Install files verification fails

Started by jds, April 11, 2020, 11:11:38 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions
April 11, 2020, 11:11:38 PM
Am I the only one with this problem.  It seems straightforward enough.  Using the instructions from here:
https://docs.opnsense.org/manual/install.html#download-and-verification.  Have tried two different mirrors, two times each.
The latest one that I used is https://mirror.wdc1.us.leaseweb.net/opnsense/releases/20.1/.  I downloaded the four files to my harddrive:

OPNsense-20.1-OpenSSL-checksums-amd64.sha256 
OPNsense-20.1-OpenSSL-vga-amd64.img.bz2 
OPNsense-20.1-OpenSSL-vga-amd64.img.bz2.sig 
OPNsense-20.1.pub

Then ran
openssl base64 -d -in OPNsense-20.1-OpenSSL-vga-amd64.img.bz2.sig  -out image.sig
openssl dgst -sha256 -verify OPNsense-20.1.pub -signature image.sig OPNsense-20.1-OpenSSL-vga-amd64.img.bz2.sig

But receive:
Verification Failure

The public key file is the same on both mirrors.

I assume that I am just missing something stupid, and that the files have not been hacked.   ;D
April 14, 2020, 05:33:57 PM #1
I just tried it on another computer, but get the same result.  Has no one else actually tried to verify the files before installing?
April 14, 2020, 06:04:22 PM #2
I did two more checks.  I also get failed verification for the i386 images.  Secondly, I checked my notes, and was able to get successful verification a couple of months ago. 
April 14, 2020, 09:19:58 PM #3
I downloaded just now from the same mirror in your first post and the filehash appears to match for me. This is on a windows box without openssl so I can't run the other verification steps that you list.

Code Select
Get-FileHash .\OPNsense-20.1-OpenSSL-vga-amd64.img.bz2 -algorithm sha256

Algorithm       Hash                                                                   Path
---------       ----                                                                   ----
SHA256          019A877C4B4CB96CFDA62D041774A91C030C5A8ECD58F8C3FD0067C7AC392982       D:\downloads\OPNsense-20.1-Op...

PS D:\downloads> cat .\OPNsense-20.1-OpenSSL-checksums-amd64.sha256
SHA256 (OPNsense-20.1-OpenSSL-dvd-amd64.iso.bz2) = 4b15e9b3d72732d325c5eaf46ba34575d4de8cdc3e3ac1b10666c7372563be6d
SHA256 (OPNsense-20.1-OpenSSL-nano-amd64.img.bz2) = 27544a78ae03d480a483cfd2e7cfa703b60e50938a1ed188ec3ccde6c426fefe
SHA256 (OPNsense-20.1-OpenSSL-serial-amd64.img.bz2) = f93bbcbe92059c5de49f22d485da292952b48658a28d1cdaf83191e8c95c03c2
SHA256 (OPNsense-20.1-OpenSSL-vga-amd64.img.bz2) = 019a877c4b4cb96cfda62d041774a91c030c5a8ecd58f8c3fd0067c7ac392982
April 15, 2020, 05:28:08 PM #4
Thanks for checking that.  I just tried, too, and the hash code does check out.
April 17, 2020, 02:07:07 PM #5
# openssl dgst -sha256 -verify OPNsense-20.1.pub -signature image.sig OPNsense-20.1-OpenSSL-vga-amd64.img.bz2.sig
Verification Failure

# openssl dgst -sha256 -verify OPNsense-20.1.pub -signature image.sig OPNsense-20.1-OpenSSL-vga-amd64.img.bz2
Verified OK

¯\_(ツ)_/¯
April 19, 2020, 08:34:33 PM #6
It was indeed something stupid!  Thanks for spotting that.
April 20, 2020, 10:55:23 AM #7
No worries, happens to all of us. :)


Cheers,
Franco
Print
Go Up Pages1
User actions