Bug 215095

Summary: security/gnupg: distinfo error
Product: Ports & Packages Reporter: fmyoen
Component: Individual Port(s)Assignee: Adam Weinberger <adamw>
Status: Closed FIXED    
Severity: Affects Many People CC: fmyoen, mg
Priority: --- Flags: bugzilla: maintainer-feedback? (kuriyama)
Version: Latest   
Hardware: Any   
OS: Any   

Description fmyoen 2016-12-06 10:21:13 UTC 
Hi, it looks like size/SHA256 sum is wrong for gnupg-2.1.16.tar.bz2.sig in distinfo:


# sudo portupgrade -re gnupg-2.1.15
[Reading data from pkg(8) ... - 921 packages found - done]
--->  Upgrading 'gnupg-2.1.15' to 'gnupg-2.1.16' (security/gnupg)
--->  Building '/usr/ports/security/gnupg'
===>  Cleaning for gnupg-2.1.16
===>  License GPLv3 LGPL3 accepted by the user
===>  Found saved configuration for gnupg-2.1.1
===>   gnupg-2.1.16 depends on file: /usr/local/sbin/pkg - found
=> gnupg-2.1.16.tar.bz2.sig doesn't seem to exist in /usr/ports/distfiles/.
=> Attempting to fetch http://artfiles.org/gnupg.org/gnupg/gnupg-2.1.16.tar.bz2.sig
fetch: http://artfiles.org/gnupg.org/gnupg/gnupg-2.1.16.tar.bz2.sig: size mismatch: expected 310, actual 597
=> Attempting to fetch http://ftp.heanet.ie/mirrors/ftp.gnupg.org/gcrypt/gnupg/gnupg-2.1.16.tar.bz2.sig
fetch: http://ftp.heanet.ie/mirrors/ftp.gnupg.org/gcrypt/gnupg/gnupg-2.1.16.tar.bz2.sig: size mismatch: expected 310, actual 597
=> Attempting to fetch ftp://ftp.sunet.se/pub/security/gnupg/gnupg/gnupg-2.1.16.tar.bz2.sig
fetch: ftp://ftp.sunet.se/pub/security/gnupg/gnupg/gnupg-2.1.16.tar.bz2.sig: File unavailable (e.g., file not found, no access)
=> Attempting to fetch ftp://ftp.franken.de/pub/crypt/mirror/ftp.gnupg.org/gcrypt/gnupg/gnupg-2.1.16.tar.bz2.sig
fetch: ftp://ftp.franken.de/pub/crypt/mirror/ftp.gnupg.org/gcrypt/gnupg/gnupg-2.1.16.tar.bz2.sig: size mismatch: expected 310, actual 597
=> Attempting to fetch ftp://mirror.switch.ch/mirror/gnupg/gnupg/gnupg-2.1.16.tar.bz2.sig
fetch: ftp://mirror.switch.ch/mirror/gnupg/gnupg/gnupg-2.1.16.tar.bz2.sig: size mismatch: expected 310, actual 597
=> Attempting to fetch http://gd.tuwien.ac.at/privacy/gnupg/gnupg/gnupg-2.1.16.tar.bz2.sig
fetch: http://gd.tuwien.ac.at/privacy/gnupg/gnupg/gnupg-2.1.16.tar.bz2.sig: size mismatch: expected 310, actual 597
=> Attempting to fetch http://mirrors.dotsrc.org/gcrypt/gnupg/gnupg-2.1.16.tar.bz2.sig
fetch: http://mirrors.dotsrc.org/gcrypt/gnupg/gnupg-2.1.16.tar.bz2.sig: size mismatch: expected 310, actual 597
=> Attempting to fetch ftp://ftp.freenet.de/pub/ftp.gnupg.org/gcrypt/gnupg/gnupg-2.1.16.tar.bz2.sig
fetch: ftp://ftp.freenet.de/pub/ftp.gnupg.org/gcrypt/gnupg/gnupg-2.1.16.tar.bz2.sig: size mismatch: expected 310, actual 597
=> Attempting to fetch ftp://ftp.crysys.hu/pub/gnupg/gnupg/gnupg-2.1.16.tar.bz2.sig
fetch: ftp://ftp.crysys.hu/pub/gnupg/gnupg/gnupg-2.1.16.tar.bz2.sig: size mismatch: expected 310, actual 597
=> Attempting to fetch http://www.mirrorservice.org/sites/ftp.gnupg.org/gcrypt/gnupg/gnupg-2.1.16.tar.bz2.sig
fetch: http://www.mirrorservice.org/sites/ftp.gnupg.org/gcrypt/gnupg/gnupg-2.1.16.tar.bz2.sig: size mismatch: expected 310, actual 597
=> Attempting to fetch ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-2.1.16.tar.bz2.sig
fetch: ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-2.1.16.tar.bz2.sig: size mismatch: expected 310, actual 597
=> Attempting to fetch http://mirror.tje.me.uk/pub/mirrors/ftp.gnupg.org/gnupg/gnupg-2.1.16.tar.bz2.sig
fetch: http://mirror.tje.me.uk/pub/mirrors/ftp.gnupg.org/gnupg/gnupg-2.1.16.tar.bz2.sig: Operation timed out
=> Attempting to fetch ftp://ftp6.ua.freebsd.org/pub/FreeBSD/ports/distfiles/gnupg-2.1.16.tar.bz2.sig
fetch: ftp://ftp6.ua.freebsd.org/pub/FreeBSD/ports/distfiles/gnupg-2.1.16.tar.bz2.sig: File unavailable (e.g., file not found, no access)
=> Couldn't fetch it - please try to retrieve this
=> port manually into /usr/ports/distfiles/ and try again.
*** Error code 1

Stop.
make[1]: stopped in /usr/ports/security/gnupg
*** Error code 1

Stop.
make: stopped in /usr/ports/security/gnupg
** Command failed [exit code 1]: /usr/bin/script -qa /tmp/portupgrade20161203-11799-1hr7dj0 env UPGRADE_TOOL=portupgrade UPGRADE_PORT=gnupg-2.1.15 UPGRADE_PORT_VER=2.1.15 make
** Fix the problem and try again.
--->  ** Upgrade tasks 1: 0 done, 0 ignored, 0 skipped and 1 failed
** Listing the failed packages (-:ignored / *:skipped / !:failed)
        ! security/gnupg (gnupg-2.1.15) (fetch error)


# LC_ALL=C wget ftp://mirror.switch.ch/mirror/gnupg/gnupg/gnupg-2.1.16.tar.bz2.sig
--2016-12-03 13:06:41--  ftp://mirror.switch.ch/mirror/gnupg/gnupg/gnupg-2.1.16.tar.bz2.sig
           => 'gnupg-2.1.16.tar.bz2.sig'
Resolving mirror.switch.ch (mirror.switch.ch)... 130.59.113.36, 2001:620:0:1002::20
Connecting to mirror.switch.ch (mirror.switch.ch)|130.59.113.36|:21... connected.
Logging in as anonymous ... Logged in!
==> SYST ... done.    ==> PWD ... done.
==> TYPE I ... done.  ==> CWD (1) /mirror/gnupg/gnupg ... done.
==> SIZE gnupg-2.1.16.tar.bz2.sig ... 597
==> PASV ... done.    ==> RETR gnupg-2.1.16.tar.bz2.sig ... done.
Length: 597 (unauthoritative)

gnupg-2.1.16.tar.bz2.sig                                    100%[========================================================================================================================================>]     597  --.-KB/s    in 0.001s 

2016-12-03 13:06:42 (859 KB/s) - 'gnupg-2.1.16.tar.bz2.sig' saved [597]


# sha256 gnupg-2.1.16.tar.bz2.sig
SHA256 (gnupg-2.1.16.tar.bz2.sig) = b00b297eed7dcbbb259e960b9e4442de031124f41ea870efa5e7a367a9779fa7


# ls -lA gnupg-2.1.16.tar.bz2.sig
-rw-r--r--  1 tapochkin  tapochkin  597 Dec  3 13:06 gnupg-2.1.16.tar.bz2.sig


# grep "gnupg-2.1.16.tar.bz2.sig" /usr/ports/security/gnupg/distinfo
SHA256 (gnupg-2.1.16.tar.bz2.sig) = 91dd1279956a533a721f3e2dc06a092248cea8bd9a5259dc19f8d7573c1d3d12
SIZE (gnupg-2.1.16.tar.bz2.sig) = 310


# ls -lA /usr/ports/security/gnupg/distinfo
-rw-r--r--  1 root  wheel  297 Nov 22 09:22 /usr/ports/security/gnupg/distinfo
Comment 1 fmyoen 2016-12-06 10:23:42 UTC 
I've also contacted maintainer by e-mail from freshports page. Here is his reply:


> Hi, it looks like size/SHA256 sum is wrong for gnupg-2.1.16.tar.bz2.sig in
> distinfo:

It seems to be re-rolled. It's still available on distcache though:

=> Attempting to fetch http://distcache.FreeBSD.org/ports-distfiles/gnupg-2.1.16.tar.bz2.sig
gnupg-2.1.16.tar.bz2.sig                      100% of  310  B 4260 kBps 00m00s

It looks like they've added one more (expired?) signature.

$ gpg2 --verify gnupg-2.1.16.tar.bz2.sig.orig /usr/ports/distfiles/gnupg-2.1.16.tar.bz2
gpg: Signature made пятница, 18 ноября 2016 г. 18:58:06
gpg:                using RSA key D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
gpg: Good signature from "Werner Koch (dist sig)" [ultimate]

$ gpg2 --verify gnupg-2.1.16.tar.bz2.sig /usr/ports/distfiles/gnupg-2.1.16.tar.bz2
gpg: Signature made пятница, 18 ноября 2016 г. 18:58:06
gpg:                using RSA key D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
gpg: Good signature from "Werner Koch (dist sig)" [ultimate]
gpg: Signature made суббота, 19 ноября 2016 г. 07:18:00
gpg:                using RSA key 2071B08A33BD3F06
gpg: Good signature from "NIIBE Yutaka (GnuPG Release Key) <gniibe@fsij.org>" [expired]
gpg: Note: This key has expired!
Primary key fingerprint: 031E C253 6E58 0D8E A286  A9F2 2071 B08A 33BD 3F06

I guess I'll ask on the gnupg-devel maillist.

PS In the meantime, I suggest you opening a PR, I don't really maintain
security/gnupg.
Comment 2 Marcin Gryszkalis 2016-12-11 01:45:19 UTC 
Proposed patch for new sig in https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=215043
Comment 3 Adam Weinberger freebsd_committer freebsd_triage 2017-02-13 04:48:24 UTC 
The .sig files kept getting re-rolled, and I wound up removing them entirely.