Zip archive and GPG signature don't match for Piwik 2.13.1 #7863

Closed
aureq opened this issue May 8, 2015 · 3 comments
Labels
answered For when a question was asked and we referred to forum or answered it. c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. Critical Indicates the severity of an issue is very critical and the issue has a very high priority.

Comments


aureq commented May 8, 2015

@mattab @mnapoli

Following the missing tar.gz archive (#7860), I've been trying to improve the Makefile used to generate the Debian package.
During this process, I've discovered that the zip and zip.asc do not match.

Could we please have a look at this?
md5: 61ef6b4590a1263fa5f31bde89d258e8 piwik-2.13.1.zip
md5: 3825d7752646efac96ddd418d23ad38a piwik-2.13.1.zip.asc
sha256: c7bb651fbd9e8349c47b6fa0a93e8a798a477d5ef8ac9bc9e415d266e24cb5b0 piwik-2.13.1.zip
sha256: adcf61ec86256c666eef7c7547f8d79366e27e3d41c2f07ddbff4253801a9b8c piwik-2.13.1.zip.asc

GPG Error (gpg --verify piwik-2.13.1.zip.asc):
gpg: Signature made Thu 07 May 2015 09:52:31 AEST using RSA key ID 5590A237
gpg: BAD signature from "Matthieu Aubry <matt@piwik.org>"

@aureq aureq added Critical Indicates the severity of an issue is very critical and the issue has a very high priority. c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. labels May 8, 2015
Contributor

mnapoli commented May 8, 2015

See this comment. FYI the release script first uploaded the zip but it failed at 100%, so he started again manually using FileZilla IIRC, maybe the difference comes from that.

By the way I feel dumb but I have no idea what is zip.asc ;) If it's just a zip and it should be identical to the .zip file maybe you could try unzipping both of them and compare them (to see if there's any actual difference in files)? (sorry I can't do it myself)

Author

aureq commented May 9, 2015

Thanks for the heads-up @mnapoli!
Just to let you know it's a blocker for me to publish the latest version of the Debian package.

Cheers

Member

mattab commented May 12, 2015

Hi @aureq - thanks for the report. This should work now I've repackaged the release with correct signatures. (During last release I had some problems with unreliable internet)

@mattab mattab closed this as completed May 12, 2015
@mattab mattab added the answered For when a question was asked and we referred to forum or answered it. label May 12, 2015
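
Added example, not part of the issue thread or the Piwik project's tooling: `piwik-2.13.1.zip.asc` is an ASCII-armored detached OpenPGP signature over the zip, and a packaging step can gate on it by reading gpg's machine-readable `--status-fd` lines instead of the human-readable text. The function names, the `PINNED_FPR` placeholder and the sample status lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not the Piwik project's tooling.
# Placeholder: the issue shows only the short key ID 5590A237; set the full
# 40-hex-digit fingerprint (uppercase, no spaces), obtained out of band.
PINNED_FPR="${PINNED_FPR:-0000000000000000000000000000000000000000}"

# classify_status FPR: read `gpg --status-fd` lines on stdin and print one of
#   good      VALIDSIG made by the pinned key, no BADSIG/ERRSIG seen
#   bad       signature does not match the data (the result in this issue)
#   wrongkey  cryptographically valid, but not made by the pinned key
#   error     signature could not be checked (missing key, no signature)
classify_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG"   { bad = 1 }
        $2 == "ERRSIG" || $2 == "NO_PUBKEY" { err = 1 }
        # Appending "" forces string comparison; all-digit hex must not be
        # compared as numbers. $3 is the signing key, $NF the primary key.
        $2 == "VALIDSIG" { seen = 1
                           if (($3 "") == (want "") || ($NF "") == (want "")) ok = 1 }
        END {
            if (bad)       print "bad"
            else if (err)  print "error"
            else if (ok)   print "good"
            else if (seen) print "wrongkey"
            else           print "error"
        }'
}

# verify_release ARCHIVE: check ARCHIVE against the detached ARCHIVE.asc and
# return non-zero unless the result is "good".
verify_release() {
    result=$(gpg --batch --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null |
             classify_status "$PINNED_FPR")
    echo "$1: $result"
    [ "$result" = "good" ]
}

# Constructed status output (key ID, fingerprint and dates are made up).
SAMPLE_FPR=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Example Signer <signer@example.org>'
SAMPLE_GOOD="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>
[GNUPG:] VALIDSIG $SAMPLE_FPR 2015-01-01 1420070400 0 4 0 1 8 00 $SAMPLE_FPR"

# In a build script or Makefile recipe:
#   verify_release piwik-2.13.1.zip || exit 1
```

Pinning the full fingerprint matters because a "Good signature" from any key in the local keyring would otherwise pass; comparing unpacked zip contents, by contrast, says nothing about who produced the archive.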