kpcyrd / pacman-bintrans

Experimental pacman integration for Reproducible Builds and Binary Transparency (with sigstore/rekor)
GNU General Public License v3.0

Signature verification failed #12

Closed: nerd36 closed this 2 years ago

nerd36 commented 3 years ago

# pacman -S qt5-base
warning: qt5-base-5.15.2+kde+r237-1 is up to date -- reinstalling
resolving dependencies...
looking for conflicting packages...

Packages (1) qt5-base-5.15.2+kde+r237-1

Total Installed Size:  65.15 MiB
Net Upgrade Size:       0.00 MiB

:: Proceed with installation? [Y/n] 
:: Retrieving packages...
[2021-11-14T03:12:51Z INFO  pacman_bintrans] Transparency proof is required for "https://manjaro.lucassymons.net/stable/extra/x86_64/qt5-base-5.15.2+kde+r237-1-x86_64.pkg.tar.zst", downloading into memory
[2021-11-14T03:13:05Z INFO  pacman_bintrans::proof] Trying to download transparency proof from "https://pacman-bintrans.vulns.xyz/sigs/qt5-base-5.15.2+kde+r237-1-x86_64.pkg.tar.zst.t"
[2021-11-14T03:13:07Z INFO  pacman_bintrans::proof] Calculating sha256sum for 18924753 bytes
[2021-11-14T03:13:07Z INFO  pacman_bintrans::proof] Verifying transparency signature
Error: Signature verification failed
kpcyrd commented 2 years ago

Hi, the package that's distributed by Manjaro is not the same as the package distributed by Arch Linux; that's why the signature verification is failing:

$ diff <(tar xfO arch/qt5-base-5.15.2+kde+r237-1-x86_64.pkg.tar.zst .BUILDINFO) <(tar xfO manjaro/qt5-base-5.15.2+kde+r237-1-x86_64.pkg.tar.zst .BUILDINFO)
6,8c6,8
< pkgbuild_sha256sum = 4d045baa57efbcbe1f007d1ebb758d0bb1731232809bbd7e4cfafff89f880cab
< packager = Antonio Rojas <arojas@archlinux.org>
< builddate = 1633535752
---
> pkgbuild_sha256sum = 46c66136ae68376401ef345176790503c6aed810d9920ebdd842762f5ccdc4d9
> packager = Mark Wagie <mark@manjaro.org>
> builddate = 1633542054
10c10
< startdir = /startdir
---
> startdir = /build/qt5-base
25a26
> options = !lto
42c43,44
< installed = bash-5.1.008-1-x86_64
---
> installed = bash-5.1.008-3-x86_64
> installed = bashrc-manjaro-5.1.008-3-any
70c72
< installed = filesystem-2021.05.31-1-x86_64
---
> installed = filesystem-2021.01.19-1-x86_64
222a225
> installed = manjaro-keyring-20210910-2-any
239c242
< installed = pacman-mirrorlist-20210822-1-any
---
> installed = pacman-mirrors-4.21.5-1-any
256a260,265
> installed = python-certifi-2020.12.5-1-any
> installed = python-chardet-4.0.0-2-any
> installed = python-idna-3.2-1-any
> installed = python-npyscreen-4.10.5-5-any
> installed = python-requests-2.26.0-1-any
> installed = python-urllib3-1.26.6-1-any

The binaries also differ, but the full diff for the package is unfortunately too long to share.

% diffoscope arch/qt5-base-5.15.2+kde+r237-1-x86_64.pkg.tar.zst manjaro/qt5-base-5.15.2+kde+r237-1-x86_64.pkg.tar.zst | tee diff.log
[...]
% ls -la diff.log 
.rw-r--r-- 608M user user 16 Nov 14:52 diff.log