Comment 7 for bug 243630

Michael Vogt (mvo) wrote : Re: Hardy release files contain invalid SHA256 signatures.

It turns out that it is not as easy as this:

$ dd if=/dev/urandom of=foo bs=1 count=270 ; python -c 'import apt_pkg; print apt_pkg.sha256sum(open("foo").read())' ; sha256sum foo
270+0 records in
270+0 records out
270 bytes (270 B) copied, 0,00338191 s, 79,8 kB/s
002cba6fd9622137d286dcc428ed49f225d36d3b44b503db9ac816bf5b2a090e
002cba6fd9622137d286dcc428ed49f225d36d3b44b503db9ac816bf5b2a090e foo

So the content seems to be the key here. And indeed:
$ dd if=/dev/urandom of=foo bs=1k count=270 ; uuencode foo foo > foo2; python -c 'import apt_pkg; print apt_pkg.sha256sum(open("foo2").read())' ; sha256sum foo2
270+0 records in
270+0 records out
276480 bytes (276 kB) copied, 0,133452 s, 2,1 MB/s
ffcb3d53079b45720f3037d01b6adcda78c1df6a41963049d900d910c6e9d7a0
ffcb3d53079b45720f3037d01b6adcda78c1df6a41963049d900d910c6e9d7a0 foo2

is fine, as are the uncompressed sha256 Package files (this is why it went unnoticed for so long).