ivpn / desktop-app

Official IVPN Desktop app
https://www.ivpn.net/apps/
GNU General Public License v3.0

Invalid signature & SHA256 mismatch of 3.14.14 #382

Closed pwn-all closed 2 months ago

pwn-all commented 5 months ago

Bug report

Describe your environment

Describe the problem

The update file signature is not valid and the SHA256 hash does not match.

Steps to reproduce:

  1. Previously installed by official instruction (https://www.ivpn.net/knowledgebase/linux/fedora-silverblue/)
  2. Try to update the app

Observed Results:

error: importing RPMs: package ivpn-ui-3.14.14-1.x86_64 cannot be verified and repo ivpn-stable is GPG enabled: /var/cache/rpm-ostree/repomd/ivpn-stable-40-x86_64/packages/ivpn-ui-3.14.14-1.x86_64.rpm could not be verified. /var/cache/rpm-ostree/repomd/ivpn-stable-40-x86_64/packages/ivpn-ui-3.14.14-1.x86_64.rpm: DIGEST: SIGNATURE: NOT OK

$ sha256sum /var/cache/rpm-ostree/repomd/ivpn-stable-40-x86_64/packages/ivpn-ui-3.14.14-1.x86_64.rpm
d2598298369c4d766d60e878bf48b2fa2a9ae5daae7b363561cb627bf9774aeb /var/cache/rpm-ostree/repomd/ivpn-stable-40-x86_64/packages/ivpn-ui-3.14.14-1.x86_64.rpm

Expected Results:

Normal update

stenya commented 2 months ago

I suppose this is because the RPM repository uses SHA1 hashes, which are not allowed by some modern distributions. Related ticket: https://github.com/ivpn/desktop-app/issues/390

stenya commented 2 months ago

v3.14.17

gorkapernas commented 2 months ago

Tested the update from v3.14.14 to v3.14.17 on Fedora Silverblue 40, no issues found. See https://github.com/ivpn/desktop-app/issues/390 for further details.

stenya commented 2 months ago

The RPM repository now uses the SHA-256 hash algorithm.
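
The thread attributes the failure to SHA1 hashes in the RPM repository and closes once the repository moved to SHA-256. The following is an added example, not code from the IVPN project, showing one way to audit which checksum algorithms a repository declares in its `repomd.xml`. It assumes the "SHA1 hashes" are the checksum types in the repository metadata (the thread does not say which layer was affected; the digest used inside a package signature is a separate check), and the sample metadata is constructed.

```python
"""Audit the checksum algorithms a yum/dnf repository declares in repomd.xml."""
import xml.etree.ElementTree as ET

REPO_NS = "{http://linux.duke.edu/metadata/repo}"
# "sha" is the legacy createrepo spelling of SHA-1.
WEAK = {"md5", "sha", "sha1"}

# Constructed sample metadata; the digest values are placeholders.
SAMPLE_REPOMD = """<repomd xmlns="http://linux.duke.edu/metadata/repo">
  <data type="primary">
    <checksum type="sha">PLACEHOLDER</checksum>
    <open-checksum type="sha">PLACEHOLDER</open-checksum>
    <location href="repodata/primary.xml.gz"/>
  </data>
  <data type="filelists">
    <checksum type="sha256">PLACEHOLDER</checksum>
    <open-checksum type="sha256">PLACEHOLDER</open-checksum>
    <location href="repodata/filelists.xml.gz"/>
  </data>
</repomd>
"""


def audit_repomd(xml_text):
    """Return (data_type, element, algorithm) for every weak checksum declared."""
    findings = []
    # For metadata fetched from an untrusted mirror, parse with a hardened
    # parser such as defusedxml instead of the stdlib one.
    root = ET.fromstring(xml_text)
    for data in root.iter(REPO_NS + "data"):
        for tag in ("checksum", "open-checksum"):
            node = data.find(REPO_NS + tag)
            if node is None:
                continue
            algo = (node.get("type") or "").lower()
            if algo in WEAK:
                findings.append((data.get("type"), tag, algo))
    return findings


if __name__ == "__main__":
    for data_type, tag, algo in audit_repomd(SAMPLE_REPOMD):
        print(f"{data_type}: <{tag}> declares weak algorithm {algo}")
```
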