Re: [Openvpn-devel] ***UNCHECKED*** Re: OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread David Sommerseth
On 21/06/17 15:11, Jonathan K. Bullard wrote:
> And I tried using a VPN : ) to download from London, hoping to get a
> different CloudFlare server, but get the same (bad) .tar.gz and/or
> .tar.gz.asc as my original downloads.
> 
> Should swupdates.openvpn.net be publicly accessible? It doesn't
> resolve for me using Google DNS.

Sorry, I obviously made a typo:

$ host swupdate.openvpn.net
swupdate.openvpn.net has address 104.20.195.50
swupdate.openvpn.net has address 104.20.194.50

That should be public, and is "hidden" behind cloudflare, which seems to
challenge us from time to time with its caching.


-- 
kind regards,

David Sommerseth
OpenVPN Technologies, Inc




--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


Re: [Openvpn-devel] ***UNCHECKED*** Re: OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread Samuli Seppänen
On 21/06/2017 16:11, Jonathan K. Bullard wrote:
> On Wed, Jun 21, 2017 at 8:40 AM, David Sommerseth
>  wrote:
>> On 21/06/17 14:30, David Sommerseth wrote:
>>> On 21/06/17 13:48, Jonathan K. Bullard wrote:
>>>> On Wed, Jun 21, 2017 at 6:47 AM, Samuli Seppänen
>>>> wrote:
>>>>> The OpenVPN community project team is proud to release OpenVPN 2.4.3. It
>>>>> can be downloaded from here:
>>>>>
>>>>>
>>>>
>>>> Hi. Thanks for this release.
>>>>
>>>> Verifying the PGP signature on 2.3.17.tar.gz works fine (so did 2.4.2
>>>> a few weeks ago), but trying to verify the signature on 2.4.3.tar.gz
>>>> fails with:
>>>>
>>>> $ gpg2 -v --verify /XXX/openvpn-2.4.3.tar.gz.asc
>>>>
>>>> gpg: armor header: Version: GnuPG v1
>>>> gpg: assuming signed data in '/XXX/openvpn-2.4.3.tar.gz'
>>>> gpg: Signature made Wed Jun 21 06:19:19 2017 EDT
>>>> gpg: using RSA key D72AF3448CC2B034
>>>> gpg: using subkey D72AF3448CC2B034 instead of primary key 12F5F7B42F2B01E7
>>>> gpg: using pgp trust model
>>>> gpg: BAD signature from "OpenVPN - Security Mailing List
>>>> " [unknown]
>>>> gpg: binary signature, digest algorithm SHA1, key algorithm rsa4096
>>>>
>>>> The SHA256 of openvpn-2.4.3.tar.gz is
>>>>  84a01aa3df0c12a3552ca3baaa39d700137b5bce4b6de683fe87fb79bfa5df0b
>>>>
>>>> The SHA256 of openvpn-2.4.3.tar.gz.asc is
>>>>  695afa06fcf94f9e8bd2ee63267332d14e52fe24dd58c470e42dafbea371e437
>>>>
>>>> The files were downloaded from
>>>> https://openvpn.net/index.php/open-source/downloads.html at about
>>>> 10:24 UCT today from the New York City area.
>>>>
>>>> For reference, here is the output from verifying 2.3.17:
>>>>
>>>> $ gpg2 -v --verify /Users/jonathanbullard/Desktop/openvpn-2.3.17.tar.gz.asc
>>>>
>>>> gpg: armor header: Version: GnuPG v1
>>>> gpg: assuming signed data in
>>>> '/Users/jonathanbullard/Desktop/openvpn-2.3.17.tar.gz'
>>>> gpg: Signature made Wed Jun 21 06:18:55 2017 EDT
>>>> gpg: using RSA key D72AF3448CC2B034
>>>> gpg: using subkey D72AF3448CC2B034 instead of primary key 12F5F7B42F2B01E7
>>>> gpg: using pgp trust model
>>>> gpg: Good signature from "OpenVPN - Security Mailing List
>>>> " [unknown]
>>>> gpg: WARNING: This key is not certified with a trusted signature!
>>>> gpg:          There is no indication that the signature belongs to the
>>>> owner.
>>>> Primary key fingerprint: F554 A368 7412 CFFE BDEF  E0A3 12F5 F7B4 2F2B 01E7
>>>>      Subkey fingerprint: B596 06E2 D8C6 E10B 80BE  2B31 D72A F344 8CC2 B034
>>>> gpg: binary signature, digest algorithm SHA1, key algorithm rsa4096
>>>>
>>>> Any ideas or suggestions?
>>>
>>> I believe it is Cloudflare playing tricks on us again.
>>>
>>> Attached are the proper signature files and below a list of the SHA256 
>>> checksums:
>>>
>>> d300029416b045666f2dc957bdde407ba97894428b5ad8433df789e793ccc1d3  
>>> openvpn-2.3.17.tar.xz
>>> b206065f4a1720c022fde710c0449b5b25e9dda8ca2911a82bacf21b9fcb4e29  
>>> openvpn-2.3.17.tar.xz.asc
>>> 7aa86167a5b8923e54e8795b814ed77288c793671f59fd830d9ab76d4b480571  
>>> openvpn-2.4.3.tar.xz
>>> 9f5f089f4a4b3e270ddb53cb0b689f4c0bad89d7e2ee08a1d4666e7ab869f210  
>>> openvpn-2.4.3.tar.xz.asc
>>>
>>> This is based on the files I've already pushed to the Fedora builder 
>>> (koji), which
>>> I downloaded soon after the swupdates.openvpn.net server was updated.
>> Let's try to attach the _proper_ signature file for v2.4.3.  I managed to
>> send the signature for the previous (v2.4.2) release in the previous mail.
> 
> Thanks.
> 
> My original post was about the .tar.**gz**, but I downloaded (at about
> 12:45 UCT) both openvpn-2.4.3.tar.xz and openvpn-2.4.3.tar.xz.asc, and
> verifying fails. However, verifying the .tar.xz against the .asc in
> your email succeeds. So the problems seem to be with the .asc (for the
> tar.xz, at least), not with the .tar.gz itself.
> 
> And I tried using a VPN : ) to download from London, hoping to get a
> different CloudFlare server, but get the same (bad) .tar.gz and/or
> .tar.gz.asc as my original downloads.
> 
> Should swupdates.openvpn.net be publicly accessible? It doesn't
> resolve for me using Google DNS.
> 
> Best regards,
> 
> Jon
> 

Hi,

For whatever reason the following packages were incorrect:

  openvpn-2.4.3.tar.gz
  openvpn-2.4.3.tar.xz
  openvpn-2.4.3.zip

I suspect that the incorrect packages were the ones generated
automatically by my release script. The contents of those packages would
have been identical to the "official" packages, but the GPG signature
belonging to the correct package would not verify correctly.

Now all the files on the primary download server (swupdate) should be
correct. I will verify the files on the secondary server next and add
automated "download files from web and verify them with GnuPG" to my
release script.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock


0x40864578.asc
Description: application/pgp-keys


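Samuli's plan above is to have the release script fetch the published files and verify them with GnuPG; the Python below is an added illustration of that check (not OpenVPN's release script), run over already-downloaded files: it reads a sha256 listing in the two-space format David posted, flags any file whose digest differs from the listing (which is what exposed the stale .asc in this thread), and runs gpg --verify on each tarball, accepting a signature only from the key fingerprints quoted in Jon's output. It assumes gpg is on PATH and that each detached signature sits beside its tarball as <name>.asc.

```python
import hashlib
import subprocess
from pathlib import Path

# Release-key fingerprints quoted in the gpg output earlier in this thread, spaces
# removed. GOODSIG alone means "matches some keyring key"; pinning ties it to this key.
EXPECTED_FPRS = {"F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7",   # primary key
                 "B59606E2D8C6E10B80BE2B31D72AF3448CC2B034"}   # signing subkey

def parse_checksums(text):
    """Parse sha256sum-style lines ('<hex>  <name>') into {name: hex}."""
    out = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and len(parts[0]) == 64:
            out[parts[1].lstrip("*")] = parts[0].lower()
    return out

def parse_gpg_status(status_text, expected_fprs=EXPECTED_FPRS):
    """Classify 'gpg --status-fd' output; 'good' needs GOODSIG from a pinned key."""
    good, bad, fprs = False, False, set()
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] == "GOODSIG":
            good = True
        elif parts[1] in ("BADSIG", "ERRSIG"):
            bad = True
        elif parts[1] == "VALIDSIG":   # 3rd field: signing-key fpr, last: primary fpr
            fprs.update((parts[2], parts[-1]))
    if bad or not good:
        return "bad"
    return "good" if fprs & expected_fprs else "untrusted-key"

def verify_release(directory, checksum_text):
    # Every listed file must match its sha256; each tarball must also gpg-verify.
    results = {}
    for name, expected in parse_checksums(checksum_text).items():
        path = Path(directory) / name
        if not path.is_file():
            results[name] = "missing"
        elif hashlib.sha256(path.read_bytes()).hexdigest() != expected:
            results[name] = "sha256-mismatch"   # stale cached copy, as in this thread
        elif name.endswith(".asc"):
            results[name] = "sha256-ok"
        else:   # the detached signature sits beside the tarball as <name>.asc
            proc = subprocess.run(["gpg", "--status-fd", "1", "--verify",
                                   str(path) + ".asc", str(path)], capture_output=True, text=True)
            results[name] = parse_gpg_status(proc.stdout)
    return results
```

Call verify_release("/path/to/downloads", open("SHA256SUMS").read()) and treat anything other than "good" or "sha256-ok" as a failed release check.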

Re: [Openvpn-devel] ***UNCHECKED*** Re: OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread Jonathan K. Bullard
On Wed, Jun 21, 2017 at 8:40 AM, David Sommerseth
 wrote:
> On 21/06/17 14:30, David Sommerseth wrote:
>> On 21/06/17 13:48, Jonathan K. Bullard wrote:
>>> On Wed, Jun 21, 2017 at 6:47 AM, Samuli Seppänen  wrote:
>>>> The OpenVPN community project team is proud to release OpenVPN 2.4.3. It
>>>> can be downloaded from here:
>>>>
>>>>
>>>
>>> Hi. Thanks for this release.
>>>
>>> Verifying the PGP signature on 2.3.17.tar.gz works fine (so did 2.4.2
>>> a few weeks ago), but trying to verify the signature on 2.4.3.tar.gz
>>> fails with:
>>>
>>> $ gpg2 -v --verify /XXX/openvpn-2.4.3.tar.gz.asc
>>>
>>> gpg: armor header: Version: GnuPG v1
>>> gpg: assuming signed data in '/XXX/openvpn-2.4.3.tar.gz'
>>> gpg: Signature made Wed Jun 21 06:19:19 2017 EDT
>>> gpg: using RSA key D72AF3448CC2B034
>>> gpg: using subkey D72AF3448CC2B034 instead of primary key 12F5F7B42F2B01E7
>>> gpg: using pgp trust model
>>> gpg: BAD signature from "OpenVPN - Security Mailing List
>>> " [unknown]
>>> gpg: binary signature, digest algorithm SHA1, key algorithm rsa4096
>>>
>>> The SHA256 of openvpn-2.4.3.tar.gz is
>>>  84a01aa3df0c12a3552ca3baaa39d700137b5bce4b6de683fe87fb79bfa5df0b
>>>
>>> The SHA256 of openvpn-2.4.3.tar.gz.asc is
>>>  695afa06fcf94f9e8bd2ee63267332d14e52fe24dd58c470e42dafbea371e437
>>>
>>> The files were downloaded from
>>> https://openvpn.net/index.php/open-source/downloads.html at about
>>> 10:24 UCT today from the New York City area.
>>>
>>> For reference, here is the output from verifying 2.3.17:
>>>
>>> $ gpg2 -v --verify /Users/jonathanbullard/Desktop/openvpn-2.3.17.tar.gz.asc
>>>
>>> gpg: armor header: Version: GnuPG v1
>>> gpg: assuming signed data in
>>> '/Users/jonathanbullard/Desktop/openvpn-2.3.17.tar.gz'
>>> gpg: Signature made Wed Jun 21 06:18:55 2017 EDT
>>> gpg: using RSA key D72AF3448CC2B034
>>> gpg: using subkey D72AF3448CC2B034 instead of primary key 12F5F7B42F2B01E7
>>> gpg: using pgp trust model
>>> gpg: Good signature from "OpenVPN - Security Mailing List
>>> " [unknown]
>>> gpg: WARNING: This key is not certified with a trusted signature!
>>> gpg:  There is no indication that the signature belongs to the 
>>> owner.
>>> Primary key fingerprint: F554 A368 7412 CFFE BDEF  E0A3 12F5 F7B4 2F2B 01E7
>>>  Subkey fingerprint: B596 06E2 D8C6 E10B 80BE  2B31 D72A F344 8CC2 B034
>>> gpg: binary signature, digest algorithm SHA1, key algorithm rsa4096
>>>
>>> Any ideas or suggestions?
>>
>> I believe it is Cloudflare playing tricks on us again.
>>
>> Attached are the proper signature files and below a list of the SHA256 
>> checksums:
>>
>> d300029416b045666f2dc957bdde407ba97894428b5ad8433df789e793ccc1d3  
>> openvpn-2.3.17.tar.xz
>> b206065f4a1720c022fde710c0449b5b25e9dda8ca2911a82bacf21b9fcb4e29  
>> openvpn-2.3.17.tar.xz.asc
>> 7aa86167a5b8923e54e8795b814ed77288c793671f59fd830d9ab76d4b480571  
>> openvpn-2.4.3.tar.xz
>> 9f5f089f4a4b3e270ddb53cb0b689f4c0bad89d7e2ee08a1d4666e7ab869f210  
>> openvpn-2.4.3.tar.xz.asc
>>
>> This is based on the files I've already pushed to the Fedora builder (koji), 
>> which
>> I downloaded soon after the swupdates.openvpn.net server was updated.
> Let's try to attach the _proper_ signature file for v2.4.3.  I managed to
> send the signature for the previous (v2.4.2) release in the previous mail.

Thanks.

My original post was about the .tar.**gz**, but I downloaded (at about
12:45 UCT) both openvpn-2.4.3.tar.xz and openvpn-2.4.3.tar.xz.asc, and
verifying fails. However, verifying the .tar.xz against the .asc in
your email succeeds. So the problems seem to be with the .asc (for the
tar.xz, at least), not with the .tar.gz itself.

And I tried using a VPN : ) to download from London, hoping to get a
different CloudFlare server, but get the same (bad) .tar.gz and/or
.tar.gz.asc as my original downloads.

Should swupdates.openvpn.net be publicly accessible? It doesn't
resolve for me using Google DNS.

Best regards,

Jon



Re: [Openvpn-devel] ***UNCHECKED*** Re: OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread David Sommerseth
On 21/06/17 14:30, David Sommerseth wrote:
> On 21/06/17 13:48, Jonathan K. Bullard wrote:
>> On Wed, Jun 21, 2017 at 6:47 AM, Samuli Seppänen  wrote:
>>> The OpenVPN community project team is proud to release OpenVPN 2.4.3. It
>>> can be downloaded from here:
>>>
>>> 
>>
>> Hi. Thanks for this release.
>>
>> Verifying the PGP signature on 2.3.17.tar.gz works fine (so did 2.4.2
>> a few weeks ago), but trying to verify the signature on 2.4.3.tar.gz
>> fails with:
>>
>> $ gpg2 -v --verify /XXX/openvpn-2.4.3.tar.gz.asc
>>
>> gpg: armor header: Version: GnuPG v1
>> gpg: assuming signed data in '/XXX/openvpn-2.4.3.tar.gz'
>> gpg: Signature made Wed Jun 21 06:19:19 2017 EDT
>> gpg: using RSA key D72AF3448CC2B034
>> gpg: using subkey D72AF3448CC2B034 instead of primary key 12F5F7B42F2B01E7
>> gpg: using pgp trust model
>> gpg: BAD signature from "OpenVPN - Security Mailing List
>> " [unknown]
>> gpg: binary signature, digest algorithm SHA1, key algorithm rsa4096
>>
>> The SHA256 of openvpn-2.4.3.tar.gz is
>>  84a01aa3df0c12a3552ca3baaa39d700137b5bce4b6de683fe87fb79bfa5df0b
>>
>> The SHA256 of openvpn-2.4.3.tar.gz.asc is
>>  695afa06fcf94f9e8bd2ee63267332d14e52fe24dd58c470e42dafbea371e437
>>
>> The files were downloaded from
>> https://openvpn.net/index.php/open-source/downloads.html at about
>> 10:24 UCT today from the New York City area.
>>
>> For reference, here is the output from verifying 2.3.17:
>>
>> $ gpg2 -v --verify /Users/jonathanbullard/Desktop/openvpn-2.3.17.tar.gz.asc
>>
>> gpg: armor header: Version: GnuPG v1
>> gpg: assuming signed data in
>> '/Users/jonathanbullard/Desktop/openvpn-2.3.17.tar.gz'
>> gpg: Signature made Wed Jun 21 06:18:55 2017 EDT
>> gpg: using RSA key D72AF3448CC2B034
>> gpg: using subkey D72AF3448CC2B034 instead of primary key 12F5F7B42F2B01E7
>> gpg: using pgp trust model
>> gpg: Good signature from "OpenVPN - Security Mailing List
>> " [unknown]
>> gpg: WARNING: This key is not certified with a trusted signature!
>> gpg:  There is no indication that the signature belongs to the owner.
>> Primary key fingerprint: F554 A368 7412 CFFE BDEF  E0A3 12F5 F7B4 2F2B 01E7
>>  Subkey fingerprint: B596 06E2 D8C6 E10B 80BE  2B31 D72A F344 8CC2 B034
>> gpg: binary signature, digest algorithm SHA1, key algorithm rsa4096
>>
>> Any ideas or suggestions?
> 
> I believe it is Cloudflare playing tricks on us again.
> 
> Attached are the proper signature files and below a list of the SHA256 
> checksums:
> 
> d300029416b045666f2dc957bdde407ba97894428b5ad8433df789e793ccc1d3  
> openvpn-2.3.17.tar.xz
> b206065f4a1720c022fde710c0449b5b25e9dda8ca2911a82bacf21b9fcb4e29  
> openvpn-2.3.17.tar.xz.asc
> 7aa86167a5b8923e54e8795b814ed77288c793671f59fd830d9ab76d4b480571  
> openvpn-2.4.3.tar.xz
> 9f5f089f4a4b3e270ddb53cb0b689f4c0bad89d7e2ee08a1d4666e7ab869f210  
> openvpn-2.4.3.tar.xz.asc
> 
> This is based on the files I've already pushed to the Fedora builder (koji), 
> which
> I downloaded soon after the swupdates.openvpn.net server was updated.
Let's try to attach the _proper_ signature file for v2.4.3.  I managed to
send the signature for the previous (v2.4.2) release in the previous mail.

-- 
kind regards,

David Sommerseth
OpenVPN Technologies, Inc



openvpn-2.4.3.tar.xz.asc
Description: application/pgp-encrypted

