Closed remicollet closed 1 year ago
Thank you @remicollet for the report!
@maxirmx could you please help address this issue? This is urgent. Thanks!
This is caused by the git submodule for sexp, which is not included in GitHub's automatic release snapshot. I uploaded archives with all sources, waiting for the signatures upload.
@ni4 looking at https://github.com/rnpgp/rnp/releases/tag/v0.17.0
Indeed, I see new files uploaded a few minutes ago..., but
Archive name seems strange: rnp-0.17.0.tar.gz
=> rnp-v0.17.0.tar.gz
And content seems very very strange, top directory name: rnp-0.17.0
=> rnp0-0.17.0-Source
$ tar tf rnp-0.17.0.tar.gz | head -n3
rnp-0.17.0/
rnp-0.17.0/.cirrus.yml
rnp-0.17.0/.clang-format
$ tar tf rnp-v0.17.0.tar.gz | head -n3
rnp0-0.17.0-Source/LICENSE.md
rnp0-0.17.0-Source/flake.lock
rnp0-0.17.0-Source/CMakeLists.txt
@remicollet Ahh, thanks for pointing at this. I uploaded those files, using output of CPack. Missed that it has inner folder structure. Will re-upload.
Re-uploaded; updated signatures should be added soon as well. The issue here is that GitHub doesn't include Git submodules in automatically generated snapshots, so the full package should be added manually or via CI/CD. This is where the naming difference came from.
New files have libsexp missing again
Signature not updated (after 14h)
So archive is unusable :(
Hi, @remicollet
New file has libsexp
in /rnp-v0.17.0/src/libsexp
It looks usable (when signature is updated)
[maxirmx@MSS-WS-N Projects]$ tar xf rnp-0.17.0.tar.gz
[maxirmx@MSS-WS-N Projects]$ cd rnp-v0.17.0
[maxirmx@MSS-WS-N rnp-v0.17.0]$ cmake -B build -DBUILD_SHARED_LIBS=ON -DBUILD_TESTING=OFF
-- Found version.txt with 0.17.0
-- Found Git: /usr/bin/git (found version "2.39.1")
-- Found no annotated tags.
-- RNP_VERSION: 0.17.0
-- RNP_VERSION_NCOMMITS: 0
-- RNP_VERSION_GIT_REV: 0
-- RNP_VERSION_IS_DIRTY: FALSE
-- RNP_VERSION_COMMIT_TIMESTAMP: 0
-- RNP_VERSION_SUFFIX:
-- RNP_VERSION_FULL: 0.17.0
-- The C compiler identification is GNU 4.8.5
-- The CXX compiler identification is GNU 4.8.5
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - done
-- Check for working C compiler: /usr/bin/cc - skipped
-- Detecting C compile features
-- Detecting C compile features - done
-- Detecting CXX compiler ABI info
-- Detecting CXX compiler ABI info - done
-- Check for working CXX compiler: /usr/bin/c++ - skipped
-- Detecting CXX compile features
-- Detecting CXX compile features - done
-- Found version.txt with 0.8.2
-- Found no annotated tags.
-- SEXP_VERSION: 0.8.2
-- SEXP_VERSION_NCOMMITS: 0
-- SEXP_VERSION_GIT_REV: 0
-- SEXP_VERSION_IS_DIRTY: FALSE
-- SEXP_VERSION_COMMIT_TIMESTAMP: 0
-- SEXP_VERSION_SUFFIX:
-- SEXP_VERSION_FULL: 0.8.2
-- Building Release configuration
-- Found BZip2: /usr/lib64/libbz2.so (found version "1.0.6")
-- Looking for BZ2_bzCompressInit
-- Looking for BZ2_bzCompressInit - found
-- Found ZLIB: /usr/lib64/libz.so (found version "1.2.7")
-- Found JSON-C: /usr/lib64/libjson-c.so (found suitable version "0.11", minimum required is "0.11")
-- Found Botan2: /usr/lib64/libbotan-2.so (found suitable version "2.16.0", minimum required is "2.14.0")
-- Looking for C++ include fcntl.h
-- Looking for C++ include fcntl.h - found
-- Looking for C++ include inttypes.h
-- Looking for C++ include inttypes.h - found
-- Looking for C++ include limits.h
-- Looking for C++ include limits.h - found
-- Looking for C++ include stdint.h
-- Looking for C++ include stdint.h - found
-- Looking for C++ include string.h
-- Looking for C++ include string.h - found
-- Looking for C++ include sys/cdefs.h
-- Looking for C++ include sys/cdefs.h - found
-- Looking for C++ include sys/cdefs.h
-- Looking for C++ include sys/cdefs.h - found
-- Looking for C++ include sys/resource.h
-- Looking for C++ include sys/resource.h - found
-- Looking for C++ include sys/stat.h
-- Looking for C++ include sys/stat.h - found
-- Looking for C++ include sys/types.h
-- Looking for C++ include sys/types.h - found
-- Looking for C++ include sys/param.h
-- Looking for C++ include sys/param.h - found
-- Looking for C++ include unistd.h
-- Looking for C++ include unistd.h - found
-- Looking for C++ include sys/wait.h
-- Looking for C++ include sys/wait.h - found
-- Looking for mkdtemp
-- Looking for mkdtemp - found
-- Looking for mkstemp
-- Looking for mkstemp - found
-- Looking for realpath
-- Looking for realpath - found
-- Looking for O_BINARY
-- Looking for O_BINARY - not found
-- Looking for _O_BINARY
-- Looking for _O_BINARY - not found
-- Looking for _tempnam
-- Looking for _tempnam - not found
-- Looking for BOTAN_HAS_BIGINT
-- Looking for BOTAN_HAS_BIGINT - found
-- Looking for BOTAN_HAS_FFI
-- Looking for BOTAN_HAS_FFI - found
-- Looking for BOTAN_HAS_HEX_CODEC
-- Looking for BOTAN_HAS_HEX_CODEC - found
-- Looking for BOTAN_HAS_PGP_S2K
-- Looking for BOTAN_HAS_PGP_S2K - found
-- Looking for BOTAN_HAS_BLOCK_CIPHER
-- Looking for BOTAN_HAS_BLOCK_CIPHER - found
-- Looking for BOTAN_HAS_AES
-- Looking for BOTAN_HAS_AES - found
-- Looking for BOTAN_HAS_CAMELLIA
-- Looking for BOTAN_HAS_CAMELLIA - found
-- Looking for BOTAN_HAS_DES
-- Looking for BOTAN_HAS_DES - found
-- Looking for BOTAN_HAS_MODE_CBC
-- Looking for BOTAN_HAS_MODE_CBC - found
-- Looking for BOTAN_HAS_MODE_CFB
-- Looking for BOTAN_HAS_MODE_CFB - found
-- Looking for BOTAN_HAS_AUTO_RNG
-- Looking for BOTAN_HAS_AUTO_RNG - found
-- Looking for BOTAN_HAS_AUTO_SEEDING_RNG
-- Looking for BOTAN_HAS_AUTO_SEEDING_RNG - found
-- Looking for BOTAN_HAS_HMAC
-- Looking for BOTAN_HAS_HMAC - found
-- Looking for BOTAN_HAS_HMAC_DRBG
-- Looking for BOTAN_HAS_HMAC_DRBG - found
-- Looking for BOTAN_HAS_CRC24
-- Looking for BOTAN_HAS_CRC24 - found
-- Looking for BOTAN_HAS_HASH
-- Looking for BOTAN_HAS_HASH - found
-- Looking for BOTAN_HAS_MD5
-- Looking for BOTAN_HAS_MD5 - found
-- Looking for BOTAN_HAS_SHA1
-- Looking for BOTAN_HAS_SHA1 - found
-- Looking for BOTAN_HAS_SHA2_32
-- Looking for BOTAN_HAS_SHA2_32 - found
-- Looking for BOTAN_HAS_SHA2_64
-- Looking for BOTAN_HAS_SHA2_64 - found
-- Looking for BOTAN_HAS_SHA3
-- Looking for BOTAN_HAS_SHA3 - found
-- Looking for BOTAN_HAS_DL_GROUP
-- Looking for BOTAN_HAS_DL_GROUP - found
-- Looking for BOTAN_HAS_DL_PUBLIC_KEY_FAMILY
-- Looking for BOTAN_HAS_DL_PUBLIC_KEY_FAMILY - found
-- Looking for BOTAN_HAS_ECC_GROUP
-- Looking for BOTAN_HAS_ECC_GROUP - found
-- Looking for BOTAN_HAS_ECC_PUBLIC_KEY_CRYPTO
-- Looking for BOTAN_HAS_ECC_PUBLIC_KEY_CRYPTO - found
-- Looking for BOTAN_HAS_PUBLIC_KEY_CRYPTO
-- Looking for BOTAN_HAS_PUBLIC_KEY_CRYPTO - found
-- Looking for BOTAN_HAS_CURVE_25519
-- Looking for BOTAN_HAS_CURVE_25519 - found
-- Looking for BOTAN_HAS_DSA
-- Looking for BOTAN_HAS_DSA - found
-- Looking for BOTAN_HAS_ECDH
-- Looking for BOTAN_HAS_ECDH - found
-- Looking for BOTAN_HAS_ECDSA
-- Looking for BOTAN_HAS_ECDSA - found
-- Looking for BOTAN_HAS_ED25519
-- Looking for BOTAN_HAS_ED25519 - found
-- Looking for BOTAN_HAS_ELGAMAL
-- Looking for BOTAN_HAS_ELGAMAL - found
-- Looking for BOTAN_HAS_RSA
-- Looking for BOTAN_HAS_RSA - found
-- Looking for BOTAN_HAS_EME_PKCS1v15
-- Looking for BOTAN_HAS_EME_PKCS1v15 - found
-- Looking for BOTAN_HAS_EMSA_PKCS1
-- Looking for BOTAN_HAS_EMSA_PKCS1 - found
-- Looking for BOTAN_HAS_EMSA_RAW
-- Looking for BOTAN_HAS_EMSA_RAW - found
-- Looking for BOTAN_HAS_KDF_BASE
-- Looking for BOTAN_HAS_KDF_BASE - found
-- Looking for BOTAN_HAS_RFC3394_KEYWRAP
-- Looking for BOTAN_HAS_RFC3394_KEYWRAP - found
-- Looking for BOTAN_HAS_SP800_56A
-- Looking for BOTAN_HAS_SP800_56A - found
-- Looking for BOTAN_HAS_SM2
-- Looking for BOTAN_HAS_SM2 - found
-- Looking for BOTAN_HAS_SM3
-- Looking for BOTAN_HAS_SM3 - found
-- Looking for BOTAN_HAS_SM4
-- Looking for BOTAN_HAS_SM4 - found
-- Looking for BOTAN_HAS_AEAD_EAX
-- Looking for BOTAN_HAS_AEAD_EAX - found
-- Looking for BOTAN_HAS_AEAD_OCB
-- Looking for BOTAN_HAS_AEAD_OCB - found
-- Looking for BOTAN_HAS_TWOFISH
-- Looking for BOTAN_HAS_TWOFISH - found
-- Looking for BOTAN_HAS_IDEA
-- Looking for BOTAN_HAS_IDEA - found
-- Looking for BOTAN_HAS_BLOWFISH
-- Looking for BOTAN_HAS_BLOWFISH - found
-- Looking for BOTAN_HAS_CAST_128
-- Looking for BOTAN_HAS_CAST_128 - found
-- Looking for BOTAN_HAS_RIPEMD_160
-- Looking for BOTAN_HAS_RIPEMD_160 - found
-- Performing Test COMPILER_HAS_HIDDEN_VISIBILITY
-- Performing Test COMPILER_HAS_HIDDEN_VISIBILITY - Success
-- Performing Test COMPILER_HAS_HIDDEN_INLINE_VISIBILITY
-- Performing Test COMPILER_HAS_HIDDEN_INLINE_VISIBILITY - Success
-- Performing Test COMPILER_HAS_DEPRECATED_ATTR
-- Performing Test COMPILER_HAS_DEPRECATED_ATTR - Success
-- Found PkgConfig: /usr/bin/pkg-config (found version "0.27.1")
-- Configuring done
-- Generating done
-- Build files have been written to: /home/maxirmx/Projects/rnp-v0.17.0/build
Could you please clarify the issue you have? Thank you
There is probably some github cache issue
And
+ /usr/lib/rpm/redhat/gpgverify --keyring=/work/fedora/rnp/rnp-keyring.gpg --signature=/work/fedora/rnp/v0.17.0.tar.gz.asc --data=/work/fedora/rnp/rnp-v0.17.0.tar.gz
gpgv: Signature made Tue May 2 10:08:59 2023 CEST
gpgv: using EDDSA key 50DA59D5B9134FA2DB1EB20CFB829AB5D0FE017F
gpgv: BAD signature from "RNPGP Release Signing Key <rnpgp@ribose.com>"
gpgverify: Signature verification failed.
error: Bad exit status from /var/tmp/rpm-tmp.H4QNog (%prep)
Correct, the signature has not been updated.
Can you do us a favor: download/untar rnp-v0.17.0.tar.gz without signature verification and check if the cmake configuration step passes?
Signature updated. Thanks @remicollet !
Going crazy.... Signature is updated... but not the tarball...
+ /usr/lib/rpm/redhat/gpgverify --keyring=/work/fedora/rnp/rnp-keyring.gpg --signature=/work/fedora/rnp/v0.17.0.tar.gz.asc --data=/work/fedora/rnp/rnp-v0.17.0.tar.gz
gpgv: Signature made Wed May 3 08:48:56 2023 CEST
gpgv: using EDDSA key 50DA59D5B9134FA2DB1EB20CFB829AB5D0FE017F
gpgv: BAD signature from "RNPGP Release Signing Key <rnpgp@ribose.com>"
gpgverify: Signature verification failed.
(the previous message has Tue May 2 10:08:59 2023 CEST, this one has Wed May 3 08:48:56 2023 CEST)
Can you please confirm the expected sizes/checksums?
$ ll rnp-v0.17.0.tar.gz v0.17.0.tar.gz.asc
-rw-r--r--. 1 extras remi 3083098 May 2 17:34 rnp-v0.17.0.tar.gz
-rw-r--r--. 1 extras remi 228 May 3 08:49 v0.17.0.tar.gz.asc
$ sha256sum rnp-v0.17.0.tar.gz v0.17.0.tar.gz.asc
04d29fe9a20c56bb7ff4d77bc761b91f1f96462efd3b29d4d1d40262ce4eb782 rnp-v0.17.0.tar.gz
becd004cf6089677eb17197fac04cfc42cbd4bffd1abcbd678ece93bb8046c56 v0.17.0.tar.gz.asc
The same
[maxirmx@MSS-WS-N Projects]$ ll *17*
-rwxrwxr-x 1 maxirmx maxirmx 3083098 May 3 11:27 rnp-v0.17.0.tar.gz
-rwxrwxr-x 1 maxirmx maxirmx 228 May 3 11:24 v0.17.0.tar.gz.asc
[maxirmx@MSS-WS-N Projects]$ sha256sum rnp-v0.17.0.tar.gz v0.17.0.tar.gz.asc
04d29fe9a20c56bb7ff4d77bc761b91f1f96462efd3b29d4d1d40262ce4eb782 rnp-v0.17.0.tar.gz
becd004cf6089677eb17197fac04cfc42cbd4bffd1abcbd678ece93bb8046c56 v0.17.0.tar.gz.asc
And gpg check?
$ gpg --verify v0.17.0.tar.gz.asc rnp-v0.17.0.tar.gz
gpg: Signature made Wed May 3 08:48:56 2023 CEST
gpg: using EDDSA key 50DA59D5B9134FA2DB1EB20CFB829AB5D0FE017F
gpg: BAD signature from "RNPGP Release Signing Key <rnpgp@ribose.com>" [unknown]
@remicollet Sorry, let me check again...
I notice v0.17.0.zip.asc
was replaced by rnp-v0.17.0.zip.asc
Using the new file:
$ gpg --verify rnp-v0.17.0.tar.gz.asc
gpg: assuming signed data in 'rnp-v0.17.0.tar.gz'
gpg: Signature made Wed May 3 12:38:25 2023 CEST
gpg: using EDDSA key 50DA59D5B9134FA2DB1EB20CFB829AB5D0FE017F
gpg: Good signature from "RNPGP Release Signing Key <rnpgp@ribose.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 31AF 5A24 D861 EFCB 7CB7 9A19 2490 0CE0 AEFB 5417
Subkey fingerprint: 50DA 59D5 B913 4FA2 DB1E B20C FB82 9AB5 D0FE 017F
And build passes (with old GCC 12, not with GCC 13 but this is another issue #2074)
@remicollet Yes, we have just modified the tooling to make sure signatures and checksums pass (accommodating alternative package names). Was preparing this reply and you beat me to it :p
$ nix run github:rnpgp/release-sign -- -V --repo rnpgp/rnp --gpg -v 0.17.0 -t rnp-v0.17.0.tar.gz -z rnp-v0.17.0.zip verify-remote
📥 Downloading https://github.com/rnpgp/rnp/releases/download/v0.17.0/rnp-v0.17.0.tar.gz.asc to rnp-v0.17.0.tar.gz.asc
📥 Downloading https://github.com/rnpgp/rnp/releases/download/v0.17.0/rnp-v0.17.0.zip.asc to rnp-v0.17.0.zip.asc
📥 Downloading https://github.com/rnpgp/rnp/releases/download/v0.17.0/rnp-v0.17.0.sha256 to rnp-v0.17.0.sha256
📥 Downloading https://github.com/rnpgp/rnp/releases/download/v0.17.0/rnp-v0.17.0.tar.gz to rnp-v0.17.0.tar.gz
📥 Downloading https://github.com/rnpgp/rnp/releases/download/v0.17.0/rnp-v0.17.0.zip to rnp-v0.17.0.zip
sha256sum --quiet -c rnp-v0.17.0.sha256
gpg --verify rnp-v0.17.0.tar.gz.asc /Users/zoonfafer/share/src/release-sign/rnp-v0.17.0.tar.gz
gpg: Signature made Wed May 3 18:38:25 2023 HKT
gpg: using EDDSA key 50DA59D5B9134FA2DB1EB20CFB829AB5D0FE017F
gpg: Good signature from "RNPGP Release Signing Key <rnpgp@ribose.com>" [ultimate]
gpg --verify rnp-v0.17.0.zip.asc /Users/zoonfafer/share/src/release-sign/rnp-v0.17.0.zip
gpg: Signature made Wed May 3 18:38:26 2023 HKT
gpg: using EDDSA key 50DA59D5B9134FA2DB1EB20CFB829AB5D0FE017F
gpg: Good signature from "RNPGP Release Signing Key <rnpgp@ribose.com>" [ultimate]
✅ Signatures are verified
Cheers!
I guess this one can be closed
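The checks worked through by hand in this thread (digest, detached signature against an explicitly named data file, top-level directory name, and non-empty `src/libsexp` contents) can be scripted ahead of a package build. This is an added example, not part of the thread or of the rnp project's tooling; the function names and return codes are assumptions chosen for illustration.

```shell
# Pre-build checks for a release tarball (illustrative helper, POSIX sh).

# Verify a detached signature. Both the signature and the data file are named
# explicitly, so a renamed .asc cannot silently be paired with the wrong archive.
# $1 = keyring file holding the release key (give a path containing a slash,
#      otherwise gpgv looks for it in the GnuPG home directory)
# $2 = detached signature (.asc), $3 = tarball
verify_detached_sig() {
    gpgv --keyring "$1" "$2" "$3"
}

# $1 = tarball, $2 = expected top-level directory,
# $3 = path (relative to the top directory) that must contain files,
# $4 = optional expected SHA-256 obtained from a separate channel
# Returns: 0 ok, 1 digest mismatch, 2 unreadable archive,
#          3 unexpected top-level layout, 4 required path missing or empty
check_release_tarball() {
    tarball=$1; topdir=$2; required=$3; want_sha=${4:-}

    if [ -n "$want_sha" ]; then
        have_sha=$(sha256sum "$tarball" | cut -d' ' -f1)
        [ "$have_sha" = "$want_sha" ] || {
            echo "sha256 mismatch: got $have_sha" >&2; return 1; }
    fi

    listing=$(tar -tzf "$tarball" | sed 's|^\./||') || {
        echo "cannot list $tarball" >&2; return 2; }

    # Exactly one top-level entry, and it carries the expected name
    # (catches e.g. a CPack-style "<name>-Source" directory).
    tops=$(printf '%s\n' "$listing" | cut -d/ -f1 | sort -u)
    [ "$tops" = "$topdir" ] || {
        echo "unexpected top-level entries: $tops" >&2; return 3; }

    # At least one entry strictly below the required directory; an empty
    # placeholder directory for a submodule does not count.
    printf '%s\n' "$listing" | awk -v p="$topdir/$required/" '
        index($0, p) == 1 && length($0) > length(p) { found = 1 }
        END { exit !found }' || {
        echo "$required is missing or empty" >&2; return 4; }
}
```

For the archive discussed here the call would be `check_release_tarball rnp-v0.17.0.tar.gz rnp-v0.17.0 src/libsexp`, run after `verify_detached_sig` has succeeded.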
Description
Using official tarball
cmake fails with :
Steps to Reproduce
cmake -DCRYPTO_BACKEND:STRING=openssl -DDOWNLOAD_GTEST:BOOL=OFF -DDOWNLOAD_RUBYRNP:BOOL=OFF
Expected Behavior
Passes
Actual Behavior
Fails