kernel.org signer broken?

kernel.org signer broken?

[Jeremy M. Dolan]

The signature on man-pages-1.34.tar.gz is bad:

  gpg: Signature made Sun Dec 24 10:56:01 2000 CST using DSA key ID
       517D0F0E
  gpg: BAD signature from "Linux Kernel Archives Verification Key
       <ftpadmin@kernel.org>"

I retrieved the man pages from ftp.kernel.org and ftp.us.kernel.org
with ftp(1) from NetKit and lftp. The md5sum's of all match:

13d544485d6021e3b0585ad963bfd814  man-pages-1.34.tar.gz
29f314640ef28a47f0ed15247c1efcd7  man-pages-1.34.tar.gz.sign

(transfered the .sign file in both bin and ascii modes, no differance)

Everything else I've gotten recently has had a valid signature;
linux-2.4.0.tar.gz and patch-2.4.1-pre1.gz.

Since man pages can be used as trojans, this may be a problem.

-- 
Jeremy M. Dolan <jmd@turbogeek.org>
OpenPGP key = http://turbogeek.org/openpgp-key
OpenPGP fingerprint = 494C 7A6E 19FB 026A 1F52  E0D5 5C5D 6228 DC43 3DEE
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/

Re: kernel.org signer broken?

[Andries.Brouwer]

> The signature on man-pages-1.34.tar.gz is bad:

Hmm, thought I had corrected that already.
Is it correct now?

Andries
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/

Re: kernel.org signer broken?

[H. Peter Anvin]

Andries.Brouwer@cwi.nl wrote:
> 
> > The signature on man-pages-1.34.tar.gz is bad:
> 
> Hmm, thought I had corrected that already.
> Is it correct now?
> 
> Andries

Because an updated signature has the same timestamp and size, it can take
up to 24 hours for it to hit ftp.kernel.org, and even longer to propagate
to the mirrors, unfortunately.

	-hpa

-- 
<hpa@transmeta.com> at work, <hpa@zytor.com> in private!
"Unix gives you enough rope to shoot yourself in the foot."
http://www.zytor.com/~hpa/puzzle.txt
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/

Re: kernel.org signer broken?

[Matti Aarnio]

On Fri, Jan 12, 2001 at 12:23:48PM -0800, H. Peter Anvin wrote:
> Andries.Brouwer@cwi.nl wrote:
> > > The signature on man-pages-1.34.tar.gz is bad:
> > 
> > Hmm, thought I had corrected that already.
> > Is it correct now?
> > 
> > Andries
> 
> Because an updated signature has the same timestamp and size, it can take
> up to 24 hours for it to hit ftp.kernel.org, and even longer to propagate
> to the mirrors, unfortunately.

	Ok, then rsync  won't find it either unless driven in
	file CRC verification mode (which is not usual...)

	You *must* change its time (e.g. with touch).

> 	-hpa
> -- 
> <hpa@transmeta.com> at work, <hpa@zytor.com> in private!

/Matti Aarnio
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/

Re: kernel.org signer broken?

[H. Peter Anvin]

Matti Aarnio wrote:
> 
> On Fri, Jan 12, 2001 at 12:23:48PM -0800, H. Peter Anvin wrote:
> > Andries.Brouwer@cwi.nl wrote:
> > > > The signature on man-pages-1.34.tar.gz is bad:
> > >
> > > Hmm, thought I had corrected that already.
> > > Is it correct now?
> > >
> > > Andries
> >
> > Because an updated signature has the same timestamp and size, it can take
> > up to 24 hours for it to hit ftp.kernel.org, and even longer to propagate
> > to the mirrors, unfortunately.
> 
>         Ok, then rsync  won't find it either unless driven in
>         file CRC verification mode (which is not usual...)
> 

Right; kernel.org does that once a day.

>         You *must* change its time (e.g. with touch).
> 

Unfortunately, you can't -- because the signer relies on the timestamp to
know if the file it is mirroring has changed.

Probably the best solution is to touch the original file.

	-hpa

-- 
<hpa@transmeta.com> at work, <hpa@zytor.com> in private!
"Unix gives you enough rope to shoot yourself in the foot."
http://www.zytor.com/~hpa/puzzle.txt
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/