Date:   Sun, 7 Mar 2021 15:10:49 +0100
From:   Ronald Warsow <rwarsow@....de>
To:     stable@...r.kernel.org
Cc:     linux-kernel@...r.kernel.org
Subject: stable kernel checksumming fails

hello

getting stable kernels with this script:

https://git.kernel.org/pub/scm/linux/kernel/git/mricon/korg-helpers.git/tree/get-verified-tarball


fails since the last 2 (?) stable releases with (last lines):

...

+ /usr/bin/curl -L -o /home/ron/Downloads/linux-tarball-verify.1GiZid5WT.untrusted/linux-5.11.4.tar.xz https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.11.4.tar.xz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  112M  100  112M    0     0  5757k      0  0:00:19  0:00:19 --:--:-- 5938k

pushd ${TMPDIR} >/dev/null
+ pushd /home/ron/Downloads/linux-tarball-verify.1GiZid5WT.untrusted
echo "Verifying checksum on linux-${VER}.tar.xz"
+ echo 'Verifying checksum on linux-5.11.4.tar.xz'
Verifying checksum on linux-5.11.4.tar.xz
if ! ${SHA256SUMBIN} -c ${SHACHECK}; then
     echo "FAILED to verify the downloaded tarball checksum"
     popd >/dev/null
     rm -rf ${TMPDIR}
     exit 1
fi
+ /usr/bin/sha256sum -c /home/ron/Downloads/linux-tarball-verify.1GiZid5WT.untrusted/sha256sums.txt
/usr/bin/sha256sum: /home/ron/Downloads/linux-tarball-verify.1GiZid5WT.untrusted/sha256sums.txt: no properly formatted SHA256 checksum lines found
+ echo 'FAILED to verify the downloaded tarball checksum'
FAILED to verify the downloaded tarball checksum
+ popd
+ rm -rf /home/ron/Downloads/linux-tarball-verify.1GiZid5WT.untrusted
+ exit 1


checksumming the downloaded kernel manually gives an "Okay" though.


is this just me (on Fedora 33) ?


--
regards

Ronald
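
The sha256sum message in the log above means the list passed to -c held no line it could parse, which is a different condition from a hash mismatch. The sketch below is an added example, not part of the original post or of get-verified-tarball; classify_sha256 is a hypothetical helper and the files it checks are constructed in a temporary directory.

```shell
#!/bin/sh
# Hypothetical helper: classify_sha256 LIST FILE prints one word for the outcome
# and returns non-zero for anything except "ok" (fail closed).
classify_sha256() {
    list=$1 file=$2
    name=${file##*/}
    # A missing or zero-length list is one way to get sha256sum's
    # "no properly formatted ... checksum lines found".
    [ -s "$list" ] || { echo empty-list; return 1; }
    # coreutils lines are "<hash>  <name>" or "<hash> *<name>"; take the hash
    # from the first line naming our file (assumes no spaces in the name).
    want=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f) }
                             NF == 2 && f == n { print $1; exit }' "$list")
    [ -n "$want" ] || { echo no-entry; return 1; }
    # The hash field must be exactly 64 hex digits.
    case $want in
        *[!0-9a-fA-F]*) echo malformed-entry; return 1 ;;
    esac
    [ "${#want}" -eq 64 ] || { echo malformed-entry; return 1; }
    have=$(sha256sum "$file" | awk '{ print $1 }')
    if [ "$have" = "$(printf %s "$want" | tr 'A-F' 'a-f')" ]; then
        echo ok
    else
        echo mismatch; return 1
    fi
}

# Constructed demo: a stand-in "tarball" and three checksum lists.
demo() {
    d=$(mktemp -d) || return 1
    printf 'constructed sample data\n' > "$d/linux-0.0.tar.xz"
    ( cd "$d" && sha256sum linux-0.0.tar.xz > good.txt )
    : > "$d/empty.txt"
    printf '%064d  linux-0.0.tar.xz\n' 0 > "$d/wrong.txt"
    for l in good empty wrong; do
        printf '%s: ' "$l"
        classify_sha256 "$d/$l.txt" "$d/linux-0.0.tar.xz" || true
    done
    rm -rf "$d"
}
demo
```

An "empty-list", "no-entry" or "malformed-entry" result points at how the checksum list was fetched or extracted, while "mismatch" points at the tarball itself; in every non-ok case the download stays untrusted.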
