FS#54544 - [openvpn] sha256 hash

Attached to Project: Arch Linux
Opened by Nicola (drakkan) - Thursday, 22 June 2017, 18:19 GMT
Last edited by Christian Hesse (eworm) - Saturday, 24 June 2017, 12:42 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To Christian Hesse (eworm)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:

If you download openvpn 2.4.3 now you have this sha256sum:

sha256sum openvpn-2.4.3.tar.xz
15e15fc97f189b52aee7c90ec8355aa77469c773125110b4c2f089abecde36fb openvpn-2.4.3.tar.xz


This is different from the one in PKGBUILD:

https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/openvpn#n19

Seems a problem with the openvpn release process, please read more details on openvpn devel list, the right sha256sum should be the actual one and not the one in PKGBUILD, but it is not completely clear

Closed by  Christian Hesse (eworm)
Saturday, 24 June 2017, 12:42 GMT
Reason for closing:  Fixed
Additional comments about closing:  fixed in svn
Comment by David McAdoo (geecroof) - Thursday, 22 June 2017, 18:28 GMT
Actually it's the opposite, shasum in PKGBUILD is correct and yours is wrong. See
https://sourceforge.net/p/openvpn/mailman/message/35907209/ and
https://community.openvpn.net/openvpn/wiki/release-packages-2.4.3-2.3.17
for additional info. Also keep in mind that you have to get the correct asc file, which you can find in the wikipage above.
Comment by Doug Newgard (Scimmia) - Thursday, 22 June 2017, 20:09 GMT
makepkg -od doesn't work, so there is a bug here somewhere.
Comment by Doug Newgard (Scimmia) - Thursday, 22 June 2017, 20:23 GMT
Package may be built from correct source, but PKGBUILD does not build as written. That's a bug.
Comment by David McAdoo (geecroof) - Thursday, 22 June 2017, 21:36 GMT
Upstream packaged the tarball and signed it, then repackaged and re-signed.

As a result we have two different pairs of tarballs and signatures which match independently but not when you mix them.

Due to Cloudflare caching you can get tarball A with signature B or tarball B with signature A and that's why makepkg fails either on hash check or gpg verify.

Correct sha256 sums and signatures are in the wikipage I posted above.
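
The mixed tarball/signature condition described in this comment can be told apart from a plain bad download by hashing both files against the published checksums. The script below is an added example, not part of the original thread or of makepkg; the manifest format, function names and sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): classify a downloaded tarball/signature
# pair against published checksums. Assumed manifest format, one release per line:
#   <label> <sha256 of tarball> <sha256 of .asc>

sha256_of() { out=$(sha256sum "$1") || return 1; echo "${out%% *}"; }

# Prints matched:<label>, mixed:<tarball label>+<sig label>,
# unknown-tarball or unknown-signature; returns non-zero unless matched.
classify_pair() {
    tarball=$1 sig=$2 manifest=$3
    t_hash=$(sha256_of "$tarball") || return 2
    s_hash=$(sha256_of "$sig") || return 2
    # (h "") forces a string comparison in awk
    t_label=$(awk -v h="$t_hash" '$2 == (h "") { print $1; exit }' "$manifest")
    s_label=$(awk -v h="$s_hash" '$3 == (h "") { print $1; exit }' "$manifest")
    if [ -z "$t_label" ]; then echo unknown-tarball; return 1; fi
    if [ -z "$s_label" ]; then echo unknown-signature; return 1; fi
    if [ "$t_label" = "$s_label" ]; then
        echo "matched:$t_label"
    else
        echo "mixed:$t_label+$s_label"; return 1
    fi
}

# Constructed sample data: two fake "releases" a and b standing in for the
# original and the repackaged upload. No real OpenVPN files or hashes.
make_sample() {
    dir=$1
    printf 'tarball A\n' > "$dir/a.tar.xz"; printf 'sig A\n' > "$dir/a.tar.xz.asc"
    printf 'tarball B\n' > "$dir/b.tar.xz"; printf 'sig B\n' > "$dir/b.tar.xz.asc"
    for r in a b; do
        echo "$r $(sha256_of "$dir/$r.tar.xz") $(sha256_of "$dir/$r.tar.xz.asc")"
    done > "$dir/manifest"
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
classify_pair "$demo_dir/a.tar.xz" "$demo_dir/a.tar.xz.asc" "$demo_dir/manifest"
classify_pair "$demo_dir/a.tar.xz" "$demo_dir/b.tar.xz.asc" "$demo_dir/manifest" || true
rm -rf "$demo_dir"
```

A `matched` result only says both files belong to the same published release; the signature still has to verify with gpg against the upstream key.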
Comment by Christian Hesse (eworm) - Thursday, 22 June 2017, 21:45 GMT
Damn shit!

(Well, I received the correct files from download servers, so I closed this too early. Sorry for that!)

The wiki page has checksums for tarballs and signatures and gives download links for the tarballs. Is there a reliable source for the signature?
Comment by David McAdoo (geecroof) - Thursday, 22 June 2017, 21:53 GMT
You have signatures on that wikipage above, at the bottom, as attachments. However, I don't know if they stay there permanently; maybe it's better to wait for Cloudflare to catch up.
Comment by Christian Hesse (eworm) - Thursday, 22 June 2017, 21:56 GMT
There's just checksums, no signatures.
However I committed the signature to svn. Does it build for anybody now?
Comment by David McAdoo (geecroof) - Thursday, 22 June 2017, 22:00 GMT
Comment by David McAdoo (geecroof) - Thursday, 22 June 2017, 22:03 GMT
Comment by David McAdoo (geecroof) - Thursday, 22 June 2017, 22:08 GMT
Comment by Christian Hesse (eworm) - Thursday, 22 June 2017, 22:10 GMT
Ah, missed the attachments.
Nevertheless I will keep the signature in svn for now.

Let's hope they fix their release stuff for the next release. *holding thumbs*
