> From: openssl-users <openssl-users-boun...@openssl.org> On Behalf Of Dr. 
> Matthias St. Pierre
> Sent: Monday, 28 December, 2020 11:50

> I have no experience with zsh, but it seems that quoting is handled
> differently by zsh?

Is the problem that quoting is handled differently, or that he actually had 
Unicode left-double-quote and right-double-quote characters there rather than 
proper ASCII double-quote characters? That's how it appears in the message as I 
received it.

> At least it looks like the double quotes ended up in the GET line

Agreed.

> and you simply received an HTTP 404 Not Found (which is the reason why your
> digest isn’t correct.)

Agreed.

I'll add: Don't check the checksum. Check the signature:

1. Install an OpenPGP implementation such as gpg, if you don't already have 
one. (One may come with macOS; I have no idea.)

2. Download the .asc file corresponding to the tarball you downloaded.

3. Check the signature. With gpg2, for example:

   $ gpg2 --verify openssl-1.1.1i.tar.gz.asc openssl-1.1.1i.tar.gz
   gpg: Signature made 12/08/20 06:21:06 MST using RSA key ID 0E604491

Now, you presumably won't have the signing public key (for 1.1.1i that's a key 
owned by Matt Caswell) in your keyring. You can download it from a public 
keyserver and mark it as trusted, so you'll also get verification that the 
signature was generated with the correct key:

   gpg: Good signature from "Matt Caswell <m...@openssl.org>" [full]
   gpg:                 aka "Matt Caswell <fr...@baggins.org>" [full]

While checking the signature runs into all the well-documented issues with the 
PGP Web of Trust, it's still stronger (in the sense that it prunes more of the 
attack tree, under sensible threat models) than just checking the hash. And 
once you're set up to do it, it's a simpler operation for future downloads.

--
Michael Wojcik

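One detail worth pinning down when scripting step 3 above: `gpg --verify` exits 0 for a good signature from any key in the keyring, whether or not you have marked it trusted, so an automated check should also confirm which key made the signature. The script below is an added example, not code from the thread or from the OpenSSL project; it uses gpg's machine-readable `--status-fd` output (the `VALIDSIG` line carries the full fingerprint of the signing key) and succeeds only if that fingerprint matches the one you expect and no `BADSIG`/`ERRSIG`/`EXPKEYSIG`/`REVKEYSIG` line appears. The fingerprint argument is a placeholder: obtain the real one for the release signer out of band (for example from the project's published key list), not from this script.

```bash
#!/usr/bin/env bash
# Added example (not from the mailing-list thread): verify a release tarball's
# detached OpenPGP signature and pin the signing key's fingerprint, instead of
# relying on gpg's exit status alone.
set -euo pipefail

# check_gpg_status reads gpg status lines (from `gpg --status-fd 1`) on stdin.
# It succeeds only if a VALIDSIG line names the expected fingerprint and no
# BADSIG, ERRSIG, EXPKEYSIG or REVKEYSIG line is present.
# VALIDSIG format: "[GNUPG:] VALIDSIG <fingerprint> <date> <timestamp> ..."
check_gpg_status() {
    local expected_fpr="$1"
    local line valid=0 bad=0
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG ${expected_fpr} "*) valid=1 ;;
            "[GNUPG:] VALIDSIG "*) ;;   # signed by some other key: not good enough
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*)
                bad=1 ;;
        esac
    done
    [ "$valid" -eq 1 ] && [ "$bad" -eq 0 ]
}

# verify_tarball runs gpg against <tarball>.asc and <tarball> and feeds the
# status lines to check_gpg_status. The signer's public key must already be in
# the keyring (step 2/3 of the procedure in the message above).
# Usage: verify_tarball openssl-1.1.1i.tar.gz <EXPECTED_FINGERPRINT_HEX>
verify_tarball() {
    local tarball="$1" expected_fpr="$2"
    gpg --batch --status-fd 1 --verify "${tarball}.asc" "$tarball" 2>/dev/null \
        | check_gpg_status "$expected_fpr"
}

# Run only when invoked with arguments; sourcing the file just defines the functions.
if [ "$#" -ge 2 ]; then
    if verify_tarball "$1" "$2"; then
        echo "OK: $1 is signed by key $2"
    else
        echo "FAIL: $1 is not validly signed by key $2" >&2
        exit 1
    fi
fi
```

Because the check keys on the fingerprint rather than on the short key ID shown in the human-readable output (key IDs can collide), a signature from an unexpected key in the keyring is rejected even though gpg itself would have reported it as good.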