View Issue Details

ID: 0026950
Project: mantisbt
Category: installation
View Status: public
Last Update: 2020-06-22 06:29
Reporter: thomasjfox
Assigned To:
Priority: normal
Severity: minor
Reproducibility: always
Status: confirmed
Resolution: open
Product Version: 2.24.1
Summary: 0026950: Can't verify gpg signature 2.24.1 release tarball
Description

Thanks for providing gpg keys to check the signature of a mantis release.
For some unknown reason the gpg signature of mantisbt-2.24.1.tar.gz doesn't check out:

$ gpg2 --verify mantisbt-2.24.1.tar.gz.asc mantisbt-2.24.1.tar.gz
gpg: Signature made Sun 03 May 2020 10:29:05 AM CEST
gpg: using RSA key 5769AA4978E571A7BADB2A4DD4EAE2390A45E2D6
gpg: BAD signature from "keybase.io/vboctor <vboctor@keybase.io>" [ultimate]

Interestingly the signature for the ZIP archive is ok:

$ gpg2 --verify mantisbt-2.24.1.zip.asc mantisbt-2.24.1.zip
gpg: Signature made Sun 03 May 2020 10:29:06 AM CEST
gpg: using RSA key 5769AA4978E571A7BADB2A4DD4EAE2390A45E2D6
gpg: Good signature from "keybase.io/vboctor <vboctor@keybase.io>" [ultimate]

No content has been tampered with:

$ diff -u -r -p mantisbt-2.24.1.from-zip/ mantisbt-2.24.1.from-tar/

Checksums of the files:

$ shasum mantisbt*
f4ecf2ef8316e530bcfe501a0068110f28361b8d mantisbt-2.24.1.tar.gz
023988a9c8fe1602022a840d9feedee94230e323 mantisbt-2.24.1.tar.gz.asc
$ shasum -c mantisbt-2.24.1.tar.gz.digests
mantisbt-2.24.1.tar.gz: OK

I also checked whether, e.g., the signature was just for mantisbt-2.24.1.tar instead of mantisbt-2.24.1.tar.gz,
or whether the xx.digest file was signed by accident.

Can someone reproduce the issue?
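An added illustration (not from the report or the MantisBT project) of why a detached signature can be BAD on a tarball whose extracted contents diff clean against a good archive: the signature covers the archive's exact bytes, and a .tar.gz rebuilt from the same files with different timestamps is a different byte string. The sample files and timestamps are constructed, and a SHA-256 comparison stands in for the gpg check; nothing here establishes that this is the cause of the failure reported above.

```python
"""A detached signature covers the archive bytes, not the files inside.
Added example; the cause of the bad signature in the report is not known."""
import gzip
import hashlib
import io
import tarfile


def build_targz(files: dict, mtime: int) -> bytes:
    """Build an in-memory .tar.gz from {name: content} with fixed metadata.
    mtime is stamped into every tar header and into the gzip header."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tar:
        for name, content in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(content)
            info.mtime = mtime
            tar.addfile(info, io.BytesIO(content))
    return gzip.compress(tar_buf.getvalue(), mtime=mtime)


def extract_targz(blob: bytes) -> dict:
    """Return {name: content} from a .tar.gz blob: what `diff -r` compares."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        return {m.name: tar.extractfile(m).read()
                for m in tar.getmembers() if m.isfile()}


def sha256(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def verify_digest(blob: bytes, expected_sha256: str) -> bool:
    """Stand-in for a signature or digest check: it is computed over the
    archive bytes, so any repackaging breaks it even if contents match."""
    return sha256(blob) == expected_sha256


# Constructed sample release: same files, packaged twice 55 seconds apart.
RELEASE_FILES = {"mantisbt/core.php": b"<?php\n",
                 "mantisbt/README.md": b"# MantisBT\n"}
ARCHIVE_SIGNED = build_targz(RELEASE_FILES, mtime=1588494545)    # bytes that were signed
ARCHIVE_REPACKED = build_targz(RELEASE_FILES, mtime=1588494600)  # rebuilt later
PUBLISHED_DIGEST = sha256(ARCHIVE_SIGNED)

if __name__ == "__main__":
    print("contents identical:", extract_targz(ARCHIVE_SIGNED) == extract_targz(ARCHIVE_REPACKED))
    print("bytes identical:   ", ARCHIVE_SIGNED == ARCHIVE_REPACKED)
    print("repacked verifies: ", verify_digest(ARCHIVE_REPACKED, PUBLISHED_DIGEST))
```

The practical check this suggests is to compare the hash of the file you downloaded against the hash of the file that was actually signed, not only the extracted trees.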

Tags: No tags attached.

Relationships

related to 0022269 (closed, dregad): Public key for verification should be available

Activities

thomasjfox (reporter), 2020-05-09 06:32, note ~0063965

Related gpg key issue (I can't add related issues myself):
https://mantisbt.org/bugs/view.php?id=22269

dregad (developer), 2020-05-11 04:00, note ~0063967

I confirm the problem with the bad signature for the tarball.

Our standard release publication process relies on a script to build the zip/tarballs, then generate the corresponding ASCII-armored signature files, so I really can't explain why one of them is valid while the other is not... Very strange. Maybe @vboctor signed the release manually, or errors occurred during script execution, and he failed to notice.

Anyway he's the only one who can fix this.

jweberhofer (reporter), 2020-05-14 08:49, note ~0063982

Would be great, @vboctor, if you could correctly sign the file!

jweberhofer (reporter), 2020-06-22 06:29, note ~0064117

ping.