On Sat, Oct 31, 2015 at 11:40:22AM +0100, Guido Günther wrote: > Hi Daniel, > On Sat, Oct 31, 2015 at 02:01:54PM +0800, Daniel Veillard wrote: > > Hi Guido, > > > > On Fri, Oct 30, 2015 at 10:00:41PM +0100, Guido Günther wrote: > > > On Thu, Oct 29, 2015 at 03:28:51PM +0800, Daniel Veillard wrote: > > > > As pointed our on Tuesday it's time for a new release. I have tagged > > > > the release candidate 1 in git and pushed signed tarball and rpms to > > > > the usual place at: > > > > > > > > ftp://libvirt.org/libvirt/ > > > > > > > > Based on my limited testing this works just fine, but that's very limited > > > > and doesn't test portability at all, so please give it a try ! > > > > > > I'm having trouble verifying the signature: > > > > > > $ gpg --verify libvirt-1.2.21-rc1.tar.gz.pgp libvirt-1.2.21-rc1.tar.gz > > > gpg: Signature made Do 29 Okt 2015 07:41:52 CET > > > gpg: using DSA key 0x4606B8A5DE95BC1F > > > gpg: please do a --check-trustdb > > > gpg: BAD signature from "Daniel Veillard (Red Hat work email) <veillard@xxxxxxxxxx>" [unknown] > > > > > > while verifying e.g. 1.2.20 works as expected. > > > > Hum, where is libvirt-1.2.21-rc1.tar.gz.pgp coming from ? I only uploaded > > libvirt-1.2.21-rc1.tar.gz.asc ! > > It's the same file. Debian's uscan just renames it after download. > > > > > that said indeed there is an issue with rc1 signing ... > > > > [root@libvirt libvirt]# gpg2 --keyserver hkp://pgp.mit.edu --recv-keys DE95BC1Fgpg: requesting key DE95BC1F from hkp server pgp.mit.edu > > gpg: /root/.gnupg/trustdb.gpg: trustdb created > > gpg: key DE95BC1F: public key "Daniel Veillard (Red Hat work email) <veillard@xxxxxxxxxx>" imported > > gpg: no ultimately trusted keys found > > gpg: Total number processed: 1 > > gpg: imported: 1 > > [root@libvirt libvirt]# gpg --verify libvirt-1.2.20.tar.gz.asc libvirt-1.2.20.tar.gz > > gpg: Signature made Fri 02 Oct 2015 01:12:08 PM CEST using DSA key ID DE95BC1F > > gpg: Good signature from "Daniel Veillard (Red Hat work email) <veillard@xxxxxxxxxx>" > > gpg: aka "Daniel Veillard <Daniel.Veillard@xxxxxx>" > > gpg: WARNING: This key is not certified with a trusted signature! > > gpg: There is no indication that the signature belongs to the owner. > > Primary key fingerprint: C744 15BA 7C9C 7F78 F02E 1DC3 4606 B8A5 DE95 BC1F > > [root@libvirt libvirt]# gpg --verify libvirt-1.2.21-rc1.tar.gz.asc libvirt-1.2.21-rc1.tar.gz > > gpg: Signature made Thu 29 Oct 2015 07:41:52 AM CET using DSA key ID DE95BC1F > > gpg: BAD signature from "Daniel Veillard (Red Hat work email) <veillard@xxxxxxxxxx>" > > [root@libvirt libvirt]# > > > > I verified, the libvirt-1.2.21-rc1.tar.gz.asc present on libvirt server is > > the same that I have left in my working dir of the machine where I assembled > > the release. > > On the other hand libvirt-1.2.21-rc1.tar.gz diverges > > > > thinkpad2:~/libvirt -> sha256sum libvirt-1.2.21-rc1.tar.gz > > 3cc9f2882a145562ee41b8369a8c3d1cb0f383fe13c3e39ac923f712bf8614d0 libvirt-1.2.21-rc1.tar.gz > > thinkpad2:~/libvirt -> > > > > and > > > > [root@libvirt libvirt]# sha256sum libvirt-1.2.21-rc1.tar.gz > > 00cce64d4eb906f294921effab7b0128dbded46da614f9d88681abdb80af0ae2 libvirt-1.2.21-rc1.tar.gz > > [root@libvirt libvirt]# > > > > I remember that I interrupted the rsync when pushing the release and restarted > > it this may have introduced that divergence, I reuploaded the rc1: > > > > [root@libvirt libvirt]# sha256sum libvirt-1.2.21-rc1.tar.gz > > 3cc9f2882a145562ee41b8369a8c3d1cb0f383fe13c3e39ac923f712bf8614d0 libvirt-1.2.21-rc1.tar.gz > > [root@libvirt libvirt]# sha256sum libvirt-1.2.21-rc1.tar.gz.asc > > 9bfb1fe53c5d1457d5bc6a4f7ce4661ad925210f9ab2708bd0c523accf16f5e5 libvirt-1.2.21-rc1.tar.gz.asc > > [root@libvirt libvirt]# gpg --verify libvirt-1.2.21-rc1.tar.gz.asc libvirt-1.2.21-rc1.tar.gz > > gpg: Signature made Thu 29 Oct 2015 07:41:52 AM CET using DSA key ID DE95BC1F > > gpg: Good signature from "Daniel Veillard (Red Hat work email) <veillard@xxxxxxxxxx>" > > gpg: aka "Daniel Veillard <Daniel.Veillard@xxxxxx>" > > gpg: WARNING: This key is not certified with a trusted signature! > > gpg: There is no indication that the signature belongs to the owner. > > Primary key fingerprint: C744 15BA 7C9C 7F78 F02E 1DC3 4606 B8A5 DE95 BC1F > > [root@libvirt libvirt]# > > > > and that version is fine, > > Indeed. With the new tarball it verifies correctly. Thanks! Good, and after verifications the old one was really broken: thinkpad2:/tmp -> tar xvzf libvirt-1.2.21-rc1.tar.gz.broken .... libvirt-1.2.21/po/hi.po gzip: stdin: unexpected end of file tar: Unexpected EOF in archive tar: Unexpected EOF in archive tar: Error is not recoverable: exiting now thinkpad2:/tmp -> So it's a case of restarting an rsync -P after an user interruption where the copied file ends up being corrupted, there is a bug somewhere but nothing malicious :-) Daniel > Cheers, > -- Guido > > > > > thanks for the heads-up ! > > > > Daniel > > > > -- > > Daniel Veillard | Open Source and Standards, Red Hat > > veillard@xxxxxxxxxx | libxml Gnome XML XSLT toolkit http://xmlsoft.org/ > > http://veillard.com/ | virtualization library http://libvirt.org/ > > -- Daniel Veillard | Open Source and Standards, Red Hat veillard@xxxxxxxxxx | libxml Gnome XML XSLT toolkit http://xmlsoft.org/ http://veillard.com/ | virtualization library http://libvirt.org/ -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list