SHA1 sig is wrong in the last release

bvn13 · 17 March 2022 08:23

What’s wrong with SHA1 signature given on the last ISO of Gnome Release?

I have downloaded 2 versions of ISO: from torrent and from CDN directly.

-rw-r--r--. 1 bvn13 bvn13 3519092736 Mar 17 11:13 manjaro-gnome-21.2.4-220301-linux515-direct-download.iso
-rw-r--r--. 1 bvn13 bvn13 3519021056 Mar 17 11:07 manjaro-gnome-21.2.4-220301-linux515.iso

Sizes are different!

— ~/install $ sha1hmac manjaro-gnome-21.2.4-220301-linux515-direct-download.iso 
b0c4f5c2ffe85677b7284c817f56d8d7ccbee43c  manjaro-gnome-21.2.4-220301-linux515-direct-download.iso
— ~/install $ sha1hmac manjaro-gnome-21.2.4-220301-linux515.iso
3f9347e1db818ff508c5227dd6c4f50840628ed6  manjaro-gnome-21.2.4-220301-linux515.iso

Every signature is different from that you specified on Download page: SHA1: 2bae9c69ce16f69d1fdf05e6845fb6e3ba30dee4

What’s going on?

mithrial · 17 March 2022 09:51

$ sha1sum manjaro-gnome-21.2.4-220301-linux515* 

2bae9c69ce16f69d1fdf05e6845fb6e3ba30dee4  manjaro-gnome-21.2.4-220301-linux515-cdn.iso
2bae9c69ce16f69d1fdf05e6845fb6e3ba30dee4  manjaro-gnome-21.2.4-220301-linux515-torrent.iso

$  gpg --verify manjaro-gnome-21.2.4-220301-linux515.iso.sig manjaro-gnome-21.2.4-220301-linux515-torrent.iso
gpg: Signature made Tue Mar  1 03:32:33 2022 CET
gpg:                using RSA key 3B794DE6D4320FCE594F4171279E7CF5D8D56EC8
gpg: Good signature from "Manjaro Build Server <build@manjaro.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3B79 4DE6 D432 0FCE 594F  4171 279E 7CF5 D8D5 6EC8

$ gpg --verify manjaro-gnome-21.2.4-220301-linux515.iso.sig manjaro-gnome-21.2.4-220301-linux515-cdn.iso
gpg: Signature made Tue Mar  1 03:32:33 2022 CET
gpg:                using RSA key 3B794DE6D4320FCE594F4171279E7CF5D8D56EC8
gpg: Good signature from "Manjaro Build Server <build@manjaro.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3B79 4DE6 D432 0FCE 594F  4171 279E 7CF5 D8D5 6EC8

$ sha1sum --strict --check manjaro-gnome-21.2.4-220301-linux515.iso.sha1
manjaro-gnome-21.2.4-220301-linux515-cdn.iso: OK
manjaro-gnome-21.2.4-220301-linux515-torrent.iso: OK

$ sha256sum --strict --check manjaro-gnome-21.2.4-220301-linux515.iso.sha256
manjaro-gnome-21.2.4-220301-linux515-cdn.iso: OK
manjaro-gnome-21.2.4-220301-linux515-torrent.iso: OK

Looks good to me.

bvn13 · 17 March 2022 13:39

Could you provide me with the links of your files please?

mithrial · 17 March 2022 14:07

I have downloaded it from here:

https://download.manjaro.org/gnome/21.2.4/manjaro-gnome-21.2.4-220301-linux515.iso
https://download.manjaro.org/gnome/21.2.4/manjaro-gnome-21.2.4-220301-linux515.iso.sha1
https://download.manjaro.org/gnome/21.2.4/manjaro-gnome-21.2.4-220301-linux515.iso.sha256

And the torrent

https://download.manjaro.org/gnome/21.2.4/manjaro-gnome-21.2.4-220301-linux515.iso.torrent

Also, I don’t know where you got that sha1hmac tool from, but you should should sha1sum (there is not HMAC here).

bvn13 · 18 March 2022 11:29

Oh, it was my fault.

— ~/install $ sha1sum manjaro-gnome-21.2.4-220301-linux515.iso 
9210b5ce91dd31d0d0f6a4de39896e949620650f  manjaro-gnome-21.2.4-220301-linux515.iso
— ~/install $ sha1sum manjaro-gnome-21.2.4-220301-linux515-direct-download.iso 
2bae9c69ce16f69d1fdf05e6845fb6e3ba30dee4  manjaro-gnome-21.2.4-220301-linux515-direct-download.iso

And the file downloaded from torrent is broken.

system · 21 March 2022 01:30

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.