> On 21/06/17 13:48, Jonathan K. Bullard wrote: >> On Wed, Jun 21, 2017 at 6:47 AM, Samuli Seppänen <sam...@openvpn.net> >> wrote: >>> The OpenVPN community project team is proud to release OpenVPN 2.4.3. >>> It >>> can be downloaded from here: >>> >>> <http://openvpn.net/index.php/open-source/downloads.html> >> >> Hi. Thanks for this release. >> >> Verifying the PGP signature on 2.3.17.tar.gz works fine (so did 2.4.2 >> a few weeks ago), but trying to verify the signature on 2.4.3.tar.gz >> fails with: >> >> $ gpg2 -v --verify /XXX/openvpn-2.4.3.tar.gz.asc >> >> gpg: armor header: Version: GnuPG v1 >> gpg: assuming signed data in '/XXX/openvpn-2.4.3.tar.gz' >> gpg: Signature made Wed Jun 21 06:19:19 2017 EDT >> gpg: using RSA key D72AF3448CC2B034 >> gpg: using subkey D72AF3448CC2B034 instead of primary key >> 12F5F7B42F2B01E7 >> gpg: using pgp trust model >> gpg: BAD signature from "OpenVPN - Security Mailing List >> <secur...@openvpn.net>" [unknown] >> gpg: binary signature, digest algorithm SHA1, key algorithm rsa4096 >> >> The SHA256 ofopenvpn-2.4.3.tar.gz is >> 84a01aa3df0c12a3552ca3baaa39d700137b5bce4b6de683fe87fb79bfa5df0b >> >> The SHA256 of openvpn-2.4.3.tar.gz.asc is >> 695afa06fcf94f9e8bd2ee63267332d14e52fe24dd58c470e42dafbea371e437 >> >> The files were downloaded from >> https://openvpn.net/index.php/open-source/downloads.html at about >> 10:24 UCT today from the New York City area. >> >> For reference, here is the output from verifying 2.3.17: >> >> $ gpg2 -v --verify >> /Users/jonathanbullard/Desktop/openvpn-2.3.17.tar.gz.asc >> >> gpg: armor header: Version: GnuPG v1 >> gpg: assuming signed data in >> '/Users/jonathanbullard/Desktop/openvpn-2.3.17.tar.gz' >> gpg: Signature made Wed Jun 21 06:18:55 2017 EDT >> gpg: using RSA key D72AF3448CC2B034 >> gpg: using subkey D72AF3448CC2B034 instead of primary key >> 12F5F7B42F2B01E7 >> gpg: using pgp trust model >> gpg: Good signature from "OpenVPN - Security Mailing List >> <secur...@openvpn.net>" [unknown] >> gpg: WARNING: This key is not certified with a trusted signature! >> gpg: There is no indication that the signature belongs to the >> owner. >> Primary key fingerprint: F554 A368 7412 CFFE BDEF E0A3 12F5 F7B4 2F2B >> 01E7 >> Subkey fingerprint: B596 06E2 D8C6 E10B 80BE 2B31 D72A F344 8CC2 >> B034 >> gpg: binary signature, digest algorithm SHA1, key algorithm rsa4096 >> >> Any ideas or suggestions? > > I believe it is Cloudflare playing tricks on us again. > > Attached are the proper signature files and below a list of the SHA256 > checksums: > > d300029416b045666f2dc957bdde407ba97894428b5ad8433df789e793ccc1d3 > openvpn-2.3.17.tar.xz > b206065f4a1720c022fde710c0449b5b25e9dda8ca2911a82bacf21b9fcb4e29 > openvpn-2.3.17.tar.xz.asc > 7aa86167a5b8923e54e8795b814ed77288c793671f59fd830d9ab76d4b480571 > openvpn-2.4.3.tar.xz > 9f5f089f4a4b3e270ddb53cb0b689f4c0bad89d7e2ee08a1d4666e7ab869f210 > openvpn-2.4.3.tar.xz.asc > > This is based on the files I've already pushed to the Fedora builder > (koji), which
I have the following sums: af806c47623aa1d8246cf0790984766f61c8d0a63ea0b04127ff5c6c65e46088 openvpn-2.3.17.tar.gz d300029416b045666f2dc957bdde407ba97894428b5ad8433df789e793ccc1d3 openvpn-2.3.17.tar.xz cee3d3ca462960a50a67c0ebd186e01b6d13db70275205663695152c9aca8579 openvpn-2.4.3.tar.gz 15e15fc97f189b52aee7c90ec8355aa77469c773125110b4c2f089abecde36fb openvpn-2.4.3.tar.xz So 2.3.17 seems fine but what about 2.4.3? What is the real final check sum for openvpn-2.4.3.tar.gz and openvpn-2.4.3.tar.xz? Thanks, Simon ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot _______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
