processone / ejabberd

Robust, Ubiquitous and Massively Scalable Messaging Platform (XMPP, MQTT, SIP Server)
https://www.process-one.net/en/ejabberd/

Official repo signature seems to be broken #4111

Closed luizluca closed 8 months ago

luizluca commented 8 months ago

Although the RPM signature is OK:

$ rpm -K ejabberd-23.10-1.x86_64.rpm 
ejabberd-23.10-1.x86_64.rpm: digests signatures OK

The repomd.xml does not verify, even with key marked as ultimately trusted:

$ md5sum repomd.xml repomd.xml.asc
484b8089fb32bd3ea438bcddcb4dd0f5  repomd.xml
9bb5f480e171e497ca2e481c691c1357  repomd.xml.asc
$ LANG=C gpg2 --verify repomd.xml.asc repomd.xml  
gpg: Signature made Tue Oct 24 12:19:25 2023 -03
gpg:                using RSA key 651C08E9330DD31D8D7DF23A6F97DBF7353A8563
gpg: BAD signature from "ejabberd <contact@process-one.net>" [ultimate]

luizluca commented 8 months ago

I have 3 different files that should be the same:

75526d9da74a8f56bad86b77275af50d4e30a341207ff78aebd04d8074212fd7  ejabberd-23.10-1.x86_64.rpm
d7d49d2a4300421104d6ad020abc01c028f6388ad30d7b411d3e17745217d6cc  ejabberd-23.10-1.x86_64.rpm.1
e0d72c62a0bea8a49851cfbc239a2b034304323ce7d6b8b1236bed073693368e  ejabberd-23.10-1.x86_64.rpm.2

The first one was downloaded from https://repo.process-one.net/rpm/ejabberd-23.10-1.x86_64.rpm on Oct 18th, the last time the repo signature matched. The .1 one is from the same URL but today (Oct 25th). And the last one is from https://github.com/processone/ejabberd/releases/download/23.10/ejabberd-23.10-1.x86_64.rpm

https://www.process-one.net/downloads/downloads-action.php?file=/23.10/ejabberd-23.10-1.x86_64.rpm.sum reports the last hash (.2).

Strangely, all files have the same size (16751412 bytes).
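As an added example (not from the issue thread or the ejabberd project), a Python check that automates what luizluca did by hand above: parse a vendor's sha256sum-style `.sum` file, hash each downloaded copy, and flag copies that share a size but not a digest. The file names, contents and `.sum` line in `demo()` are constructed, not the real ejabberd values.

```python
import hashlib, os, tempfile

def parse_sum_file(text):
    """Parse sha256sum-style lines ('<hex>  <name>') into {basename: hex}."""
    expected = {}
    for line in filter(None, (l.strip() for l in text.splitlines())):
        digest, _, name = line.partition("  ")  # coreutils separates with two spaces
        if len(digest) != 64:
            raise ValueError(f"malformed sha256 line: {line!r}")
        expected[os.path.basename(name.lstrip("*"))] = digest.lower()
    return expected

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def audit_copies(paths, expected):
    """Per copy: size, sha256 and whether it matches the published digest."""
    report = {}
    for path in paths:
        base = os.path.basename(path)
        # wget/curl name repeated downloads 'x.rpm.1', 'x.rpm.2'; map back to 'x.rpm'
        stem, _, suffix = base.rpartition(".")
        artifact = stem if suffix.isdigit() else base
        digest = sha256_file(path)
        report[base] = {"size": os.path.getsize(path), "sha256": digest,
                        "matches_published": expected.get(artifact) == digest}
    return report

def same_size_different_content(report):
    """Copies sharing a size with a copy of different content (the issue's symptom)."""
    digests_by_size = {}
    for r in report.values():
        digests_by_size.setdefault(r["size"], set()).add(r["sha256"])
    return sorted(n for n, r in report.items() if len(digests_by_size[r["size"]]) > 1)

def demo():
    """Constructed sample: three equal-size blobs, only '.2' matching the .sum file."""
    tmp = tempfile.mkdtemp()
    blobs = {"pkg.rpm": b"A" * 32, "pkg.rpm.1": b"B" * 32, "pkg.rpm.2": b"C" * 32}
    for name, data in blobs.items():
        with open(os.path.join(tmp, name), "wb") as f:
            f.write(data)
    published = parse_sum_file(hashlib.sha256(b"C" * 32).hexdigest() + "  pkg.rpm\n")
    report = audit_copies([os.path.join(tmp, n) for n in blobs], published)
    return report, same_size_different_content(report)
```

Equal sizes say nothing about equal content; only the digest comparison against the vendor's published value does.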

Metalhearf commented 8 months ago

Hello,

Nice find, I can reproduce it easily.

I reworked this server + our deployment scripts a few days ago: there may have been some glitches (I restarted a few times from scratch). I'm still trying to figure things out (#3984). ;)

I completely regenerated the repo this morning and that seems to have corrected the difference you noticed.

LANG=C gpg --verify repomd.xml.asc repomd.xml  
gpg: Signature made Thu Oct 26 11:22:37 2023 CEST
gpg:                using RSA key 651C08E9330DD31D8D7DF23A6F97DBF7353A8563
gpg: Good signature from "ejabberd <contact@process-one.net>" [ultimate]

I'll keep an eye on the situation for the next releases. Thank you!