SHA256 file lists wrong hash for the file libressl.asc #1094
Comments
|
On Tue, Sep 10, 2024 at 06:51:34AM -0700, jb-wisemo wrote:
In the portable release download directory https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/, there is an SHA256 file helpfully providing hashes of most other files. Unfortunately, the hash of libressl.asc as downloaded by me doesn't match the hash of libressl.asc in the SHA256 as downloaded by me.
To me this indicates one of 3 problems:
A: Someone at the project failed to keep the files in sync with each other.
B: Someone nefarious changed the libressl.asc file to a fraudulent signing key.
C: Someone nefarious changed the SHA256 file to force this problem as part of some larger attack plan.
Since you downloaded the file from https, you can be pretty sure it's A...
@busterb I suggest we fix this when we release 4.0.0. Please place the
libressl.asc in the dir with the other artefacts for me to sign.
P.S., the SHA256 file seems to not list hashes for the *.tar.gz.asc files, which supposedly won't change unless some future security issue requires resigning all old releases with a new key or tool ONCE.
The SHA256 file is there mostly for generating the SHA256.sig, which is
used by an obscure OpenBSD specific tool. It doesn't make much sense to
include the GPG signature files there (libressl.asc is special).
P.P.S., the SHA256 file format is nonstandard, but converting to standard md5sum/sha256sum format is a one line script and changing the official file would probably mess up some obscure OpenBSD specific tools, so just keep the nonstandard format for now.
No need for a one liner. sha256sum -c understands this file format.
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
In the portable release download directory https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/, there is an SHA256 file helpfully providing hashes of most other files. Unfortunately, the hash of libressl.asc as downloaded by me doesn't match the hash of libressl.asc in the SHA256 as downloaded by me.
To me this indicates one of 3 problems:
A: Someone at the project failed to keep the files in sync with each other.
B: Someone nefarious changed the libressl.asc file to a fraudulent signing key.
C: Someone nefarious changed the SHA256 file to force this problem as part of some larger attack plan.
P.S., the SHA256 file seems to not list hashes for the *.tar.gz.asc files, which supposedly won't change unless some future security issue requires resigning all old releases with a new key or tool ONCE.
P.P.S., the SHA256 file format is nonstandard, but converting to standard md5sum/sha256sum format is a one line script and changing the official file would probably mess up some obscure OpenBSD specific tools, so just keep the nonstandard format for now.
The text was updated successfully, but these errors were encountered: