Apt and Soyuz generating release files with invalid SHA256 signatures
Bug #243630 reported by Ryan Hass
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Launchpad itself | Fix Released | High | Celso Providelo |
apt (Ubuntu) | Fix Released | Critical | Michael Vogt |
Bug Description
The following are just two examples of the errors in the Release file.
http://
40d48bc44164c1
baa89858c7e545
Actual:
$ sha256sum main/binary-
0d9685d8353341e
5b906ae167349ec
Changed in soyuz: | |
assignee: | nobody → cprov |
importance: | Undecided → High |
milestone: | none → 1.99 |
status: | New → Confirmed |
Changed in soyuz: | |
milestone: | 1.99 → none |
Changed in soyuz: | |
status: | Confirmed → In Progress |
Changed in soyuz: | |
milestone: | none → 2.1.9 |
status: | In Progress → Confirmed |
Changed in soyuz: | |
status: | Confirmed → In Progress |
Changed in soyuz: | |
status: | Fix Committed → Fix Released |
tags: | added: tech-debt |
I tested this out to confirm Ryan's findings:
I downloaded http://archive.ubuntu.com/ubuntu/dists/hardy/Release and http://archive.ubuntu.com/ubuntu/dists/hardy/main/binary-amd64/Packages.gz
"md5sum Packages.gz" matches the md5sum data in the Release file. "sha256sum Packages.gz" does NOT match. These are the correct files, but the sha256 hashes do not appear to be being generated correctly.
This is using versions 6.10 of both md5sum and sha256sum, and Release and Packages.gz downloaded from archive.ubuntu.com at 14:51 PDT today.
(Full disclosure: Ryan and I work for the same organization.)
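The check described in the comment above, as an added example (not part of the bug report and not apt or Launchpad code): it parses the checksum fields of a Release file and compares each one against a downloaded index, so a file that matches MD5Sum but not SHA256 shows up as a per-algorithm disagreement. The Release text and the Packages.gz bytes are constructed stand-ins, and the function names are hypothetical.

```python
import hashlib

# Release checksum field name -> hashlib algorithm name
ALGOS = {"MD5Sum": "md5", "SHA1": "sha1", "SHA256": "sha256"}

def parse_release(text):
    """Return {field: {path: (hexdigest, size)}} for the checksum fields."""
    sections, current = {}, None
    for line in text.splitlines():
        if line[:1] in (" ", "\t"):      # continuation line of the current field
            if current in ALGOS:
                digest, size, path = line.split()
                sections[current][path] = (digest.lower(), int(size))
        else:                            # new "Field: value" header
            current = line.split(":", 1)[0]
            if current in ALGOS:
                sections[current] = {}
    return sections

def check_index(release_text, path, data):
    """Compare data with every checksum listed for path; return {field: status}."""
    results = {}
    for field, entries in parse_release(release_text).items():
        if path not in entries:
            results[field] = "missing"
            continue
        digest, size = entries[path]
        actual = hashlib.new(ALGOS[field], data).hexdigest()
        if len(data) != size:
            results[field] = "size mismatch"
        elif actual != digest:
            results[field] = "MISMATCH"
        else:
            results[field] = "ok"
    return results

def build_sample():
    """Constructed Release text whose MD5Sum entry is right and SHA256 entry is wrong."""
    path = "main/binary-amd64/Packages.gz"
    data = b"constructed stand-in for Packages.gz contents\n"
    wrong = hashlib.sha256(b"different bytes").hexdigest()
    release = ("Origin: Example\nSuite: example\n"
               "MD5Sum:\n %s %d %s\n"
               "SHA256:\n %s %d %s\n") % (
        hashlib.md5(data).hexdigest(), len(data), path, wrong, len(data), path)
    return release, path, data

if __name__ == "__main__":
    release, path, data = build_sample()
    for field, status in check_index(release, path, data).items():
        print(field, status)
```

Reporting every listed algorithm separately matters here: a client that verifies only one field would not see that the fields disagree.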