packages snapshots signed with wrong key

Sebastien Marie
Hi,

Short story: the latest package snapshot (i386) is signed with
55pkg.pub, but the @signer in +CONTENTS is 54pkg.

Long story:

I upgraded to (near) latest base system (OpenBSD bert.local 5.5 GENERIC.MP#217 i386).
And I tried to update my ports too, via packages.

My mirror is ftp://mirror.esc7.net/pub/OpenBSD/snapshots/packages/i386/
It should be same state as ftp.openbsd.org (having same SHA256 in directory).

# pkg_add -aui
pub fp: UQW0HmnVm5k=
sig fp: qMGXBLsGJhI=
signify: verification failed: checked against wrong key
system(/usr/bin/signify, -p, /etc/signify/54pkg.pub, -V, -m,
/tmp/pkgcontent.8ERtOK64G) failed: exit(1)
--- +quirks-1.106 -------------------
Bad signature
Fatal error: quirks-1.106 is corrupted
 at /usr/libdata/perl5/OpenBSD/PkgAdd.pm line 659.

To be sure about the error, I tested the following:

# /usr/bin/signify -p /etc/signify/54pkg.pub -V -m /tmp/pkgcontent.8ERtOK64G
pub fp: UQW0HmnVm5k=
sig fp: qMGXBLsGJhI=
signify: verification failed: checked against wrong key

OK, the key 54pkg is not the signer.

# /usr/bin/signify -p /etc/signify/55pkg.pub -V -m /tmp/pkgcontent.8ERtOK64G
#

So no error with 55pkg.pub, so the 55pkg is the signer.

But in the package, the registered signer is 54pkg.

# head /tmp/pkgcontent.8ERtOK64G
@comment $OpenBSD: PLIST,v 1.2 2011/07/14 09:53:58 espie Exp $
@name quirks-1.106
@signer 54pkg
@digital-signature signify:2014-01-14T21:43:38Z
@option always-update
@comment pkgpath=devel/quirks cdrom=yes ftp=yes
@arch *
+DESC
@sha ZcShuBxD9cPsWmJce9rnoKKlC4qYQve7PwElfX/uk8Q=
@size 348

Thanks.
--
Sébastien Marie
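
Added example, not part of the original post and not OpenBSD's own code: a Python sketch of the key-number comparison behind "checked against wrong key", set against the @signer annotation in +CONTENTS. It assumes the signify layout of a 2-byte algorithm tag, an 8-byte key number, then the key or signature, and that the "pub fp"/"sig fp" values printed above are the base64 of that key number; the key and signature bodies are constructed zero bytes, and `diagnose`, `KEYRING`, `SIG` and `CONTENTS` are hypothetical names.

```python
import base64
import re

PUBKEY_LEN, SIG_LEN = 2 + 8 + 32, 2 + 8 + 64  # pkalg + keynum + key/signature

def keynum(signify_text):
    """Return the 8-byte key number from a signify .pub or .sig file body."""
    lines = signify_text.strip().splitlines()
    if len(lines) < 2 or not lines[0].startswith("untrusted comment: "):
        raise ValueError("not a signify file: missing 'untrusted comment:' line")
    raw = base64.b64decode(lines[1], validate=True)
    if len(raw) not in (PUBKEY_LEN, SIG_LEN) or raw[:2] != b"Ed":
        raise ValueError("unexpected signify blob length or algorithm")
    return raw[2:10]

def fingerprint(signify_text):
    """Base64 form of the key number, as shown in the 'pub fp'/'sig fp' lines."""
    return base64.b64encode(keynum(signify_text)).decode()

def diagnose(contents, sig_text, keyring):
    """Compare the @signer annotation with the key whose number is in the signature.

    A key-number match only says which key to try; the signature itself
    still has to be verified with signify against that public key.
    """
    m = re.search(r"^@signer\s+(\S+)\s*$", contents, re.MULTILINE)
    declared = m.group(1) if m else None
    sig_kn = keynum(sig_text)
    actual = next((n for n, pub in keyring.items() if keynum(pub) == sig_kn), None)
    return {"declared": declared, "actual": actual, "mismatch": declared != actual}

def _blob(comment, fp_b64, body_len):
    # Constructed sample: key number taken from the post, body is zero bytes.
    raw = b"Ed" + base64.b64decode(fp_b64) + bytes(body_len)
    return "untrusted comment: %s\n%s\n" % (comment, base64.b64encode(raw).decode())

KEYRING = {"54pkg": _blob("54pkg public key (constructed)", "UQW0HmnVm5k=", 32),
           "55pkg": _blob("55pkg public key (constructed)", "qMGXBLsGJhI=", 32)}
SIG = _blob("signature (constructed)", "qMGXBLsGJhI=", 64)
CONTENTS = "@name quirks-1.106\n@signer 54pkg\n@option always-update\n"

if __name__ == "__main__":
    print(diagnose(CONTENTS, SIG, KEYRING))
```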

Re: packages snapshots signed with wrong key

Jiri B-2
On Wed, Jan 15, 2014 at 01:38:30PM +0100, Sébastien Marie wrote:
> Hi,
>
> Short story: the latest package snapshot (i386) is signed with
> 55pkg.pub, but the @signer in +CONTENTS is 54pkg.

Didn't you just forget to upgrade your base OS? 5.5 was tagged
a couple of days ago.

jirib

Re: packages snapshots signed with wrong key

Stuart Henderson-6
In reply to this post by Sebastien Marie
On 2014/01/15 13:38, Sébastien Marie wrote:
> Hi,
>
> Short story: the latest package snapshot (i386) is signed with
> 55pkg.pub, but the @signer in +CONTENTS is 54pkg.

Thanks for the report - fixed packages will be available in a bit.


Re: packages snapshots signed with wrong key

Stuart Henderson-6
In reply to this post by Jiri B-2
On 2014/01/15 07:58, Jiri B wrote:

> On Wed, Jan 15, 2014 at 01:38:30PM +0100, Sébastien Marie wrote:
> > Hi,
> >
> > Short story: the latest package snapshot (i386) is signed with
> > 55pkg.pub, but the @signer in +CONTENTS is 54pkg.
>
> Didn't you just forget to upgrade your base OS? 5.5 was tagged
> a couple of days ago.
>
> jirib
>

No.


Re: packages snapshots signed with wrong key

413x
In reply to this post by Sebastien Marie
On 15.01.2014 13:38, Sébastien Marie wrote:
> Hi,
>
> Short story: the latest package snapshot (i386) is signed with
> 55pkg.pub, but the @signer in +CONTENTS is 54pkg.
>
> Long story:
>
> I upgraded to (near) latest base system (OpenBSD bert.local 5.5 GENERIC.MP#217 i386).
> And I tried to update my ports too, via packages.

Same problem here too :
OpenBSD alex.test 5.5 GENERIC.MP#8 amd64


>
> My mirror is ftp://mirror.esc7.net/pub/OpenBSD/snapshots/packages/i386/
> It should be same state as ftp.openbsd.org (having same SHA256 in directory).
>
> # pkg_add -aui
> pub fp: UQW0HmnVm5k=
> sig fp: qMGXBLsGJhI=
> signify: verification failed: checked against wrong key
> system(/usr/bin/signify, -p, /etc/signify/54pkg.pub, -V, -m,
> /tmp/pkgcontent.8ERtOK64G) failed: exit(1)
> --- +quirks-1.106 -------------------
> Bad signature
> Fatal error: quirks-1.106 is corrupted
>  at /usr/libdata/perl5/OpenBSD/PkgAdd.pm line 659.
>
> To be sure about the error, I tested the following:
>
> # /usr/bin/signify -p /etc/signify/54pkg.pub -V -m /tmp/pkgcontent.8ERtOK64G
> pub fp: UQW0HmnVm5k=
> sig fp: qMGXBLsGJhI=
> signify: verification failed: checked against wrong key
>
> OK, the key 54pkg is not the signer.
>
> # /usr/bin/signify -p /etc/signify/55pkg.pub -V -m /tmp/pkgcontent.8ERtOK64G
> #
>
> So no error with 55pkg.pub, so the 55pkg is the signer.
>
> But in the package, the registered signer is 54pkg.
>
> # head /tmp/pkgcontent.8ERtOK64G
> @comment $OpenBSD: PLIST,v 1.2 2011/07/14 09:53:58 espie Exp $
> @name quirks-1.106
> @signer 54pkg
> @digital-signature signify:2014-01-14T21:43:38Z
> @option always-update
> @comment pkgpath=devel/quirks cdrom=yes ftp=yes
> @arch *
> +DESC
> @sha ZcShuBxD9cPsWmJce9rnoKKlC4qYQve7PwElfX/uk8Q=
> @size 348
>
> Thanks.

--
Alexis de BRUYN

Re: packages snapshots signed with wrong key

Stuart Henderson-6
On 2014/01/15 15:15, Alexis de BRUYN wrote:

> On 15.01.2014 13:38, Sébastien Marie wrote:
> > Hi,
> >
> > Short story: the latest package snapshot (i386) is signed with
> > 55pkg.pub, but the @signer in +CONTENTS is 54pkg.
> >
> > Long story:
> >
> > I upgraded to (near) latest base system (OpenBSD bert.local 5.5 GENERIC.MP#217 i386).
> > And I tried to update my ports too, via packages.
>
> Same problem here too :
> OpenBSD alex.test 5.5 GENERIC.MP#8 amd64

You can use "pkg_add -u -D nosig" for now. New packages are heading out
so this will fix itself later.


Re: packages snapshots signed with wrong key

413x
On 15.01.2014 15:33, Stuart Henderson wrote:

> On 2014/01/15 15:15, Alexis de BRUYN wrote:
>> On 15.01.2014 13:38, Sébastien Marie wrote:
>>> Hi,
>>>
>>> Short story: the latest package snapshot (i386) is signed with
>>> 55pkg.pub, but the @signer in +CONTENTS is 54pkg.
>>>
>>> Long story:
>>>
>>> I upgraded to (near) latest base system (OpenBSD bert.local 5.5 GENERIC.MP#217 i386).
>>> And I tried to update my ports too, via packages.
>>
>> Same problem here too :
>> OpenBSD alex.test 5.5 GENERIC.MP#8 amd64
>
> You can use "pkg_add -u -D nosig" for now. New packages are heading out
> so this will fix itself later.

Yes I have done that. Thanks.

--
Alexis de BRUYN

Re: packages snapshots signed with wrong key

Christian Weisgerber
In reply to this post by 413x
Alexis de BRUYN <[hidden email]> wrote:

> > Short story: the latest package snapshot (i386) is signed with
> > 55pkg.pub, but the @signer in +CONTENTS is 54pkg.
>
> Same problem here too :
> OpenBSD alex.test 5.5 GENERIC.MP#8 amd64

I fixed the amd64 packages last night (CET).  The mirrors should
be catching up.  Sorry about that.

--
Christian "naddy" Weisgerber                          [hidden email]

Re: packages snapshots signed with wrong key

413x
On 15.01.2014 16:54, Christian Weisgerber wrote:

> Alexis de BRUYN <[hidden email]> wrote:
>
>>> Short story: the latest package snapshot (i386) is signed with
>>> 55pkg.pub, but the @signer in +CONTENTS is 54pkg.
>>
>> Same problem here too :
>> OpenBSD alex.test 5.5 GENERIC.MP#8 amd64
>
> I fixed the amd64 packages last night (CET).  The mirrors should
> be catching up.  Sorry about that.
>
This is working fine now. Thanks.

In my case, all .pub files were not installed in /etc/signify/ after I
updated my tree and rebuilt my kernel/userland, I had to copy them
manually from /usr/src/etc/signify/.

--
Alexis de BRUYN

Re: packages snapshots signed with wrong key

Antoine Jacoutot-7
On Thu, Jan 16, 2014 at 10:07:12AM +0100, Alexis de BRUYN wrote:

> On 15.01.2014 16:54, Christian Weisgerber wrote:
> > Alexis de BRUYN <[hidden email]> wrote:
> >
> >>> Short story: the latest package snapshot (i386) is signed with
> >>> 55pkg.pub, but the @signer in +CONTENTS is 54pkg.
> >>
> >> Same problem here too :
> >> OpenBSD alex.test 5.5 GENERIC.MP#8 amd64
> >
> > I fixed the amd64 packages last night (CET).  The mirrors should
> > be catching up.  Sorry about that.
> >
> This is working fine now. Thanks.
>
> In my case, all .pub files were not installed in /etc/signify/ after I
> updated my tree and rebuilt my kernel/userland, I had to copy them
> manually from /usr/src/etc/signify/.

That is what sysmerge(8) is for, did you run it?

--
Antoine

Re: packages snapshots signed with wrong key

413x
On 16.01.2014 10:15, Antoine Jacoutot wrote:

> On Thu, Jan 16, 2014 at 10:07:12AM +0100, Alexis de BRUYN wrote:
>> On 15.01.2014 16:54, Christian Weisgerber wrote:
>>> Alexis de BRUYN <[hidden email]> wrote:
>>>
>>>>> Short story: the latest package snapshot (i386) is signed with
>>>>> 55pkg.pub, but the @signer in +CONTENTS is 54pkg.
>>>>
>>>> Same problem here too :
>>>> OpenBSD alex.test 5.5 GENERIC.MP#8 amd64
>>>
>>> I fixed the amd64 packages last night (CET).  The mirrors should
>>> be catching up.  Sorry about that.
>>>
>> This is working fine now. Thanks.
>>
>> In my case, all .pub files were not installed in /etc/signify/ after I
>> updated my tree and rebuilt my kernel/userland, I had to copy them
>> manually from /usr/src/etc/signify/.
>
> That is what sysmerge(8) is for, did you run it?
>
No I forgot this time. Problem solved.
Sorry for the noise and Thank you Antoine.

--
Alexis de BRUYN