6.6/packages/i386/SHA256.sig to be verified with 'openbsd-65-pkg.pub'?

classic Classic list List threaded Threaded
6 messages Options
Reply | Threaded
Open this post in threaded view
|

6.6/packages/i386/SHA256.sig to be verified with 'openbsd-65-pkg.pub'?

zeurkous
That doesn't seem right. Did you folks use the wrong key when signing
the file, or is there a particular reason to do it this way that me's
not aware of...?

        --zeur.

--
Friggin' Machines!

Reply | Threaded
Open this post in threaded view
|

Re: 6.6/packages/i386/SHA256.sig to be verified with 'openbsd-65-pkg.pub'?

Stuart Henderson
On 2019-11-10, <[hidden email]> <[hidden email]> wrote:
> That doesn't seem right. Did you folks use the wrong key when signing
> the file, or is there a particular reason to do it this way that me's
> not aware of...?

Thanks for the report, yes i386 (and mips64) had the wrong key. I guess
not many people are doing fresh installs on these.

Re-signed packages should be available sometime soon, but there are no
changes to the package contents, there's no need to reinstall if you
already have them.


Reply | Threaded
Open this post in threaded view
|

Re: 6.6/packages/i386/SHA256.sig to be verified with 'openbsd-65-pkg.pub'?

Theo de Raadt-2
In reply to this post by zeurkous
<[hidden email]> wrote:

> That doesn't seem right. Did you folks use the wrong key when signing
> the file, or is there a particular reason to do it this way that me's
> not aware of...?

These files have now been replaced.  Does it look right?

Reply | Threaded
Open this post in threaded view
|

Re: 6.6/packages/i386/SHA256.sig to be verified with 'openbsd-65-pkg.pub'?

acampbell
In reply to this post by Stuart Henderson
On 10 Nov 2019, Stuart Henderson wrote:

> On 2019-11-10, <[hidden email]> <[hidden email]> wrote:
> > That doesn't seem right. Did you folks use the wrong key when signing
> > the file, or is there a particular reason to do it this way that me's
> > not aware of...?
>
> Thanks for the report, yes i386 (and mips64) had the wrong key. I guess
> not many people are doing fresh installs on these.
>
> Re-signed packages should be available sometime soon, but there are no
> changes to the package contents, there's no need to reinstall if you
> already have them.
>
>
>

I did a fresh install on a Thinkpad i386 a couple of weeks ago and
was very grateful to have it, so I hope it doesn't disappear any
time soon.

--
Anthony Campbell http://www.acampbell.uk

Reply | Threaded
Open this post in threaded view
|

RE: 6.6/packages/i386/SHA256.sig to be verified with 'openbsd-65-pkg.pub'?

zeurkous
In reply to this post by Theo de Raadt-2
Morning,

theo wrote:
> <[hidden email]> wrote:
>
>> That doesn't seem right. Did you folks use the wrong key when signing
>> the file, or is there a particular reason to do it this way that me's
>> not aware of...?
>
> These files have now been replaced. Does it look right?

Me's afraid not: SHA256.sig is now rather short, ending at the hash of
aqsis-1.8.2p10.tgz (tried to fetch it from both ftp.eu and the CDN: same
result).

It's a bad week over here, too *sigh*.

           --zeur.

--
Friggin' Machines!

Reply | Threaded
Open this post in threaded view
|

FU: RE: 6.6/packages/i386/SHA256.sig to be verified with 'openbsd-65-pkg.pub'?

zeurkous
Evening,

mewrote:
> theo wrote:
>>
>> These files have now been replaced. Does it look right?
>
> Me's afraid not: SHA256.sig is now rather short, ending at the hash of
> aqsis-1.8.2p10.tgz (tried to fetch it from both ftp.eu and the CDN: same
> result).

...which now appears to have been fixed. Thanks!

        --zeurkous.

--
Friggin' Machines!