VHD files are newer than signed SHA256 checksums
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
cloud-images |
Confirmed
|
Undecided
|
Unassigned |
Bug Description
Hello
at https:/
the Azure/Hyper-V VHD ZIP file looks newer than the checksum files...
currently the checksums have timestamps of:
[ ] SHA256SUMS.gpg 22-Mar-2019 01:55 836
[ ] SHA256SUMS 22-Mar-2019 01:55 3.3K
[ ] SHA1SUMS.gpg 22-Mar-2019 01:53 836
[ ] SHA1SUMS 22-Mar-2019 01:53 2.6K
[ ] MD5SUMS.gpg 22-Mar-2019 01:50 836
[ ] MD5SUMS 22-Mar-2019 01:50 2.3K
but the vhd.zip file has a timestamp of:
[ ] cosmic-
why is the VHD file newer than the checksums? why was it modified after the checksums were signed?
and also, why are the VHD files not included in the signed MD5/SHA1/SHA256 checksums?
That last line is related to this old bug from 2017...
https:/
which seems to be still around, even if it was marked as "Fix Released" back then, it looks to me that it's a bug regression.
information type: | Private Security → Public Security |
update: i see the same type of checksum-related bug for Ubuntu Disco Dingo: the Hyper-V VHD images are newer than the checksums and are not listed inside the signed checksums themselves:
at https:/ /cloud- images. ubuntu. com/disco/ current/ ?C=M;O= D
[ ] disco-server-
[ ] SHA256SUMS.gpg 25-Mar-2019 09:41 836
[ ] SHA256SUMS 25-Mar-2019 09:41 3.3K
[ ] SHA1SUMS.gpg 25-Mar-2019 09:38 836
[ ] SHA1SUMS 25-Mar-2019 09:38 2.5K
[ ] MD5SUMS.gpg 25-Mar-2019 09:35 836
[ ] MD5SUMS 25-Mar-2019 09:35 2.3K