From lurker-index@localhost Sun Apr 23 22:30:41 2017
Date: Sun, 23 Apr 2017 22:30:41 +0200
From: Miroslav Rovis <miro.rovis@croatiafidelis.hr>
To: dng <dng@lists.dyne.org>
Subject: Re: [DNG] BAD sig with Devuan Jessie 1.0.0-RC
Message-ID: <20170423203041.GA22158@g0n.xdwgrp>
References: <20170423152414.GA29324@g0n.xdwgrp>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
	protocol="application/pgp-signature"; boundary="EuxKj2iCbKjpUGkD"
Content-Disposition: inline
In-Reply-To: <20170423152414.GA29324@g0n.xdwgrp>
User-Agent: Mutt/1.8.1 (2017-04-11)


--EuxKj2iCbKjpUGkD
Content-Type: multipart/mixed; boundary="vtzGhvizbBRQ85DL"
Content-Disposition: inline


--vtzGhvizbBRQ85DL
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Thanks, Rick Moen (in the other short reply, where he suggested pasting
somewhere, what? the trace?, probably not... But the hashes *are* there
in my previous mail, and thanks to PGP they are verifiably exactly what
I sent...)... But I'll see to the missing information. I'm now starting
more serious work on this.

On 170423-17:24+0200, Miroslav Rovis wrote:
> I already sent this message, but it's 110k altogether, and it's awaiting:
>=20
=2E..
> Because  I'm removing the network trace, which is 83k, and makes the
> mail 110k (because of base64). The rest is the same as in previous email
> which is awaiting moderation.
>=20
=2E..
> ( $ wget \
> https://files.devuan.org/devuan_jessie_rc/installer-iso/devuan_jessie_1.0=
=2E0-RC_amd64_DVD.iso
> )

Pls. see about these below in my previous email:
> But let's get the possibility that the hash and sig files that I also dow=
nloaded
> from:
> https://files.devuan.org/devuan_jessie_rc/installer-iso/
>=20
> are to blame.

In the mail the moderators let through there is (I'll post that email at:

https://www.croatiafidelis.hr/foss/cap/cap-170423-devuan-iso-sig/
### --> non-existent at the time of writing this <-- ####

along with other stuff, more below on my plans)
> The shortest is the network trace upon getting the BAD signature upon
> verification, attached (minimal anonymization of just the MACs with done
> on it as per my script dump_perl_repl.sh avalable at
> https://github.com/miroR/uncenz ):
>=20
> dump_170423_1642_g0n.pcap

And I'll post that now hours old trace above too (reading the network is
such slow work...).

> which is all in cleartext (no SSL), because I redownloaded
>=20
> wget http://devuan.c3l.lu/devuan_jessie_rc/installer-iso/SHA256SUMS.asc
> and
> wget http://devuan.c3l.lu/devuan_jessie_rc/installer-iso/SHA256SUMS
>=20

et cetera...

What I reported is still the case (well it was half an hour or one hour
ago when I started writing this very email that you're reading)...

This is actual paste from terminal (I removed just what is before $):

$ wget https://files.devuan.org/devuan_jessie_rc/installer-iso/SHA256SUMS.a=
sc
--2017-04-23 21:02:35--  https://files.devuan.org/devuan_jessie_rc/installe=
r-iso/SHA256SUMS.asc
Resolving files.devuan.org... 104.236.249.173
Connecting to files.devuan.org|104.236.249.173|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1513 (1.5K) [application/octet-stream]
Saving to: =E2=80=98SHA256SUMS.asc=E2=80=99

SHA256SUMS.asc              100%[=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D>]   1.48K  --.-KB/s    in 0s     =20

2017-04-23 21:02:35 (36.1 MB/s) - =E2=80=98SHA256SUMS.asc=E2=80=99 saved [1=
513/1513]

$ wget https://files.devuan.org/devuan_jessie_rc/installer-iso/SHA256SUMS
--2017-04-23 21:02:37--  https://files.devuan.org/devuan_jessie_rc/installe=
r-iso/SHA256SUMS
Resolving files.devuan.org... 104.236.249.173
Connecting to files.devuan.org|104.236.249.173|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 621 [application/octet-stream]
Saving to: =E2=80=98SHA256SUMS=E2=80=99

