
#1 2020-07-13 19:17:44

account2
Member
Registered: 2019-05-20
Posts: 10

BAD pgp signature, md5, sha1 on 2020.07.01 iso (torrent)

https://www.archlinux.org/releng/releases/2020.07.01/

MD5: 64aeb30b17cbfa74c2b4b17960623ad8
SHA1: 8bcd9ef5d7bd22a5e1de671905abaf07ca8cd7f5
PGP fingerprint: 0x9741E8AC

I downloaded the iso, `archlinux-2020.07.01-x86_64.iso`, via torrent and its pgp sig, `archlinux-2020.07.01-x86_64.iso.sig`, and I get:

```
$ md5sum ./archlinux-2020.07.01-x86_64.iso
7d4d9c1a52ede7d19feda201106dd06c  ./archlinux-2020.07.01-x86_64.iso
```

```
$ sha1sum ./archlinux-2020.07.01-x86_64.iso
49ee0da8a346ec9533835f94f05c21cd60efbb58  ./archlinux-2020.07.01-x86_64.iso
```

```
$ gpg --keyserver-options auto-key-retrieve --verify archlinux-2020.07.01-x86_64.iso.sig
gpg: assuming signed data in 'archlinux-2020.07.01-x86_64.iso'
gpg: Signature made Wed 01 Jul 2020 02:43:40 AM EDT
gpg:                using RSA key 4AA4767BBC9C4B1D18AE28B77F2D434B9741E8AC
gpg: BAD signature from "Pierre Schmitz <pierre@archlinux.de>" [unknown]
```

```
$ sudo pacman-key -v archlinux-2020.07.01-x86_64.iso.sig
[sudo] password for qio:
==> Checking archlinux-2020.07.01-x86_64.iso.sig... (detached)
gpg: Signature made Wed 01 Jul 2020 02:43:40 AM EDT
gpg:                using RSA key 4AA4767BBC9C4B1D18AE28B77F2D434B9741E8AC
gpg: BAD signature from "Pierre Schmitz <pierre@archlinux.de>" [full]
==> ERROR: The signature identified by archlinux-2020.07.01-x86_64.iso.sig could not be verified.
```

Note: same results after running `sudo pacman-key --refresh-keys`.

Last edited by account2 (2020-07-13 19:49:37)


#2 2020-07-13 19:37:30

mpan
Member
Registered: 2012-08-01
Posts: 1,205

Re: BAD pgp signature, md5, sha1 on 2020.07.01 iso (torrent)

Can’t reproduce. I’ve just re-downloaded the ISO and checked it. I have a valid signature and the right checksums (which are different than yours).

With torrent download this should not happen, but a sanity check: are you sure the file is fully downloaded? 678428672 bytes?

Last edited by mpan (2020-07-13 19:38:08)


Sometimes I seem a bit harsh — don’t get offended too easily!


#3 2020-07-13 19:39:54

account2
Member
Registered: 2019-05-20
Posts: 10

Re: BAD pgp signature, md5, sha1 on 2020.07.01 iso (torrent)

mpan wrote:

Can’t reproduce. I’ve just re-downloaded the ISO and checked it. I have a valid signature and the right checksums (which are different than yours).

With torrent download this should not happen, but a sanity check: are you sure the file is fully downloaded? 678428672 bytes?

```
678428672 Jul 13 14:46 archlinux-2020.07.01-x86_64.iso
```

Yep '3'


#4 2020-07-13 19:47:16

account2
Member
Registered: 2019-05-20
Posts: 10

Re: BAD pgp signature, md5, sha1 on 2020.07.01 iso (torrent)

Re-downloaded iso via torrent.
This time, different md5 altogether:

```
$ md5sum archlinux-2020.07.01-x86_64.iso
e035f4a45996ace06980be579cafd588  archlinux-2020.07.01-x86_64.iso
```

: p

Re-downloaded iso via Hong-Kong mirror: http://mirror-hk.koddos.net/archlinux/iso/2020.07.01/
This time, correct sums and the pgp sig check out:

```
$ md5sum archlinux-2020.07.01-x86_64.iso
64aeb30b17cbfa74c2b4b17960623ad8  archlinux-2020.07.01-x86_64.iso
```

```
$ sha1sum archlinux-2020.07.01-x86_64.iso
8bcd9ef5d7bd22a5e1de671905abaf07ca8cd7f5  archlinux-2020.07.01-x86_64.iso
```

```
$ gpg --keyserver-options auto-key-retrieve --verify archlinux-2020.07.01-x86_64.iso.sig
gpg: assuming signed data in 'archlinux-2020.07.01-x86_64.iso'
gpg: Signature made Wed 01 Jul 2020 02:43:40 AM EDT
gpg:                using RSA key 4AA4767BBC9C4B1D18AE28B77F2D434B9741E8AC
gpg: Good signature from "Pierre Schmitz <pierre@archlinux.de>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 4AA4 767B BC9C 4B1D 18AE  28B7 7F2D 434B 9741 E8AC
```

Maybe qBittorrent is corrupting the downloads? Or maybe hardware issue? : o


#5 2020-07-13 19:49:28

mpan
Member
Registered: 2012-08-01
Posts: 1,205

Re: BAD pgp signature, md5, sha1 on 2020.07.01 iso (torrent)

Does that happen with older ISOs if you get them via qBittorrent?



#6 2020-07-13 19:54:42

account2
Member
Registered: 2019-05-20
Posts: 10

Re: BAD pgp signature, md5, sha1 on 2020.07.01 iso (torrent)

mpan wrote:

Does that happen with older ISOs if you get them via qBittorrent?

I torrented two Manjaro isos. One sha1summed to the posted value, and one didn't.

Mad sketch

I guess just local software/hardware issue. : p


#7 2020-07-13 20:03:28

mpan
Member
Registered: 2012-08-01
Posts: 1,205

Re: BAD pgp signature, md5, sha1 on 2020.07.01 iso (torrent)

I’ve just checked qBittorrent and it downloaded the ISO fine. It uses libtorrent-rasterbar, on which my normal client (Deluge) is based. So a bug in that is unlikely.

md5sum, sha1sum and gpg are working fine on Arch Linux: if they weren’t, I would expect the support channels to already be flooded with reports.

Perhaps the kernel or the drive itself. If the latter, there is bad news for you :(

Is this the latest kernel (I’m still on 5.6.7-arch1-1)? What is the output of those commands?

```
$ uname -a
$ pacman -Q linux coreutils gnupg
```


#8 2020-07-13 20:27:38

account2
Member
Registered: 2019-05-20
Posts: 10

Re: BAD pgp signature, md5, sha1 on 2020.07.01 iso (torrent)

mpan wrote:

I’ve just checked qBittorrent and it downloaded the ISO fine. It uses libtorrent-rasterbar, on which my normal client (Deluge) is based. So a bug in that is unlikely.

: o Ah. Thanks for narrowing it down.

mpan wrote:

md5sum, sha1sum and gpg are working fine on Arch Linux: if they weren’t, I would expect the support channels to already be flooded with reports.

Perhaps the kernel or the drive itself. If the latter, there is bad news for you :(

Is this the latest kernel (I’m still on 5.6.7-arch1-1)? What is the output of those commands?

```
$ uname -a
$ pacman -Q linux coreutils gnupg
```

```
$ uname -a
Linux ripsladesdargodegz 5.7.7-1-MANJARO #1 SMP PREEMPT Wed Jul 1 10:17:47 UTC 2020 x86_64 GNU/Linux
```

```
$ pacman -Q linux coreutils gnupg
linux419 4.19.131-1
coreutils 8.32-1
gnupg 2.2.20-4
```

I'm on Manjaro. : p (Actually trying to install Arch for the first time, for exploration.)

It might very well be the drive. I downloaded the Hong Kong iso to my ssd, while qBittorrent downloads them to an hdd (which is a big, encrypted volume, so who knows if that imposes any screwy overhead).

Trying several more isos, all of the ones downloaded to my ssd checksum fine while ~50% of those torrented to my hdd checksum wrong. xD

Also, forum Markdown support when? How do you do the code snippets? :v

Last edited by account2 (2020-07-13 20:28:18)


#9 2020-07-13 21:11:19

mpan
Member
Registered: 2012-08-01
Posts: 1,205

Re: BAD pgp signature, md5, sha1 on 2020.07.01 iso (torrent)

I believe that helping to prepare for an Arch install is still acceptable in Arch support channels, even if it’s done on another distribution. However, anything beyond that should be done on Arch, including determining the cause of the issues, if they persist.

  1. Write the ISO that validates fine.

  2. Execute `sync` (if it’s USB and not CD).

  3. Drop caches using `sudo sysctl vm.drop_caches=3`. That step is needed to ensure the following step is actually reading the written data from the medium.

  4. Checksum and compare: `sha1sum /dev/your-medium`.

The forum uses BBCode for formatting.


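The four steps in #9 as one script. This is an added example, not mpan’s code or anything shipped by Arch; the function name and the way it compares are my own, and it assumes coreutils (`sha1sum`, `head`, `wc`) plus the Linux `sysctl` interface. One detail the example handles: a USB stick or disc is almost always larger than the image, so hashing all of `/dev/your-medium` gives a different sum even when the write was perfect. The function therefore hashes only the first image-size bytes read back from the device, after `sync` and, when it runs as root against a real block device, a page-cache drop so the read really comes from the medium. A regular file can stand in for the device, which is how it can be tried without a stick.

```shell
#!/bin/sh
# verify_written_medium ISO DEVICE
# Compare the SHA1 of ISO with the SHA1 of the first <size of ISO> bytes read
# back from DEVICE. Returns 0 on match, 1 on mismatch, 2 on missing input.
# Assumptions: coreutils on PATH; Linux sysctl for the cache drop.
verify_written_medium() {
    iso=$1 dev=$2
    [ -f "$iso" ] && [ -e "$dev" ] || { echo "verify_written_medium: missing input" >&2; return 2; }

    # Bytes to read back. `wc -c <` is portable where `stat -c %s` is GNU-only;
    # tr strips the leading blanks some wc implementations print.
    size=$(wc -c < "$iso" | tr -d ' ')

    # Flush dirty pages so the data is on the medium before we read it back.
    sync

    # Reading right after writing would mostly hit the page cache and prove
    # nothing about the medium. Dropping caches needs root and only matters for
    # a real block device; for a regular stand-in file the step is skipped.
    if [ -b "$dev" ] && [ "$(id -u)" -eq 0 ]; then
        sysctl -q vm.drop_caches=3
    fi

    expected=$(sha1sum "$iso" | cut -d' ' -f1)
    # Only the image-sized prefix of the device is hashed; the rest of the
    # stick (old data, zeros, padding) is irrelevant to the comparison.
    actual=$(head -c "$size" "$dev" | sha1sum | cut -d' ' -f1)

    if [ "$expected" = "$actual" ]; then
        echo "OK: first $size bytes of $dev match $iso ($actual)"
        return 0
    fi
    echo "MISMATCH: $iso=$expected $dev=$actual" >&2
    return 1
}

# On a real stick, as root:
#   verify_written_medium archlinux-2020.07.01-x86_64.iso /dev/sdX
```

If the ISO itself verified (checksums and signature) and this check fails, the write path or the medium is the problem; if the ISO did not verify, the result is meaningless and the file should be re-downloaded first.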

#10 2020-07-13 21:48:53

account2
Member
Registered: 2019-05-20
Posts: 10

Re: BAD pgp signature, md5, sha1 on 2020.07.01 iso (torrent)

mpan wrote:

Write the ISO that validates fine.

Take an iso that checksums well and move it to the hdd? : o

mpan wrote:

Execute `sync` (if it’s USB and not CD).

Did this on my hdd; no output.

mpan wrote:

Drop caches using `sudo sysctl vm.drop_caches=3`. That step is needed to ensure the following step is actually reading the written data from the medium.

```
$ sudo sysctl vm.drop_caches=3
vm.drop_caches = 3
```
mpan wrote:

Checksum and compare: `sha1sum /dev/your-medium`.

iso still checksums well.

Last edited by account2 (2020-07-13 21:49:37)


#11 2020-07-13 22:20:55

mpan
Member
Registered: 2012-08-01
Posts: 1,205

Re: BAD pgp signature, md5, sha1 on 2020.07.01 iso (torrent)

No. I mean writing it to the medium you want to use for installation. USB flash or CD, whichever you are going to use.



#12 2020-07-14 08:43:52

schard
Forum Moderator
From: Hannover
Registered: 2016-05-06
Posts: 1,975

Re: BAD pgp signature, md5, sha1 on 2020.07.01 iso (torrent)

Rather than suggesting a bad hard drive, it is certainly possible that the OP just downloaded a defective or malicious ISO from a random peer.
An "it works for me" is useless as long as you have not verified that you torrented from the same peer(s) as the OP.
The PGP signature and checksums are there as a mechanism to detect either broken or malicious ISOs distributed through a P2P network.
If they don't match, discard the torrented file. In the best case it's broken. In the worst case, it contains malicious code.


macro_rules! yolo { { $($tokens:tt)* } => { unsafe { $($tokens)* } }; }

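The checks from #1, the `[unknown]` / "not certified" warning in #4 and the discard rule in #12 combined into one fail-closed function. This is an added example, not code from the thread or from the Arch project; the function name, the argument layout and the fingerprint comparison are mine, and it assumes coreutils `sha1sum` and GnuPG 2.x with the signing key already in the keyring. The published checksum catches a truncated or corrupted download but says nothing about who produced the image; the detached signature does, but `--keyserver-options auto-key-retrieve` will fetch whatever key the signature names, so a "Good signature" from a key gpg has never seen before is not a result on its own. The function therefore also requires the signing key's fingerprint to equal the one published out of band (in #4 gpg printed `4AA4 767B BC9C 4B1D 18AE 28B7 7F2D 434B 9741 E8AC`, whose last eight hex digits are the `0x9741E8AC` id on the release page), using gpg's machine-readable status lines rather than the locale-dependent text.

```shell
#!/bin/sh
# verify_iso ISO EXPECTED_SHA1 SIG EXPECTED_FINGERPRINT
# Returns 0 only if (a) sha1(ISO) == EXPECTED_SHA1, (b) gpg reports a valid
# detached signature SIG over ISO, and (c) the key that made the signature has
# the fingerprint EXPECTED_FINGERPRINT. Any other outcome returns non-zero, and
# the caller should discard the file, as #12 says.
# Assumptions: coreutils and GnuPG 2.x on PATH; the signer's public key is
# already in the keyring (e.g. `gpg --recv-keys <full fingerprint>`).
verify_iso() {
    iso=$1 expected_sha1=$2 sig=$3 expected_fpr=$4

    [ -f "$iso" ] && [ -f "$sig" ] || { echo "verify_iso: missing input" >&2; return 2; }

    # (a) Integrity: catches the truncated/corrupted torrent case from #1 and #4.
    actual_sha1=$(sha1sum "$iso" | cut -d' ' -f1)
    if [ "$actual_sha1" != "$expected_sha1" ]; then
        echo "verify_iso: SHA1 mismatch ($actual_sha1 != $expected_sha1); discard $iso" >&2
        return 1
    fi

    # (b) Authenticity: --status-fd 1 makes gpg print lines such as
    #     [GNUPG:] VALIDSIG <fpr> <date> <ts> <exp> <ver> <res> <pkalgo> <hash> <class> <primary-fpr>
    # on stdout; the human-readable "Good/BAD signature" text goes to stderr.
    if ! status=$(gpg --batch --status-fd 1 --verify "$sig" "$iso" 2>/dev/null); then
        echo "verify_iso: BAD or unverifiable signature; discard $iso" >&2
        return 1
    fi

    # (c) Key identity: compare the primary-key fingerprint from VALIDSIG with
    # the one published out of band. Normalise both (drop spaces, upper-case)
    # so a fingerprint copied with spaces from a web page still matches.
    want=$(printf '%s' "$expected_fpr" | tr -d ' ' | tr 'a-f' 'A-F')
    got=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG /{print $NF; exit}')
    if [ -z "$got" ] || [ "$got" != "$want" ]; then
        echo "verify_iso: signed by key '$got', expected '$want'; discard $iso" >&2
        return 1
    fi

    echo "verify_iso: $iso OK (sha1 match, valid signature from $got)"
    return 0
}

# Typical call, with the SHA1 and fingerprint copied from the release page:
#   verify_iso archlinux-2020.07.01-x86_64.iso 8bcd9ef5d7bd22a5e1de671905abaf07ca8cd7f5 \
#              archlinux-2020.07.01-x86_64.iso.sig 4AA4767BBC9C4B1D18AE28B77F2D434B9741E8AC
```

The order matters only for speed: the checksum is cheap and fails first on a broken download, but the decision to keep the file rests on the signature and the fingerprint, never on the checksum alone, because a mirror or peer that can serve a modified ISO can serve matching checksums just as easily.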

#13 2020-07-14 11:18:28

mpan
Member
Registered: 2012-08-01
Posts: 1,205

Re: BAD pgp signature, md5, sha1 on 2020.07.01 iso (torrent)

I doubt that and find a kernel or hardware issue a more plausible explanation, unless an actual report about the attack can be produced. I would rather believe that malware is already on account2’s computer and is modifying ISOs, if I have to assume foul play. The reasons?

  1. We have 3 different invalid files. That implies spending at least 120k€ on the attack. No one spends such amount of money to attack a random account2, so we should be observing a widespread, ongoing attack. Do we?

  2. By pure coincidence a day earlier I was downloading that ISO through torrent perhaps a dozen times. No problem detected on my side. Why am I excluded from the attack?

  3. Why did the attacker spend money on producing at least two different versions of the same ISO if one would be enough?

The torrent file offers a selection of webseeds, so the attack is not very effective against users with webseed-capable clients. Does one pay 120k€ for an attack if it can’t deliver results? But I exclude this from my doubts list above, because I have no actual data on webseed usage and I can imagine a rare scenario in which someone would spend even more for a chance of getting access to a few machines.

