postmodern / ruby-install

Installs Ruby, JRuby, TruffleRuby, or mruby
MIT License

PGP: cannot verify release 0.9.0 #447

Closed konstantindt closed 1 year ago

konstantindt commented 1 year ago

Description

PGP: cannot verify release 0.9.0 using key at https://postmodern.github.io/pgp/.

(Also tried to get key from https://github.com/postmodern.gpg but the export doesn't work.)

Steps To Reproduce

Steps to reproduce the bug: see the README Install section.

Expected Behavior

$ gpg --verify ruby-install-0.9.0.tar.gz.asc ruby-install-0.9.0.tar.gz

exit code to be 0.

Actual Behavior

$ gpg --verify ruby-install-0.9.0.tar.gz.asc ruby-install-0.9.0.tar.gz
gpg: Signature made Mon Jan 30 18:44:58 2023 CST
gpg:                using DSA key 04B2F3EA654140BCC7DA1B5754C3D9E9B9515E77
gpg: BAD signature from "Postmodern Modulus III (Postmodern) <postmodern.mod3@gmail.com>" [unknown]

exit code is 1.

Environment

$ ruby-install --version
NA
$ uname -a
Linux XXX 4.9.0-326-antix.1-amd64-smp #1 SMP PREEMPT Fri Aug 26 21:21:08 EEST 2022 x86_64 GNU/Linux
$ cc --version
cc (Debian 10.2.1-6) 10.2.1 20210110
...
$ openssl version
OpenSSL 1.1.1n  15 Mar 2022
$ gpg --version
gpg (GnuPG) 2.2.27
libgcrypt 1.8.8
...

Home: /home/xxx/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
$ gpg --list-keys
/home/xxx/.gnupg/pubring.kbx
-------------------------------------
pub   dsa1024 2009-09-18 [SCA]
      04B2F3EA654140BCC7DA1B5754C3D9E9B9515E77
uid           [ unknown] Postmodern Modulus III (Postmodern) <postmodern.mod3@gmail.com>
sub   elg4096 2009-09-18 [E]

postmodern commented 1 year ago

What does gpg --fingerprint 0xB9515E77 output and what is the contents of ruby-install-0.9.0.tar.gz.asc?

konstantindt commented 1 year ago

$ gpg --fingerprint 0xB9515E77
pub   dsa1024 2009-09-18 [SCA]
      04B2 F3EA 6541 40BC C7DA  1B57 54C3 D9E9 B951 5E77
uid           [ unknown] Postmodern Modulus III (Postmodern) <postmodern.mod3@gmail.com>
sub   elg4096 2009-09-18 [E]

$ cat ruby-install-0.9.0.tar.gz.asc
-----BEGIN PGP SIGNATURE-----

iF0EABECAB0WIQQEsvPqZUFAvMfaG1dUw9npuVFedwUCY9hkigAKCRBUw9npuVFe
dy0CAJ48Q4nNCuXAfiM1Ig11XRhXEw/uWgCbBViRxK0y1gM29a+z93YYWUX61HQ=
=gd7+
-----END PGP SIGNATURE-----

postmodern commented 1 year ago

@konstantindt the fingerprint and .asc match what I have. That means the ruby-install-0.9.0.tar.gz file must have been corrupted or not fully downloaded? Here are the checksums I have for ruby-install-0.9.0.tar.gz:

postmodern commented 1 year ago

@konstantindt OK this is weird. I re-downloaded ruby-install-0.9.0.tar.gz from GitHub and it's not the same file. I extracted both my original download of ruby-install-0.9.0.tar.gz, which the PGP .asc signature file was generated from, and the newly downloaded version but there's no difference in any of the files. I assume GitHub repacked the tar archives or something?

postmodern commented 1 year ago

Confirmed that something is different in the GZip compression of the .tar.gz files, but the .tar archives are unchanged.

$ wget -O ruby-install-0.9.0.tar.gz https://github.com/postmodern/ruby-install/archive/v0.9.0.tar.gz
--2023-04-19 15:45:36--  https://github.com/postmodern/ruby-install/archive/v0.9.0.tar.gz
Resolving github.com (github.com)... 192.30.255.112
Connecting to github.com (github.com)|192.30.255.112|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://codeload.github.com/postmodern/ruby-install/tar.gz/refs/tags/v0.9.0 [following]
--2023-04-19 15:45:36--  https://codeload.github.com/postmodern/ruby-install/tar.gz/refs/tags/v0.9.0
Resolving codeload.github.com (codeload.github.com)... 192.30.255.120
Connecting to codeload.github.com (codeload.github.com)|192.30.255.120|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [application/x-gzip]
Saving to: ‘ruby-install-0.9.0.tar.gz’

ruby-install-0.9.0.tar     [ <=>                        ]  33.73K  --.-KB/s    in 0.02s   

2023-04-19 15:45:36 (1.64 MB/s) - ‘ruby-install-0.9.0.tar.gz’ saved [34536]

$ mv ruby-install-0.9.0.tar.gz new-ruby-install-0.9.0.tar.gz
$ cp /path/to/ruby-install/pkg/ruby-install-0.9.0.tar.gz orig-ruby-install-0.9.0.tar.gz
$ cmp orig-ruby-install-0.9.0.tar.gz new-ruby-install-0.9.0.tar.gz 
orig-ruby-install-0.9.0.tar.gz new-ruby-install-0.9.0.tar.gz differ: byte 12, line 1
$ gunzip --keep orig-ruby-install-0.9.0.tar.gz 
$ gunzip --keep new-ruby-install-0.9.0.tar.gz 
$ cmp orig-ruby-install-0.9.0.tar new-ruby-install-0.9.0.tar
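The diagnosis above (signature bad, .tar.gz bytes differ, decompressed .tar identical) can be scripted so a failed verification is classified rather than just reported. This is an added example, not code from the ruby-install project; it assumes gzip, cmp, tar and gpg are on PATH and that the file names are the caller's.

```shell
#!/bin/sh
# Added example, not code from the ruby-install project. It automates the
# diagnosis done in this thread: when gpg rejects a downloaded .tar.gz, check
# whether only the gzip wrapper differs from a reference copy while the .tar
# payload inside is byte-identical (re-packed archive) or the contents differ.
# Assumes gzip, cmp, tar and (for verify_release) gpg are on PATH.

# same_tar_payload ORIG NEW: 0 if both decompress to identical bytes, 1 if not,
# 2 if either file is not valid gzip.
same_tar_payload() {
    tmp=$(mktemp -d) || return 2
    gzip -dc "$1" > "$tmp/a.tar" 2>/dev/null || { rm -rf "$tmp"; return 2; }
    gzip -dc "$2" > "$tmp/b.tar" 2>/dev/null || { rm -rf "$tmp"; return 2; }
    if cmp -s "$tmp/a.tar" "$tmp/b.tar"; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}

# verify_release SIG TARBALL [REFERENCE]: gpg verification first; on failure,
# compare the tar payload against a reference copy to explain the mismatch.
# Always returns non-zero when the signature is bad: a changed wrapper is an
# explanation, not a reason to trust the file.
verify_release() {
    if gpg --verify "$1" "$2"; then
        echo "OK: good signature on $2"; return 0
    fi
    if [ -n "$3" ] && same_tar_payload "$3" "$2"; then
        echo "BAD signature: gzip wrapper changed, .tar payload matches reference"
    else
        echo "BAD signature: payload differs or no reference; do not install"
    fi
    return 1
}

# demo: constructed fixtures. One tar compressed twice with different gzip
# headers (-n drops name/mtime) must compare equal; a tar with changed content
# must not. Returns 0 only if both checks behave as expected.
demo() {
    d=$(mktemp -d)
    printf 'release v0.9.0\n' > "$d/f"; tar -cf "$d/orig.tar" -C "$d" f
    gzip -n -c "$d/orig.tar" > "$d/orig.tar.gz"
    gzip -c "$d/orig.tar" > "$d/repacked.tar.gz"
    printf 'tampered\n' > "$d/f"; tar -cf "$d/other.tar" -C "$d" f
    gzip -n -c "$d/other.tar" > "$d/other.tar.gz"
    if same_tar_payload "$d/orig.tar.gz" "$d/repacked.tar.gz"; then a=0; else a=1; fi
    if same_tar_payload "$d/orig.tar.gz" "$d/other.tar.gz"; then b=0; else b=1; fi
    rm -rf "$d"
    [ "$a" -eq 0 ] && [ "$b" -eq 1 ]
}
```

Run `verify_release ruby-install-0.9.0.tar.gz.asc ruby-install-0.9.0.tar.gz orig-ruby-install-0.9.0.tar.gz` to reproduce the classification; `demo` exercises the comparison on constructed files only.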

konstantindt commented 1 year ago

GET https://codeload.github.com/postmodern/ruby-install/tar.gz/refs/tags/v0.9.0

returns

302 Found ... Location: https://codeload.github.com/postmodern/ruby-install/tar.gz/refs/tags/v0.9.0 ...

and the redirect URL, *codeload*tar.gz/refs/*, sounds like a package command rather than a direct download.

postmodern commented 1 year ago

Looks like this is a known issue, which oddly was reported on the same day I released 0.9.0:

I guess I could manually upload all of the .tar.gz and .tar.gz.asc files I have on disk as GitHub Releases.

postmodern commented 1 year ago

Done. I updated the README instructions to use the GitHub Release URL, to which I manually uploaded both the original .tar.gz and the .tar.gz.asc.