SHA256SUMS                  100%[=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D>]     621  --.-KB/s    in 0s     =20

2017-04-23 21:02:38 (9.67 MB/s) - =E2=80=98SHA256SUMS=E2=80=99 saved [621/6=
21]

$ gpg --verify SHA256SUMS.asc SHA256SUMS
gpg: Signature made Sat 22 Apr 2017 09:44:23 CEST
gpg:                using RSA key 73B35DA54ACB7D10
gpg: BAD signature from "Denis Roio (Jaromil) <jaromil@dyne.org>" [unknown]
$ gpg --recv-key 73B35DA54ACB7D10
gpg: key 73B35DA54ACB7D10: "Denis Roio (Jaromil) <jaromil@dyne.org>" not ch=
anged
gpg: Total number processed: 1
gpg:              unchanged: 1
$ grep devuan_jessie_1.0.0-RC_amd64_DVD.iso SHA256SUMS
f4b0fc1fd3c7769055f4b611d8173a6a3be38eced0bcc72c65cc2fefa0914837  devuan_je=
ssie_1.0.0-RC_amd64_DVD.iso
$ grep devuan_jessie_1.0.0-RC_amd64_DVD.iso SHA256SUMS > SHA256SUMS_CHECK
$ cat SHA256SUMS_CHECK
f4b0fc1fd3c7769055f4b611d8173a6a3be38eced0bcc72c65cc2fefa0914837  devuan_je=
ssie_1.0.0-RC_amd64_DVD.iso
$ sha256sum -c SHA256SUMS_CHECK
devuan_jessie_1.0.0-RC_amd64_DVD.iso: OK
$

I've got this trace:

a82af49c5c65aeb83e5cc4b136c38041d44121d029b3b662f7315008d87f30ac  dump_1704=
23_2102_g0n.pcap
f29ee5925bd400168b48cdcfef192be5d5d6ed9c90a80cde6c1a8591371be16d  dump_1704=
23_2102_g0n_SSLKEYLOGFILE.txt

for the above event.

I'll be working on this, whatever be the reason for the BAD sig on that has=
h,
that it be trivial forgetfulness or that it be MiTM deployed, because it is=
 exactly
for reasons like this that I put together my: https://github.com/miroR/unce=
nz

If I don't break, it should be on:

https://www.croatiafidelis.hr/foss/cap/cap-170423-devuan-iso-sig/

(non-existent directory at the time of writing of this email, and it
will be not just a little bit of work...)

What are the reasons that I put together my uncenz? (Which, BTW it would
be great if a real programmer made it something more generally useable,
because my skills are too insufficient...)

E.g. if anybody used my uncenz to record those events that are now
undocumented, and I say they are undocumented because this:

Why I don't want to have P=C3=B6ttersoft on mysystem
https://lists.dyne.org/lurker/message/20170417.151111.69a2f3e0.en.html

is just a say-so, even though by respectable author, that's not verifiably =
reported event...

But if somebody alerted me to record it with my uncenz, it would have
been documented for posterity... (Granted also that I would have been
available in time, which, sadly is just not always the case, I work
terribly slow...)

And if this PGP-signature failing is an attack or if it is a blunder, I
really don't know. But I also don't want anybody to think that my claims
are just mistakes of a user who is that badly incapable, I don't want
that either...

---

Pls., so I can try and start installing Devuan for real, can any of you
developers in charge PGP-sign an answer to this question of mine with
your PGP-key, so I can believe that I got genuine Devuan media? Pls. sign
your answer to the following question:

Is this media:

devuan_jessie_1.0.0-RC_amd64_DVD.iso

=66rom:

https://files.devuan.org/devuan_jessie_rc/

correct if its hash is:

f4b0fc1fd3c7769055f4b611d8173a6a3be38eced0bcc72c65cc2fefa0914837  devuan_je=
ssie_1.0.0-RC_amd64_DVD.iso

?

Thank you!

