Mailing List Archive

Fwd: [Bug 65665] New: signature file for source tarball has incorrect file name in it
I tried to fix the below with r1894662:

Index: r3-push-release-tars.sh
===================================================================
--- r3-push-release-tars.sh (revision 1894661)
+++ r3-push-release-tars.sh (working copy)
@@ -86,6 +86,11 @@
dest=`echo $file | sed -e "s/${FULL_VERSION}/${VERSION}/"`
svn mv "$file" "$dest"
done
+ # fix the filenames in the hash files (PR65665)
+ echo "fixing ${FULL_VERSION} filename to ${VERSION} in hash files"
+ for file in "${AO_DIST_RELEASE_PATH}/${PROJECT}-${FULL_VERSION}".tar.*.sha* do
+ perl -pe "s/${FULL_VERSION}/${VERSION}/" -i $file
+ done
fi
svn mv "${AO_DIST_DEV_PATH}/CHANGES_${VERSION}" "${AO_DIST_RELEASE_PATH}"/

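Review bot: the glob in the new loop, `"${AO_DIST_RELEASE_PATH}/${PROJECT}-${FULL_VERSION}".tar.*.sha*`, will not match anything, because the `svn mv "$file" "$dest"` loop directly above it has already renamed every file from its ${FULL_VERSION} name to its ${VERSION} name; the glob needs ${VERSION}, and when a glob matches nothing the shell passes the literal pattern to perl, which then fails on a file that does not exist. Three smaller points on the same lines: `do` follows the word list on the same line with no `;` or newline before it, which the shell rejects; `$file` is unquoted in the perl invocation; and `s/${FULL_VERSION}/${VERSION}/` treats the dots in a version such as 2.4.51-rc1 as regex wildcards, so `perl -pi -e "s/\Q${FULL_VERSION}\E/${VERSION}/" "$file"` is the safer form. Finally, the loop only visits `.sha*` files, so any `.md5` hash file still in the release directory keeps the old name.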

Any comments?

Regards

Rüdiger

-------- Forwarded Message --------
Subject: [Bug 65665] New: signature file for source tarball has incorrect file name in it
Date: Fri, 29 Oct 2021 18:21:55 +0000
From: bugzilla@apache.org
Reply-To: Apache HTTPD Bugs Notification List <bugs@httpd.apache.org>
To: bugs@httpd.apache.org

https://bz.apache.org/bugzilla/show_bug.cgi?id=65665

Bug ID: 65665
Summary: signature file for source tarball has incorrect file name in it
Product: Apache httpd-2
Version: 2.4.51
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P2
Component: Build
Assignee: bugs@httpd.apache.org
Reporter: mehul.sanghvi@gmail.com
Target Milestone: ---

When trying to use `sha256sum --check` to verify the tar.gz I get the
following:

% sha256sum --check httpd-2.4.51.tar.gz.sha256
sha256sum: httpd-2.4.51-rc1.tar.gz: No such file or directory
httpd-2.4.51-rc1.tar.gz: FAILED open or read
sha256sum: WARNING: 1 listed file could not be read

% cat httpd-2.4.51.tar.gz.sha256
c2cedb0b47666bea633b44d5b3a2ebf3c466e0506955fbc3012a5a9b078ca8b4 *httpd-2.4.51-rc1.tar.gz

As can be seen, the filename listed in the signature file is wrong.

If anyone is doing automated signature verification, that is going to fail for
no reason as the signature is correct, only the filename is wrong.

This is also true for the tar.bz2 signature.
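
The failure shown in the bug report, reproduced and worked around, as an added example that is not part of this thread or of the httpd release scripts. It builds a constructed stand-in "tarball" whose .sha256 file still names the rc1 file, shows that `sha256sum --check` fails on it, checks the download by comparing digests directly (so the file name recorded in the hash file is ignored), and then rewrites the name inside the hash file with a literal match, the way the release side has to after renaming the files. Function names, the scratch directory and the stand-in content are my own; it assumes a POSIX sh plus coreutils `sha256sum` (or `shasum` where that is missing).

```shell
#!/bin/sh
# Added example, not httpd project code. Reproduces the PR65665 state (a hash
# file that names the RC tarball after the tarball itself was renamed) and
# shows a consumer-side check that does not trust the embedded file name and
# a release-side rewrite that matches the old name literally, not as a regex.
# Assumes POSIX sh and sha256sum (coreutils) or shasum.

# SHA-256 hex digest of a file, lower case, nothing else.
digest_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Plain `sha256sum --check`, run inside the directory holding the files; this
# is what fails when the hash file names a file that is not there.
check_hashfile() {
    if command -v sha256sum >/dev/null 2>&1; then
        (cd "$1" && sha256sum --check --status "$2")
    else
        (cd "$1" && shasum -a 256 --check --status "$2")
    fi
}

# Consumer side: compare the digest recorded in the hash file ($2) with the
# digest of the tarball actually downloaded ($1), ignoring the recorded name.
verify_by_digest() {
    expected=$(head -n 1 "$2" | cut -d' ' -f1 | tr 'A-F' 'a-f')
    actual=$(digest_of "$1")
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Release side: after the tarballs and hash files were renamed from
# $project-$full_version to $project-$version, rewrite the name inside each
# hash file. The old name is matched literally (the `.` in 2.4.51-rc1 is not
# a wildcard), $f is quoted, and .md5 files are covered as well as .sha*.
fix_hash_filenames() {
    dir=$1; project=$2; full_version=$3; version=$4
    old="$project-$full_version"; new="$project-$version"
    for f in "$dir/$project-$version".tar.*.sha* "$dir/$project-$version".tar.*.md5; do
        [ -f "$f" ] || continue   # an unmatched glob stays literal; skip it
        while IFS= read -r line || [ -n "$line" ]; do
            case $line in
                *"$old"*) prefix=${line%%"$old"*}; suffix=${line#*"$old"}
                          printf '%s\n' "$prefix$new$suffix" ;;
                *)        printf '%s\n' "$line" ;;
            esac
        done < "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    done
}

# Constructed scenario (not a real httpd tarball): tarball and hash file
# already carry the final name, but the hash file's content still says rc1.
setup_scenario() {
    work=$(mktemp -d)
    printf 'stand-in for the real tarball\n' > "$work/httpd-2.4.51.tar.gz"
    printf '%s *httpd-2.4.51-rc1.tar.gz\n' "$(digest_of "$work/httpd-2.4.51.tar.gz")" \
        > "$work/httpd-2.4.51.tar.gz.sha256"
    printf '%s\n' "$work"
}

# Walk through it: plain check fails, digest check passes, rewrite, plain check passes.
demo() {
    w=$(setup_scenario)
    check_hashfile "$w" httpd-2.4.51.tar.gz.sha256 && return 1
    verify_by_digest "$w/httpd-2.4.51.tar.gz" "$w/httpd-2.4.51.tar.gz.sha256" || return 1
    fix_hash_filenames "$w" httpd 2.4.51-rc1 2.4.51
    check_hashfile "$w" httpd-2.4.51.tar.gz.sha256 || return 1
    rm -rf "$w"
    echo "PR65665 scenario: plain check failed before the rewrite and passes after it"
}

demo
```

Comparing digests directly is the check to use in automation, since it does not break when the publisher gets the file name wrong; it is still only an integrity check against whatever digest the download site publishes, not a signature, and a hash file fetched from the same place as the tarball says nothing about who produced either.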
Re: [Bug 65665] New: signature file for source tarball has incorrect file name in it
> Am 02.11.2021 um 09:24 schrieb Ruediger Pluem <rpluem@apache.org>:
>
> I tried to fix the below with r1894662:
>
> Index: r3-push-release-tars.sh
> ===================================================================
> --- r3-push-release-tars.sh (revision 1894661)
> +++ r3-push-release-tars.sh (working copy)
> @@ -86,6 +86,11 @@
> dest=`echo $file | sed -e "s/${FULL_VERSION}/${VERSION}/"`
> svn mv "$file" "$dest"
> done
> + # fix the filenames in the hash files (PR65665)
> + echo "fixing ${FULL_VERSION} filename to ${VERSION} in hash files"
> + for file in "${AO_DIST_RELEASE_PATH}/${PROJECT}-${FULL_VERSION}".tar.*.sha* do
> + perl -pe "s/${FULL_VERSION}/${VERSION}/" -i $file
> + done
> fi
> svn mv "${AO_DIST_DEV_PATH}/CHANGES_${VERSION}" "${AO_DIST_RELEASE_PATH}"


I think the files have already been renamed at that point, so it should be
> + for file in "${AO_DIST_RELEASE_PATH}/${PROJECT}-${VERSION}".tar.*.sha* do
> + perl -pe "s/${FULL_VERSION}/${VERSION}/" -i $file
> + done


(and we should also no longer generate the .md5, I assume). Maybe not even the .sha1.

I'll do the changes and update apache dist.

Kind Regards,
Stefan


>
> Any comments?
>
> Regards
>
> Rüdiger
>
> -------- Forwarded Message --------
> Subject: [Bug 65665] New: signature file for source tarball has incorrect file name in it
> Date: Fri, 29 Oct 2021 18:21:55 +0000
> From: bugzilla@apache.org
> Reply-To: Apache HTTPD Bugs Notification List <bugs@httpd.apache.org>
> To: bugs@httpd.apache.org
>
> https://bz.apache.org/bugzilla/show_bug.cgi?id=65665
>
> Bug ID: 65665
> Summary: signature file for source tarball has incorrect file name in it
> Product: Apache httpd-2
> Version: 2.4.51
> Hardware: All
> OS: All
> Status: NEW
> Severity: normal
> Priority: P2
> Component: Build
> Assignee: bugs@httpd.apache.org
> Reporter: mehul.sanghvi@gmail.com
> Target Milestone: ---
>
> When trying to use `sha256sum --check` to verify the tar.gz I get the
> following:
>
> % sha256sum --check httpd-2.4.51.tar.gz.sha256
> sha256sum: httpd-2.4.51-rc1.tar.gz: No such file or directory
> httpd-2.4.51-rc1.tar.gz: FAILED open or read
> sha256sum: WARNING: 1 listed file could not be read
>
> % cat httpd-2.4.51.tar.gz.sha256
> c2cedb0b47666bea633b44d5b3a2ebf3c466e0506955fbc3012a5a9b078ca8b4 *httpd-2.4.51-rc1.tar.gz
>
> As can be seen, the filename listed in the signature file is wrong.
>
> If anyone is doing automated signature verification, that is going to fail for
> no reason as the signature is correct, only the filename is wrong.
>
> This is also true for the tar.bz2 signature.
>
>
>
>
>
Re: [Bug 65665] New: signature file for source tarball has incorrect file name in it
On 11/2/21 9:37 AM, stefan@eissing.org wrote:
>
>
>> Am 02.11.2021 um 09:24 schrieb Ruediger Pluem <rpluem@apache.org>:
>>
>> I tried to fix the below with r1894662:
>>
>> Index: r3-push-release-tars.sh
>> ===================================================================
>> --- r3-push-release-tars.sh (revision 1894661)
>> +++ r3-push-release-tars.sh (working copy)
>> @@ -86,6 +86,11 @@
>> dest=`echo $file | sed -e "s/${FULL_VERSION}/${VERSION}/"`
>> svn mv "$file" "$dest"
>> done
>> + # fix the filenames in the hash files (PR65665)
>> + echo "fixing ${FULL_VERSION} filename to ${VERSION} in hash files"
>> + for file in "${AO_DIST_RELEASE_PATH}/${PROJECT}-${FULL_VERSION}".tar.*.sha* do
>> + perl -pe "s/${FULL_VERSION}/${VERSION}/" -i $file
>> + done
>> fi
>> svn mv "${AO_DIST_DEV_PATH}/CHANGES_${VERSION}" "${AO_DIST_RELEASE_PATH}"
>
>
> I think the files have already been renamed at that point, so it should be

Good catch. I missed this.

>> + for file in "${AO_DIST_RELEASE_PATH}/${PROJECT}-${VERSION}".tar.*.sha* do
>> + perl -pe "s/${FULL_VERSION}/${VERSION}/" -i $file
>> + done
>
>
> (and we should also no more generated the .md5, I assume). Maybe no even the .sha1.

I missed running it against these, because they are no longer available on the download page. Hence it is a good point to remove their
generation. The only use case they could have nowadays that I can think of is users of old platforms that lack the tools for
checking newer hashes. OTOH these people would need to build httpd either without SSL or against a very outdated version of
OpenSSL that does not provide modern hashes, which seems weird too. So I think there are no real use cases any longer :-).

Regards

Rüdiger