sjtug / mirror-requests

New mirror requests & bug reports
https://mirrors.sjtug.sjtu.edu.cn

[ghcup] The mirror should include the SHA256SUMS and PGP signature files #365

Closed. fghzxm closed this issue 4 months ago

fghzxm commented 5 months ago

GHCup metadata provides a corresponding PGP signature file for every YAML/JSON file.

GHCup's official download site also provides SHA256SUMS and SHA256SUMS.sig files in every directory where the tarballs live, e.g.:

https://downloads.haskell.org/~ghcup/0.1.22.0/SHA256SUMS
https://downloads.haskell.org/~ghcup/0.1.22.0/SHA256SUMS.sig
https://downloads.haskell.org/~ghcup/unofficial-bindists/ghc/9.10.1/SHA256SUMS
https://downloads.haskell.org/~ghcup/unofficial-bindists/ghc/9.10.1/SHA256SUMS.sig

The SJTUG mirror seems to be missing at least some of these files, which makes ghcup fail when the --gpg=strict option is given:

$ ghcup --gpg=strict list
[ Info  ] downloading: https://mirror.sjtu.edu.cn/ghcup/yaml/ghcup/data/ghcup-0.0.8.yaml as file /home/fghzxm/.ghcup/cache/ghcup-0.0.8.yaml
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (22) The requested URL returned error: 403 Forbidden
[ Error ] [GHCup-00210] GPG verify failed: Process "curl" with arguments ["--dump-header",
[ ...   ]                                                   "/tmp/curl-header1328708-1", "-H",
[ ...   ]                                                   "If-None-Match: \"d336224a11f1f881f2f8891157a348003a7af7bc253ae1f099555f96c6f2846c\"",
[ ...   ]                                                   "-fL", "-o",
[ ...   ]                                                   "/home/fghzxm/.ghcup/cache/ghcup-0.0.8.yaml.sig.tmp",
[ ...   ]                                                   "https://mirror.sjtu.edu.cn/ghcup/yaml/ghcup/data/ghcup-0.0.8.yaml.sig"] failed with exit code 22.

taoky commented 5 months ago

Ideally, signatures should not be served by the mirror but should always be fetched from upstream.

fghzxm commented 5 months ago

IIUC the signing key is controlled by upstream, so even if the signature is fetched from the mirror, the user can still confirm that the tarball comes from upstream and has not been tampered with?

PhotonQuantum commented 4 months ago

It looks like upstream has changed the repository layout again; we need to adapt once more.

PhotonQuantum commented 4 months ago

Fixed.

PhotonQuantum commented 4 months ago

Sorry, the earlier fix was probably flawed: to support mirroring we have to rewrite the YAML configuration, so the signature naturally becomes invalid. There may not be a good solution to this for now, so I won't reopen the issue for the time being.
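As an added example (not code from ghcup, from downloads.haskell.org, or from the SJTUG mirror project), the block below does two things the thread talks about: it verifies a downloaded artifact against a SHA256SUMS file in the coreutils `sha256sum` layout that the issue asks the mirror to carry, and it shows with a digest comparison why a mirror that rewrites URLs inside a signed metadata file (the last comment above) can never serve a signature that matches it. Everything in it is constructed for the demo: the artifact names and bytes, the SHA256SUMS text, the metadata snippet and the hypothetical `mirror_rewrite()` helper. The real signature check is `gpg --verify <file>.sig <file>`, which this example does not run; a detached OpenPGP signature binds the exact bytes of the file in the same way the digest comparison here does.

```python
"""Verify artifacts against SHA256SUMS and show why rewriting a signed file
breaks its detached signature.

Added example, not ghcup or mirror code. All inputs below are constructed.
"""
import hashlib
from typing import Dict

# Constructed stand-ins for two artifacts that would sit beside a SHA256SUMS
# file on the download server; the real ones are multi-megabyte binaries.
ARTIFACTS: Dict[str, bytes] = {
    "x86_64-linux-ghcup-0.1.22.0": b"\x7fELF...constructed ghcup binary...",
    "aarch64-linux-ghcup-0.1.22.0": b"\x7fELF...constructed arm64 binary...",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed SHA256SUMS in the `sha256sum` output layout:
# "<64 hex chars><two spaces><file name>", one line per artifact.
SHA256SUMS = "".join(
    f"{sha256_hex(data)}  {name}\n" for name, data in ARTIFACTS.items()
)


def parse_sha256sums(text: str) -> Dict[str, str]:
    """Parse a SHA256SUMS file into {file name: lowercase hex digest}.

    Malformed lines raise instead of being skipped, so that an HTML error
    page (like the 403 body in the transcript above) saved under the name
    SHA256SUMS cannot pass as a sums file that simply covers nothing.
    """
    sums: Dict[str, str] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            digest, name = line.split("  ", 1)
        except ValueError:
            raise ValueError(f"SHA256SUMS line {lineno}: not sha256sum format")
        digest = digest.lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"SHA256SUMS line {lineno}: bad digest")
        # sha256sum marks binary-mode entries with a leading '*'; drop it.
        sums[name.lstrip("*")] = digest
    return sums


def verify_artifact(name: str, data: bytes, sums_text: str) -> bool:
    """True iff `data` matches the digest that `sums_text` records for `name`.

    A file the sums file does not list is treated as unverified (False),
    not as trusted by default.
    """
    sums = parse_sha256sums(sums_text)
    if name not in sums:
        return False
    return sha256_hex(data) == sums[name]


# Constructed metadata snippet of the kind upstream signs with a detached .sig.
UPSTREAM_YAML = (
    b"dlUri: https://downloads.haskell.org/~ghcup/0.1.22.0/"
    b"x86_64-linux-ghcup-0.1.22.0\n"
)


def mirror_rewrite(yaml_bytes: bytes,
                   mirror: str = "https://mirror.sjtu.edu.cn/ghcup/") -> bytes:
    """Hypothetical mirror-side URL rewrite (assumed, not the mirror's code)."""
    return yaml_bytes.replace(b"https://downloads.haskell.org/~ghcup/",
                              mirror.encode())


def matches_upstream_bytes(served: bytes, upstream: bytes) -> bool:
    """Stand-in for the property a detached signature checks: the served
    bytes must be exactly the bytes upstream signed. Any rewrite, even one
    that only swaps a hostname, makes this False and so makes
    `gpg --verify` fail with the upstream .sig."""
    return sha256_hex(served) == sha256_hex(upstream)
```

Run against the constructed inputs, `verify_artifact` accepts the untouched artifact, rejects one with a single appended byte, and rejects a name the sums file does not cover; `parse_sha256sums` raises on an HTML body saved as SHA256SUMS; and `matches_upstream_bytes` is False for the rewritten metadata, which is the situation the last comment describes: a mirror can relay upstream's SHA256SUMS and .sig unchanged for the tarballs, but it cannot both rewrite the YAML and have upstream's signature over it still verify.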