Project

General

Profile

GPG reports BAD signature for replicant-4.2-i9100.zip

Added by Tiberiu T over 8 years ago

Are you aware of this issue?

gpg --armor --verify path/to/recovery.img.asc path/to/recovery.img
gpg: Good signature from "Replicant project release key <>"

but,

gpg --armor --verify path/to/replicant-4.2-i9100.zip.asc path/to/replicant-4.2-i9100.zip
gpg: BAD signature from "Replicant project release key <>"

Downloaded from:
http://ftp-osl.osuosl.org/pub/replicant/images/replicant-4.2/0004/images/i9100/

And md5sum check was successful:

md5sum -c i9100.md5
recovery.img: OK
replicant-4.2-i9100.zip: OK

Thanks for looking into it.


Replies (3)

RE: GPG reports BAD signature for replicant-4.2-i9100.zip - Added by Paul Kocialkowski over 8 years ago

Everything works here, and it all looks good from the server. If the md5sum matches, perhaps something went wrong when downloading the signature file?

If this is what you use to preinstall Replicant on the devices you're selling, please don't ship any without getting it right. It might be that your download is compromised!

RE: GPG reports BAD signature for replicant-4.2-i9100.zip - Added by Tiberiu T over 8 years ago

I downloaded again the replicant-4.2-i9100.zip.asc file and it looks different:

The one before:

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAABAgAGBQJUhENqAAoJEBbR/u5KgOsjCAcIAKb4uTk3dWqASUSsu1Nijd0f
hlBK4T9cVYaKDkF8RXngiK/qK/0CoT/n2UOMHbItRoA9iy7mZhAMd3hAG2ybpqzX
DZLceyVOjlaroldGLeEoYe0kcTI9N9AsFP6mF4pWSlYrY77y3w6ocgVO4u/9z8vL
DIAtziHCbd5Fkk9487mX6VbRDqSMPrNKZmXOZ3n3+sMge7B85jg/Lxhl3OAcnoZz
sqy/Mo5SvJPziEA2BSPAXHNigLehIwsBwWDtzVqHbVnOiBH4wezwrlwUAbxL/W42
2MmhtGeJ5Bk1Zk3m7Cd0Qo15tYQAoChSGgb5AVCr+vkIPEWwWsZloN41Bc2YrpY=
=EDK1
-----END PGP SIGNATURE-----

The second one:

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAABAgAGBQJV5YynAAoJEBbR/u5KgOsjOZEH/2eVep3c3G7lWhJ3EOe6/vhK
f7mKkRP9Y0VCeGUoS2kFRcsfF9TOb5MJv/2psVsc+JtpBtLw30Tzsla4LXG1M/QY
MJW5J/FDLt4s9JfGHjQwePf2oBXqSeq6N2/aRwns7aJJAtmyib2fi+hncadBt/vu
1AUm+eIEl16fnukdMIse0QuZDpVT9tOOykINgYS/BTeTDaUs6y2g7PfNZDA60+Z8
kZypo17KYUM0qxfWOIJ2VXEYiDRMnZXkTbWEpZzS7zn9Ze4vwCXG0FtmpEY3f4/q
1OT++3gnE9U2cMTHdVlRVIuWWBHbgIwsEhWOi+19SG1CCrfRwE9zDKeyJIsDKsI=
=mJ1/
-----END PGP SIGNATURE-----

See the difference starts at U/V.

GPG reports the second one as being a "good signature" for the image I have downloaded before. Probably the download of the replicant-4.2-i9100.zip.asc file went wrong, as you assumed.

I haven't shipped any device without this being sorted out. That's why I wrote here.

The MD5 sum was correct for replicant-4.2-i9100.zip and it was highly unlikely that the image I downloaded was compromised. Please try to not spread FUD by mistake. It's not the first time I'm flashing Replicant and this time when something didn't add up, I checked with you.

Also, I think it could be useful to provide MD5 sums for the signature files too in the .md5 file.

Thanks for being prompt.

RE: GPG reports BAD signature for replicant-4.2-i9100.zip - Added by Paul Kocialkowski over 8 years ago

I downloaded again the replicant-4.2-i9100.zip.asc file and it looks different

Okay, that's still very strange, but let's say it was just some random error when downloading.

I haven't shipped any device without this being sorted out. That's why I wrote here.

Good thing!

The MD5 sum was correct for replicant-4.2-i9100.zip and it was highly unlikely that the image I downloaded was compromised. Please try to not spread FUD by mistake.

You simply cannot assume that. If you had been attacked, it could have been that the zip and md5 contained tempered contents and only the signature remained original.

Also, I think it could be useful to provide MD5 sums for the signature files too in the .md5 file.

That's not a bad idea, the current release script does things the other way round, but it would be beneficial to do it as you suggest.

Good to hear that everthing's fine now :)

    (1-3/3)