On Fri 07-10-12 16:18, Lasse Kliemann wrote:
> The file at
> http://www.openssl.org/./source/openssl-0.9.8f.tar.gz.sha1
> contains the checksum
>
> 0a0a3fd9be3d46053df2e91b6eb8a3b4348c793c
>
> whereas the file at http://www.openssl.org/source/openssl-0.9.8f.tar.gz (even
> after repeated download) has SHA1 checksum
>
> e8716370093b112763ace0c66c06a0d6049e413b
>
> The published OpenPGP signature
> http://www.openssl.org/source/openssl-0.9.8f.tar.gz.asc was made with key
> 0x2719AF35 and matches for the tarball. But previous releases were signed
> with key 0xF295C759.
>
> This looks kind of suspicious to me. However, why would an attacker replace
> the OpenPGP signature and not the SHA1 checksum?
>
> Hopefully, there is a simple explanation for this.
That's not the only problem. As of a few minutes ago, there were two
versions of the "openssl-0.9.8f.tar.gz.asc" file, one on the ftp server
and another on the web server. Both are signed by the same key (which is
*not* the key used for previous releases), but the one on the ftp server
is incorrect. But that appears to have been corrected now (while I was
writing this message).

Also, the "openssl-0.9.8f.tar.gz.asc" file is actually a *binary*
signature, not an ASCII signature as the name implies. (Previous *.asc
files have been ASCII signatures.)

-- 
Keith Thompson <[EMAIL PROTECTED]>
San Diego Supercomputer Center <http://users.sdsc.edu/~kst/>
858-822-0853
"We must do something. This is something. Therefore, we must do this."
    -- Antony Jay and Jonathan Lynn, "Yes Minister"

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
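The two checks the thread turns on, comparing a downloaded tarball against a published .sha1 file and telling a binary OpenPGP signature apart from an ASCII-armored one, can be scripted so they run before anything is unpacked. The following is an added example written for this page, not code from the thread or from the OpenSSL project; it works on constructed sample bytes, and the .sha1 parser accepts both a bare digest and the `sha1sum`-style "digest  filename" form. It only classifies the signature file's encoding; cryptographic verification of the signature against a trusted key is still a job for gpg.

```python
import hashlib
import re

# Constructed sample bytes standing in for a downloaded release tarball.
SAMPLE_TARBALL = b"constructed sample tarball contents\n"

# Constructed stand-ins for the two kinds of .asc file discussed above:
# an ASCII-armored signature and a raw binary OpenPGP signature packet
# (0x89 = old-format packet header, tag 2 = signature, 2-byte length).
SAMPLE_ARMORED_SIG = b"-----BEGIN PGP SIGNATURE-----\nVersion: constructed\n\n...\n-----END PGP SIGNATURE-----\n"
SAMPLE_BINARY_SIG = b"\x89\x01\x1c\x04\x00\x01\x02\x00"


def sha1_hex(data: bytes) -> str:
    """SHA-1 hex digest of a byte string, as `sha1sum` would print it."""
    return hashlib.sha1(data).hexdigest()


def parse_sha1_file(text: str) -> str:
    """Pull the 40-hex-digit digest out of a .sha1 file.

    Works for a file holding only the digest and for the `sha1sum`
    output form "digest  filename".
    """
    m = re.search(r"\b([0-9a-fA-F]{40})\b", text)
    if not m:
        raise ValueError("no SHA-1 digest found in .sha1 file")
    return m.group(1).lower()


def checksum_matches(data: bytes, sha1_file_text: str) -> bool:
    """True when the published digest equals the digest of the download."""
    return sha1_hex(data) == parse_sha1_file(sha1_file_text)


def signature_format(sig: bytes) -> str:
    """Classify a signature file as 'armored', 'binary' or 'unknown'.

    ASCII armor starts with the BEGIN line. A binary OpenPGP packet starts
    with a header byte whose bit 7 is set; bit 6 selects the new packet
    format (tag in the low 6 bits) versus the old one (tag in bits 2-5).
    Tag 2 is a signature packet (RFC 4880, section 5.2).
    """
    if sig.startswith(b"-----BEGIN PGP SIGNATURE-----"):
        return "armored"
    if not sig:
        return "unknown"
    first = sig[0]
    if first & 0x80:
        if first & 0x40:
            tag = first & 0x3F
        else:
            tag = (first >> 2) & 0x0F
        if tag == 2:
            return "binary"
    return "unknown"


def release_report(data: bytes, sha1_file_text: str, sig: bytes) -> dict:
    """Summarise what a reviewer would want to know before trusting a download."""
    return {
        "computed_sha1": sha1_hex(data),
        "published_sha1": parse_sha1_file(sha1_file_text),
        "checksum_ok": checksum_matches(data, sha1_file_text),
        "signature_format": signature_format(sig),
    }


if __name__ == "__main__":
    # Constructed .sha1 text that deliberately does NOT match the sample
    # tarball, reproducing the kind of mismatch reported in the thread.
    stale_sha1_text = "0a0a3fd9be3d46053df2e91b6eb8a3b4348c793c  openssl-0.9.8f.tar.gz\n"
    for k, v in release_report(SAMPLE_TARBALL, stale_sha1_text, SAMPLE_BINARY_SIG).items():
        print(f"{k}: {v}")
```

A checksum mismatch or an unexpected signature encoding is a reason to stop and ask the publisher, as the thread does; it is not by itself proof of tampering, but a build pipeline should treat either result as a hard failure rather than a warning.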