Closed luizluca closed 8 months ago
I have 3 different files that should be the same:
75526d9da74a8f56bad86b77275af50d4e30a341207ff78aebd04d8074212fd7 ejabberd-23.10-1.x86_64.rpm
d7d49d2a4300421104d6ad020abc01c028f6388ad30d7b411d3e17745217d6cc ejabberd-23.10-1.x86_64.rpm.1
e0d72c62a0bea8a49851cfbc239a2b034304323ce7d6b8b1236bed073693368e ejabberd-23.10-1.x86_64.rpm.2
The first one was downloaded from https://repo.process-one.net/rpm/ejabberd-23.10-1.x86_64.rpm on Oct 18th, the last time the repo signature matched. The .1 one is from the same URL but today (Oct 25th). And the last one is from https://github.com/processone/ejabberd/releases/download/23.10/ejabberd-23.10-1.x86_64.rpm.
https://www.process-one.net/downloads/downloads-action.php?file=/23.10/ejabberd-23.10-1.x86_64.rpm.sum informs the last hash (.2).
Strangely, all files have the same size (16751412 bytes).
Hello,
Nice find, I can reproduce it easily.
I reworked this server + our deployment scripts a few days ago: there may have been some glitches (I restarted a few times from scratch). I'm still trying to figure things out (#3984). ;)
I completely regenerated the repo this morning and that seems to have corrected the difference you noticed.
LANG=C gpg --verify repomd.xml.asc repomd.xml
gpg: Signature made Thu Oct 26 11:22:37 2023 CEST
gpg: using RSA key 651C08E9330DD31D8D7DF23A6F97DBF7353A8563
gpg: Good signature from "ejabberd <contact@process-one.net>" [ultimate]
I'll keep an eye on the situation for the next releases. Thank you!
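The `gpg --verify` above only covers `repomd.xml`; a package is tied to that signature through a chain of hashes (repomd.xml records the hash of the primary metadata, which records the hash of each RPM). The following is an added example, not part of the thread or of the project's tooling, that walks this chain over constructed in-memory data; the function names and sample bytes are assumptions, and in a real repository the primary file is compressed and the recorded checksum covers the compressed file.

```python
import hashlib
import xml.etree.ElementTree as ET

REPO_NS = {"r": "http://linux.duke.edu/metadata/repo"}
COMMON_NS = {"c": "http://linux.duke.edu/metadata/common"}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def primary_checksum(repomd_xml: bytes) -> str:
    """sha256 that repomd.xml records for the primary metadata file."""
    root = ET.fromstring(repomd_xml)
    node = root.find("r:data[@type='primary']/r:checksum[@type='sha256']", REPO_NS)
    if node is None or not node.text:
        raise ValueError("repomd.xml has no sha256 for primary metadata")
    return node.text.strip()

def package_checksum(primary_xml: bytes, href: str) -> str:
    """sha256 that the primary metadata records for the package at href."""
    root = ET.fromstring(primary_xml)
    for pkg in root.findall("c:package", COMMON_NS):
        loc = pkg.find("c:location", COMMON_NS)
        digest = pkg.find("c:checksum[@type='sha256']", COMMON_NS)
        if loc is not None and loc.get("href") == href and digest is not None:
            return digest.text.strip()
    raise KeyError(href)

def check_package(repomd_xml: bytes, primary_xml: bytes, href: str, rpm: bytes) -> str:
    """Check both links of the chain; repomd.xml itself must already be gpg-verified."""
    if sha256(primary_xml) != primary_checksum(repomd_xml):
        return "primary metadata does not match repomd.xml"
    if sha256(rpm) != package_checksum(primary_xml, href):
        return "package does not match primary metadata"
    return "ok"

# Constructed sample data (not the real repository contents).
NAME = "ejabberd-23.10-1.x86_64.rpm"
RPM_IN_METADATA = b"constructed package bytes, build A"
RPM_ON_SERVER = b"constructed package bytes, build B"  # same size, different content
PRIMARY = (f'<metadata xmlns="http://linux.duke.edu/metadata/common">'
           f'<package type="rpm">'
           f'<checksum type="sha256">{sha256(RPM_IN_METADATA)}</checksum>'
           f'<location href="{NAME}"/></package></metadata>').encode()
REPOMD = (f'<repomd xmlns="http://linux.duke.edu/metadata/repo">'
          f'<data type="primary">'
          f'<checksum type="sha256">{sha256(PRIMARY)}</checksum>'
          f'</data></repomd>').encode()

if __name__ == "__main__":
    print(check_package(REPOMD, PRIMARY, NAME, RPM_IN_METADATA))
    print(check_package(REPOMD, PRIMARY, NAME, RPM_ON_SERVER))
```

A package regenerated on the server without regenerating the metadata fails the second check even when its size is unchanged, which is the symptom reported in this thread.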
Although the RPM signature is OK:
The repomd.xml does not verify, even with key marked as ultimately trusted: