On Wed, Apr 11, 2018 at 08:45:40PM +0200, Paul de Weerd wrote: > Hi Peter,
Hello Paul, > I downloaded those exact two files from the same IP addresses and the > signature verified OK for me: > > [weerd@pom] $ ftp -4 https://ftp.eu.openbsd.org/pub/OpenBSD/snapshots/amd64/i > > > Trying 193.156.26.18... > Requesting > https://ftp.eu.openbsd.org/pub/OpenBSD/snapshots/amd64/install63.iso > 100% |**************************************************| 339 MB 01:41 > 355909632 bytes received in 101.67 seconds (3.34 MB/s) > [weerd@pom] $ nBSD/snapshots/amd64/SHA256.sig > < > Trying 193.156.26.18... > Requesting > https://ftp.eu.openbsd.org/pub/OpenBSD/snapshots/amd64/SHA256.sig > 100% |**************************************************| 2152 00:00 > 2152 bytes received in 0.00 seconds (1.02 MB/s) > [weerd@pom] $ sd-63-base.pub -x SHA256.sig install63.iso > < > Signature Verified > install63.iso: OK > > (Note that I forced IPv4 as IPv6 was rather slow for me, but both > addresses match what your dig gave you). > > So, some options: > > Maybe you caught the mirror mid-update. Perhaps a bit fell over due > to cosmic radiation hitting your machine at the wrong moment, > affecting a bit of RAM. Maybe your storage medium is dying. > > Could be various reasons why it failed; can you try again and see if > it still fails? Try also on another machine, if you have one around. > I got WxAW3clMg3BLs/NBq58q9lMGlWFQLAOW5ToeltQlSyU= as a sha256 hash. > > Cheers, > > Paul 'WEiRD' de Weerd So I re-downloaded this file on another machine. It turned out to have your checksum (sha256 -b) and upon downloading another SHA256.sig it signify'ed correctly. But this leads me to ask questions: 1. doesn't the https mode ftp use some sort of authentication/integrity checking while it's downloading? It's encrypted and anyone with a bit of knowledge knows that if encryption is changed in-flight it will flip bits, but with a MAC/HMAC/GMAC it should detect any anomalies. Does ftp not check for this? 2. I use quite recently a new unencrypted wifi network but I have IPSEC enabled which uses aes-256 and auth hmac-sha2-256: SAD: esp tunnel from fd43:5602:29bd:16:0:dead:beef:16 to fd43:5602:29bd:16:0:dead:beef:1 spi 0x6ab04db8 auth hmac-sha2-256 enc aes-256 esp tunnel from fd43:5602:29bd:16:0:dead:beef:1 to fd43:5602:29bd:16:0:dead:beef:16 spi 0x780a14d0 auth hmac-sha2-256 enc aes-256 It is entirely possible that my IPSEC was off minutely and the gif tunnel inside it was not protected, but there was still the https... 3. The argument that this may have been modified by ftpmirror (or similar software) is good but I stat'ed the file and it's larger than what was downloaded by us on the second try. A cmp -l shows a lot of differences... here is the stat: theta$ touch test theta$ date Wed Apr 11 21:45:16 CEST 2018 theta$ stat test 1034 8616981 -rw-r--r-- 1 pjp pjp 0 0 "Apr 11 21:45:15 2018" "Apr 11 21:45:15 2018" "Apr 11 21:45:15 2018" 32768 0 0 test theta$ stat install63.iso 1034 8616961 -rw-r--r-- 1 pjp pjp 34424768 355905536 "Apr 11 20:59:23 2018" "Apr 11 19:33:47 2018" "Apr 11 19:33:47 2018" 32768 695360 0 install63.iso I did mount this iso with vnconfig is it possible that it was modified then? (and grew?). 4. Is it possible that there was an attack on the OpenBSD network infrastructure? 5. Or mine? Best regards, -peter
