Opened 4 years ago

Closed 4 years ago

#1405 closed defect (fixed)

Corrupt I2P 0.9.16 Source Archive on Sigterm.no mirror

Reported by: somewon Owned by:
Priority: major Milestone: 0.9.16
Component: www/i2p Version:
Keywords: Cc:
Parent Tickets:

Description

Seems like the upload of i2psource_0.9.16.tar.bz2 to sigterm.no got corrupted - GPG sig check fails and sha256sum doesn't match the one listed. Using another mirror works as expected.

Tested with multiple downloads via (presumably) multiple Tor exit nodes. File is consistent each time (sha256sum ecf74f36440d02ffe810e9f650adc0dcd959616899d8fc6fe372d5148af0398a) and always different from the sig and posted sha256sum.

Subtickets

Change History (1)

comment:1 in reply to: ↑ description Changed 4 years ago by killyourtv

  • Priority changed from minor to major
  • Resolution set to fixed
  • Status changed from new to closed

Replying to somewon:

Seems like the upload of i2psource_0.9.16.tar.bz2 to sigterm.no got corrupted - GPG sig check fails and sha256sum doesn't match the one listed. Using another mirror works as expected.

(I have been granted access to the box in question..woo)

I confirmed your findings. Thank you for reporting.

kytv@i2ptorgw:/var/www/i2pdownload/releases/0.9.16$ gpg --verify i2psource_0.9.16.tar.bz2.sig 
gpg: Signature made Sat Nov  1 19:04:08 2014 UTC using RSA key ID 59683006
gpg: BAD signature from "zzz on i2p (key signing) <zzz@mail.i2p>"

It is now fixed.

Since I've got rights to add files to the server, this shouldn't happen again.

Note: See TracTickets for help on using tickets.