Invalid signature & SHA256 mismatch of 3.14.14

Question

Invalid signature & SHA256 mismatch of 3.14.14

Closed this issue 3 months ago · 4 comments

pwn-all commented 7 months ago

Bug report

Describe your environment

Device: Notebook
OS name and version: Fedora Silverblue 40
IVPN app version: 3.14.2

Describe the problem

Not valid update file signature and SHA256 hash does not match.

Steps to reproduce:

Previously installed by official instruction (https://www.ivpn.net/knowledgebase/linux/fedora-silverblue/)
Try update the app

Observed Results:

error: importing RPMs: package ivpn-ui-3.14.14-1.x86_64 cannot be verified and repo ivpn-stable is GPG enabled: /var/cache/rpm-ostree/repomd/ivpn-stable-40-x86_64/packages/ivpn-ui-3.14.14-1.x86_64.rpm could not be verified.
/var/cache/rpm-ostree/repomd/ivpn-stable-40-x86_64/packages/ivpn-ui-3.14.14-1.x86_64.rpm: DIGEST: SIGNATURE: NOT OK

$ sha256sum /var/cache/rpm-ostree/repomd/ivpn-stable-40-x86_64/packages/ivpn-ui-3.14.14-1.x86_64.rpm
d2598298369c4d766d60e878bf48b2fa2a9ae5daae7b363561cb627bf9774aeb /var/cache/rpm-ostree/repomd/ivpn-stable-40-x86_64/packages/ivpn-ui-3.14.14-1.x86_64.rpm

Expected Results:

Normal update

stenya commented 3 months ago

v3.14.17

Answer 1 · 2024-09-09T13:19:30.000Z

I suppose this is because the RPM repository uses SHA1 hashes, which are not allowed by some modern distributions.
Related ticket: #390

Answer 2 · 2024-09-18T09:18:38.000Z

Tested updated from v3.14.14 to v3.14.17 on Fedora Silverblue 40, no issues found.
See #390 for further details.

Answer 3 · 2024-09-23T11:11:40.000Z

The RPM repository now uses the SHA-256 hash algorithm.