---
I'm also attaching the SHA256SUMS.asc SHA256SUMS from the new event
futher above (and they are the same ones as in my previous email!, just
this time gotten anew; however, they will be extractable from the trace
once I post it at the already mentioned, at the time of writing
inexistent url on CroatiaFidelis.hr), reported by the paste from my
terminal, and also which network trace, and the effemeral SSL-keys hash
like below:

a82af49c5c65aeb83e5cc4b136c38041d44121d029b3b662f7315008d87f30ac  dump_1704=
23_2102_g0n.pcap
f29ee5925bd400168b48cdcfef192be5d5d6ed9c90a80cde6c1a8591371be16d  dump_1704=
23_2102_g0n_SSLKEYLOGFILE.txt

(
but of course, I'm not attaching those, they will be on:
https://www.croatiafidelis.hr/foss/cap/cap-170423-devuan-iso-sig/
--at the time of writing inexistent--
if I don't break in the meantime, ermh... from mental stress ;-(
)

Thanks again if any of you devs in charge confirm that the SHA256 sum
that I downloaded is correct! And thanks for everybody's patience (of
which more will likely be needed)...

--=20
Miroslav Rovis
Zagreb, Croatia
https://www.CroatiaFidelis.hr

--vtzGhvizbBRQ85DL
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename=SHA256SUMS

39ac1f1cdd007e998a99b6ba083ee230df1178c2675dff06356afd8724829e8c  devuan_jessie_1.0.0-RC_amd64_CD.iso
f4b0fc1fd3c7769055f4b611d8173a6a3be38eced0bcc72c65cc2fefa0914837  devuan_jessie_1.0.0-RC_amd64_DVD.iso
d418998acbae2a7c6a60430c6192e13da7c8ad14da4a63fafe3b08a79621914d  devuan_jessie_1.0.0-RC_amd64_NETINST.iso
0e7b035065f8edb2382c33be399084db75310e24c8202f7eda0f6446d4cee243  devuan_jessie_1.0.0-RC_i386_CD.iso
c8503f5196a2fc5663d277f2e4741fed17028011bbb4cd1fcb1dfc0751036eb1  devuan_jessie_1.0.0-RC_i386_DVD.iso
ac8314c6289542f6dd988290a58f491c267aa7dfd0db98be4d974b70cef5dd4d  devuan_jessie_1.0.0-RC_i386_NETINST.iso

--vtzGhvizbBRQ85DL
Content-Type: application/pgp-encrypted
Content-Disposition: attachment; filename="SHA256SUMS.asc"
Content-Transfer-Encoding: quoted-printable

Version: 1

--vtzGhvizbBRQ85DL--

--EuxKj2iCbKjpUGkD
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEE/PEyRe0kfc5EOFW36piEiE+68K4FAlj9Du4ACgkQ6piEiE+6
8K4XJA/+N5sPyyHW4ZhsDCk5mRFbV3n5wwEud+DnuazXP1EYdMTdTgI5goXzN4JV
NIkYtVRLHVOVnG9h3LxPNQLNZ5YaAURGQ/uV55aqpim4cwZUUca+pSi/CuCni/QG
PfTM2eZ31/MHIR6QqtroYHT4G1xT+qpMjRkCgTHp6mwuuWVycqJB5zoY3/eS9+/+
oLO/Jv6gxOkgYTlcEE56BYq45NjlwOH/XwoGEhG2tqCSXDKGBfXT1zGkH8fEIpce
X5refb0EsOhV7D0Nnmroih92SuOXMkSj6tuizT8gijPXqh7rURuTSg36/nNlLxc0
Q3z50a1SR1HX2uSnsAwbEKV/juykC0k5qfDPoG3d8MkyfKs0cGE9rMUmSCEu6lbx
duue5+EZDOuE25IIz1ILbw1J/5iK+3HIpzeKmmmjl/+2EJC3FbpPo/+M/TbOqa9+
7CwGgqt0/mUr4tRjl0a1RQs5xEaHqNMJUXSVGqiPz5JfZSS4+MpzlD/N51fergsl
8af97PPiWhRk0VP7/E59Vy6kIbIgcy3k74UpMfpEl/1h0Gbrobs8wUn57DkK7syZ
iFIhSyMuIYxvNwPYy4IoV/ezigQ3trKzrhOz5Z21VEQdUQRTu7N74nzUcfL1qgse
CO+WwG+xmQ4kP4P3+K4zKNJzQ0NpYIZiUbbP7L/InbnOJKKtIjg=
=0Suk
-----END PGP SIGNATURE-----

--EuxKj2iCbKjpUGkD--
