jsha / gpg-download-verifier

Verify various styles of GPG download signatures using TOFU.

Hash mismatch with SHA256SUMS gives misleading error #4

Open jsha opened 9 years ago

jsha commented 9 years ago

Steps to reproduce:

  1. Download a file, plus SHA256SUMS and SHA256SUMS.gpg
  2. Corrupt the file in some way (e.g. truncate it).
  3. Run gpg-download-verifier.

Expected result:

Output indicates "Found file in SHA256SUMS, but hash doesn't match. File may be corrupted."

Actual result:

Didn't find signature file or SHA_SUMS (+SHA_SUMS.asc). Need to download?
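
An added example, not code from gpg-download-verifier: one way to keep the "not listed" and "listed but hash differs" outcomes apart when checking a download against SHA256SUMS, so a truncated file produces the message the report expects. It assumes the signature on SHA256SUMS has already been verified; `Result`, `parse_sums` and `check_file` are hypothetical names, and the sample file is constructed.

```python
import hashlib
import os
import tempfile
from enum import Enum

HEX = set("0123456789abcdef")


class Result(Enum):
    OK = "Hash matches the SHA256SUMS entry."
    MISMATCH = "Found file in SHA256SUMS, but hash doesn't match. File may be corrupted."
    NOT_LISTED = "File is not listed in SHA256SUMS."


def parse_sums(text):
    """Map file name -> digest from sha256sum lines ('<hex>  name' or '<hex> *name')."""
    entries = {}
    for line in text.splitlines():
        digest, _, name = line.strip().partition(" ")
        digest = digest.lower()
        # After the digest, the name is prefixed by ' ' (text mode) or '*' (binary mode).
        if len(digest) == 64 and set(digest) <= HEX and name[:1] in (" ", "*"):
            entries[name[1:]] = digest
    return entries


def check_file(path, sums_text):
    """Check path against SHA256SUMS text (assumed already signature-verified)."""
    expected = parse_sums(sums_text).get(os.path.basename(path))
    if expected is None:
        return Result.NOT_LISTED  # distinct from a listed file whose hash differs
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return Result.OK if h.hexdigest() == expected else Result.MISMATCH


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "image.iso")  # constructed sample download
        data = b"constructed sample data\n" * 1000
        with open(path, "wb") as f:
            f.write(data)
        sums = hashlib.sha256(data).hexdigest() + "  image.iso\n"
        print(check_file(path, sums).value)
        with open(path, "r+b") as f:
            f.truncate(100)  # step 2 of the report: corrupt the file
        print(check_file(path, sums).value)
        print(check_file(path, "").value)
```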