:19:19 2017 EDT
>> gpg:using RSA key D72AF3448CC2B034
>> gpg: using subkey D72AF3448CC2B034 instead of primary key
>> 12F5F7B42F2B01E7
>> gpg: using pgp trust model
>> gpg: BAD signature from "OpenVPN - Security Mailing List
>> " [unknown]
>> gpg: binary signature, digest algorithm SHA1, key algorithm rsa4096
>>
>> The SHA256 of openvpn-2.4.3.tar.gz is
>>  84a01aa3df0c12a3552ca3baaa39d700137b5bce4b6de683fe87fb79bfa5df0b
>>
>> The SHA256 of openvpn-2.4.3.tar.gz.asc is
>>  695afa06fcf94f9e8bd2ee63267332d14e52fe24dd58c470e42dafbea371e437
>>
>> The files were downloaded from
>> https://openvpn.net/index.php/open-source/downloads.html at about
>> 10:24 UCT today from the New York City area.
>>
>> For reference, here is the output from verifying 2.3.17:
>>
>> $ gpg2 -v --verify
>> /Users/jonathanbullard/Desktop/openvpn-2.3.17.tar.gz.asc
>>
>> gpg: armor header: Version: GnuPG v1
>> gpg: assuming signed data in
>> '/Users/jonathanbullard/Desktop/openvpn-2.3.17.tar.gz'
>> gpg: Signature made Wed Jun 21 06:18:55 2017 EDT
>> gpg:using RSA key D72AF3448CC2B034
>> gpg: using subkey D72AF3448CC2B034 instead of primary key
>> 12F5F7B42F2B01E7
>> gpg: using pgp trust model
>> gpg: Good signature from "OpenVPN - Security Mailing List
>> " [unknown]
>> gpg: WARNING: This key is not certified with a trusted signature!
>> gpg:  There is no indication that the signature belongs to the
>> owner.
>> Primary key fingerprint: F554 A368 7412 CFFE BDEF  E0A3 12F5 F7B4 2F2B
>> 01E7
>>  Subkey fingerprint: B596 06E2 D8C6 E10B 80BE  2B31 D72A F344 8CC2
>> B034
>> gpg: binary signature, digest algorithm SHA1, key algorithm rsa4096
>>
>> Any ideas or suggestions?
>
> I believe it is Cloudflare playing tricks on us again.
>
> Attached are the proper signature files and below a list of the SHA256
> checksums:
>
> d300029416b045666f2dc957bdde407ba97894428b5ad8433df789e793ccc1d3  openvpn-2.3.17.tar.xz
> b206065f4a1720c022fde710c0449b5b25e9dda8ca2911a82bacf21b9fcb4e29  openvpn-2.3.17.tar.xz.asc
> 7aa86167a5b8923e54e8795b814ed77288c793671f59fd830d9ab76d4b480571  openvpn-2.4.3.tar.xz
> 9f5f089f4a4b3e270ddb53cb0b689f4c0bad89d7e2ee08a1d4666e7ab869f210  openvpn-2.4.3.tar.xz.asc
>
> This is based on the files I've already pushed to the Fedora builder
> (koji), which

I have the following sums:

af806c47623aa1d8246cf0790984766f61c8d0a63ea0b04127ff5c6c65e46088  openvpn-2.3.17.tar.gz
d300029416b045666f2dc957bdde407ba97894428b5ad8433df789e793ccc1d3  openvpn-2.3.17.tar.xz
cee3d3ca462960a50a67c0ebd186e01b6d13db70275205663695152c9aca8579  openvpn-2.4.3.tar.gz
15e15fc97f189b52aee7c90ec8355aa77469c773125110b4c2f089abecde36fb  openvpn-2.4.3.tar.xz

So 2.3.17 seems fine but what about 2.4.3? What is the real final check
sum for openvpn-2.4.3.tar.gz and openvpn-2.4.3.tar.xz?

Thanks,
Simon




Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread Samuli Seppänen
On 21/06/2017 17:06, Simon Matter wrote:
>> On Wed, Jun 21, 2017 at 6:47 AM, Samuli Seppänen 
>> wrote:
>>> The OpenVPN community project team is proud to release OpenVPN 2.4.3. It
>>> can be downloaded from here:
>>>
>>> 
>>
>> Hi. Thanks for this release.
>>
>> Verifying the PGP signature on 2.3.17.tar.gz works fine (so did 2.4.2
>> a few weeks ago), but trying to verify the signature on 2.4.3.tar.gz
>> fails with:
> 
> I wanted to ask this during the 2.4.2 hiccup but now I really ask because
> there is confusion again with 2.4.3:
> 
> Could you please add check sums of all release files so that one can
> easily check to have the correct download. Even MD5 works better than no check
> sum :-)
> 
> Regards,
> Simon
> 

Makes sense. I'll see if I could tackle that tomorrow.

Meanwhile I added a test script which downloads every release file and
verifies their signatures. I will run this script as part of the release
process.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock
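
A release-process check of the kind mentioned above is more reliable when it decides pass or fail from gpg's machine-readable `--status-fd` lines and a pinned primary key fingerprint, rather than from the human-readable output. The following is an added example, not the script described in this message; the function names are assumptions, and the sample status lines are constructed from the key IDs printed in this thread.

```python
import subprocess

# Primary key fingerprint as printed by gpg in this thread, spaces removed.
PINNED_PRIMARY_FPR = "F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7"

# Constructed status lines (key IDs from the thread; timestamp and user ID text are made up).
SAMPLE_GOOD = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG D72AF3448CC2B034 OpenVPN - Security Mailing List
[GNUPG:] VALIDSIG B59606E2D8C6E10B80BE2B31D72AF3448CC2B034 2017-06-21 1498040335 0 4 0 1 2 00 F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7
"""
SAMPLE_BAD = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG D72AF3448CC2B034 OpenVPN - Security Mailing List
"""

FAILURE_KEYWORDS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def evaluate_status(status_text, pinned_fpr=PINNED_PRIMARY_FPR):
    """Return (ok, reason) from gpg status lines; ok only for a good signature by the pinned key."""
    good = bad = False
    signer_primary = None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()[1:]
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword in FAILURE_KEYWORDS:
            bad = True
        elif keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG" and len(args) >= 10:
            signer_primary = args[9]  # tenth argument: primary key fingerprint
    if bad or not good:
        return False, "signature did not verify"
    if signer_primary != pinned_fpr:
        return False, "signed by unexpected key %s" % signer_primary
    return True, "good signature from pinned key"

def verify_release(sig_path, data_path):
    """Verify one downloaded file; needs gpg installed and the signing key imported."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, text=True)
    ok, reason = evaluate_status(proc.stdout)
    return ok and proc.returncode == 0, reason
```

Pinning the fingerprint means a "Good signature" made by some other key in the keyring is still rejected.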




Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread Simon Matter
>> On Wed, Jun 21, 2017 at 6:47 AM, Samuli Seppänen 
>> wrote:
>>> The OpenVPN community project team is proud to release OpenVPN 2.4.3.
>>> It
>>> can be downloaded from here:
>>>
>>> 
>>
>> Hi. Thanks for this release.
>>
>> Verifying the PGP signature on 2.3.17.tar.gz works fine (so did 2.4.2
>> a few weeks ago), but trying to verify the signature on 2.4.3.tar.gz
>> fails with:
>
> I wanted to ask this during the 2.4.2 hiccup but now I really ask because
> there is confusion again with 2.4.3:
>
> Could you please add check sums of all release files so that one can
> easily check to have the correct download. Even MD5 works better than no check
> sum :-)

An additional source of confusion seems to be that the tarball of the .gz and
.xz files don't match. Maybe this could easily be fixed in the build
process.

Simon




Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread Simon Matter
> On Wed, Jun 21, 2017 at 6:47 AM, Samuli Seppänen 
> wrote:
>> The OpenVPN community project team is proud to release OpenVPN 2.4.3. It
>> can be downloaded from here:
>>
>> 
>
> Hi. Thanks for this release.
>
> Verifying the PGP signature on 2.3.17.tar.gz works fine (so did 2.4.2
> a few weeks ago), but trying to verify the signature on 2.4.3.tar.gz
> fails with:

I wanted to ask this during the 2.4.2 hiccup but now I really ask because
there is confusion again with 2.4.3:

Could you please add check sums of all release files so that one can
easily check to have the correct download. Even MD5 works better than no check
sum :-)

Regards,
Simon




Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread David Sommerseth
On 21/06/17 13:48, Jonathan K. Bullard wrote:
> On Wed, Jun 21, 2017 at 6:47 AM, Samuli Seppänen  wrote:
>> The OpenVPN community project team is proud to release OpenVPN 2.4.3. It
>> can be downloaded from here:
>>
>> 
> 
> Hi. Thanks for this release.
> 
> Verifying the PGP signature on 2.3.17.tar.gz works fine (so did 2.4.2
> a few weeks ago), but trying to verify the signature on 2.4.3.tar.gz
> fails with:
> 
> $ gpg2 -v --verify /XXX/openvpn-2.4.3.tar.gz.asc
> 
> gpg: armor header: Version: GnuPG v1
> gpg: assuming signed data in '/XXX/openvpn-2.4.3.tar.gz'
> gpg: Signature made Wed Jun 21 06:19:19 2017 EDT
> gpg:using RSA key D72AF3448CC2B034
> gpg: using subkey D72AF3448CC2B034 instead of primary key 12F5F7B42F2B01E7
> gpg: using pgp trust model
> gpg: BAD signature from "OpenVPN - Security Mailing List
> " [unknown]
> gpg: binary signature, digest algorithm SHA1, key algorithm rsa4096
> 
> The SHA256 of openvpn-2.4.3.tar.gz is
>  84a01aa3df0c12a3552ca3baaa39d700137b5bce4b6de683fe87fb79bfa5df0b
> 
> The SHA256 of openvpn-2.4.3.tar.gz.asc is
>  695afa06fcf94f9e8bd2ee63267332d14e52fe24dd58c470e42dafbea371e437
> 
> The files were downloaded from
> https://openvpn.net/index.php/open-source/downloads.html at about
> 10:24 UCT today from the New York City area.
> 
> For reference, here is the output from verifying 2.3.17:
> 
> $ gpg2 -v --verify /Users/jonathanbullard/Desktop/openvpn-2.3.17.tar.gz.asc
> 
> gpg: armor header: Version: GnuPG v1
> gpg: assuming signed data in
> '/Users/jonathanbullard/Desktop/openvpn-2.3.17.tar.gz'
> gpg: Signature made Wed Jun 21 06:18:55 2017 EDT
> gpg:using RSA key D72AF3448CC2B034
> gpg: using subkey D72AF3448CC2B034 instead of primary key 12F5F7B42F2B01E7
> gpg: using pgp trust model
> gpg: Good signature from "OpenVPN - Security Mailing List
> " [unknown]
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:  There is no indication that the signature belongs to the owner.
> Primary key fingerprint: F554 A368 7412 CFFE BDEF  E0A3 12F5 F7B4 2F2B 01E7
>  Subkey fingerprint: B596 06E2 D8C6 E10B 80BE  2B31 D72A F344 8CC2 B034
> gpg: binary signature, digest algorithm SHA1, key algorithm rsa4096
> 
> Any ideas or suggestions?

I believe it is Cloudflare playing tricks on us again.

Attached are the proper signature files and below a list of the SHA256 
checksums:

d300029416b045666f2dc957bdde407ba97894428b5ad8433df789e793ccc1d3  openvpn-2.3.17.tar.xz
b206065f4a1720c022fde710c0449b5b25e9dda8ca2911a82bacf21b9fcb4e29  openvpn-2.3.17.tar.xz.asc
7aa86167a5b8923e54e8795b814ed77288c793671f59fd830d9ab76d4b480571  openvpn-2.4.3.tar.xz
9f5f089f4a4b3e270ddb53cb0b689f4c0bad89d7e2ee08a1d4666e7ab869f210  openvpn-2.4.3.tar.xz.asc

This is based on the files I've already pushed to the Fedora builder (koji),
which I downloaded soon after the swupdates.openvpn.net server was updated.


-- 
kind regards,

David Sommerseth
OpenVPN Technologies, Inc



openvpn-2.3.17.tar.xz.asc
Description: application/pgp-encrypted


openvpn-2.4.2.tar.xz.asc
Description: application/pgp-encrypted




Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread Jonathan K. Bullard
On Wed, Jun 21, 2017 at 6:47 AM, Samuli Seppänen  wrote:
> The OpenVPN community project team is proud to release OpenVPN 2.4.3. It
> can be downloaded from here:
>
> 

Hi. Thanks for this release.

Verifying the PGP signature on 2.3.17.tar.gz works fine (so did 2.4.2
a few weeks ago), but trying to verify the signature on 2.4.3.tar.gz
fails with:

$ gpg2 -v --verify /XXX/openvpn-2.4.3.tar.gz.asc

gpg: armor header: Version: GnuPG v1
gpg: assuming signed data in '/XXX/openvpn-2.4.3.tar.gz'
gpg: Signature made Wed Jun 21 06:19:19 2017 EDT
gpg:using RSA key D72AF3448CC2B034
gpg: using subkey D72AF3448CC2B034 instead of primary key 12F5F7B42F2B01E7
gpg: using pgp trust model
gpg: BAD signature from "OpenVPN - Security Mailing List
" [unknown]
gpg: binary signature, digest algorithm SHA1, key algorithm rsa4096

The SHA256 of openvpn-2.4.3.tar.gz is
 84a01aa3df0c12a3552ca3baaa39d700137b5bce4b6de683fe87fb79bfa5df0b

The SHA256 of openvpn-2.4.3.tar.gz.asc is
 695afa06fcf94f9e8bd2ee63267332d14e52fe24dd58c470e42dafbea371e437

The files were downloaded from
https://openvpn.net/index.php/open-source/downloads.html at about
10:24 UCT today from the New York City area.

For reference, here is the output from verifying 2.3.17:

$ gpg2 -v --verify /Users/jonathanbullard/Desktop/openvpn-2.3.17.tar.gz.asc

gpg: armor header: Version: GnuPG v1
gpg: assuming signed data in
'/Users/jonathanbullard/Desktop/openvpn-2.3.17.tar.gz'
gpg: Signature made Wed Jun 21 06:18:55 2017 EDT
gpg:using RSA key D72AF3448CC2B034
gpg: using subkey D72AF3448CC2B034 instead of primary key 12F5F7B42F2B01E7
gpg: using pgp trust model
gpg: Good signature from "OpenVPN - Security Mailing List
" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:  There is no indication that the signature belongs to the owner.
Primary key fingerprint: F554 A368 7412 CFFE BDEF  E0A3 12F5 F7B4 2F2B 01E7
 Subkey fingerprint: B596 06E2 D8C6 E10B 80BE  2B31 D72A F344 8CC2 B034
gpg: binary signature, digest algorithm SHA1, key algorithm rsa4096

Any ideas or suggestions?

Thanks,

Jon Bullard
