Check sum errors in Update-OSS repo for 13.1 and 13.2

I need some help to see if this is a local internet problem or if the repodata files are incorrect. My script to mirror the repos is failing and I am seeing problems with the check sums for the gz files in repodata. Although the check sums do not match the file name, they match what is in the meta4 files. Can someone else try to download the files with aria2c and run sha256sum to see if the checksum matches what is in the file name? I do not want to create a bug until I can confirm that this is not a local problem. I did not have this problem when I did my sync last week. It started yesterday. The Update-NonOSS repos for 13.1 and 13.2 do not have the problem.

Thanks

Dave W

Link to one of the repodata files from the 13.1 Update-OSS repo. The sha256sum should match what is in the file name.
http://download.opensuse.org/repositories/openSUSE:/13.1:/Update/standard/repodata/3e8623df1a4e5c12a2b25b26ef1e38cf862260a1823f2f03d956f52c8ec7b7c1-filelists.xml.gz


For Update-OSS 13.1
Atlas:/atlas/Distributions/openSUSE/13.1/Update-OSS/repodata # sha256sum *.gz
869fd843d58b5336e0b521bcf0273f16feb4266fbdab7a26ffd700ba8560f996  155c75fee00b412c5b4884e5ae615ea4ec99dab1b30546d20872b797a4485aa8-deltainfo.xml.gz
19882a76fddea9db16e6217446b0efd2e900bf7aaeac8ec7507e53b9a7068c2f  3e8623df1a4e5c12a2b25b26ef1e38cf862260a1823f2f03d956f52c8ec7b7c1-filelists.xml.gz
067776ac123fd6ffb84887e543036d427811c80f4dc446bf6538f026ffb9c3e6  4b460d7dc98e6666f186f6018367b73825a6e964b7700265279423279c83fc21-primary.xml.gz
84911fb520e83bbfd6c237291540e6e4e4635598470a29751c4066e226f1b29c  5a87fa5408c75e5302f7475020690da9ef5e3921f3d880173e03f2a06589deb0-other.xml.gz
5c60fb53366390c6c41d49d1c37ef4f1ae6046109d8974e12b37e83dbef75475  5afc6cb78c11733eb7ae0cd9dfefc5a37fba3d6530ec285484cf419be9bc7e84-suseinfo.xml.gz
67cb84321b3f7e8f57f63dcc6607528721c6d2b6f6b4c5ac6a7fceb2ab281d00  82b6a6e8c8c86e2c3a38913fb08b1e87eb7f4ab80bd0706b1dbc6212c370b205-appdata.xml.gz
94cdded9128d25bdf539f1bfe6b1b4f7ef4ac44af6508d678235e9b92ea912ca  bda98194d73dca1c825419dbb6ae4d991473adb6c6c18a2f676c07ef7d64659e-updateinfo.xml.gz
8c2dc6b86b9062a7411afaaf0a996fca529c6cfc535a853ea23fa6856c92dae2  e401c0934cecc5ad4a07bcce66c1a37c3922cdcdba7afe1ac25e2d9def7859e3-app-icons.tar.gz

Atlas:/atlas/Distributions/openSUSE/13.1/Update-OSS/repodata # for i in `sha256sum *.gz|awk '{print $1}'`;do grep $i *.meta4;done
155c75fee00b412c5b4884e5ae615ea4ec99dab1b30546d20872b797a4485aa8-deltainfo.xml.gz.meta4:    <hash type="sha-256">869fd843d58b5336e0b521bcf0273f16feb4266fbdab7a26ffd700ba8560f996</hash>
3e8623df1a4e5c12a2b25b26ef1e38cf862260a1823f2f03d956f52c8ec7b7c1-filelists.xml.gz.meta4:    <hash type="sha-256">19882a76fddea9db16e6217446b0efd2e900bf7aaeac8ec7507e53b9a7068c2f</hash>
4b460d7dc98e6666f186f6018367b73825a6e964b7700265279423279c83fc21-primary.xml.gz.meta4:    <hash type="sha-256">067776ac123fd6ffb84887e543036d427811c80f4dc446bf6538f026ffb9c3e6</hash>
5a87fa5408c75e5302f7475020690da9ef5e3921f3d880173e03f2a06589deb0-other.xml.gz.meta4:    <hash type="sha-256">84911fb520e83bbfd6c237291540e6e4e4635598470a29751c4066e226f1b29c</hash>
82b6a6e8c8c86e2c3a38913fb08b1e87eb7f4ab80bd0706b1dbc6212c370b205-appdata.xml.gz.meta4:    <hash type="sha-256">67cb84321b3f7e8f57f63dcc6607528721c6d2b6f6b4c5ac6a7fceb2ab281d00</hash>
bda98194d73dca1c825419dbb6ae4d991473adb6c6c18a2f676c07ef7d64659e-updateinfo.xml.gz.meta4:    <hash type="sha-256">94cdded9128d25bdf539f1bfe6b1b4f7ef4ac44af6508d678235e9b92ea912ca</hash>
e401c0934cecc5ad4a07bcce66c1a37c3922cdcdba7afe1ac25e2d9def7859e3-app-icons.tar.gz.meta4:    <hash type="sha-256">8c2dc6b86b9062a7411afaaf0a996fca529c6cfc535a853ea23fa6856c92dae2</hash>

For Update-OSS 13.2
Atlas:/atlas/Distributions/openSUSE/13.2/Update-OSS/repodata # sha256sum *.gz
8bae83df9f838d57c3a278494ff96f42701bd3797d25f6817969732befd7a013  03f8cec0b5ba52d39c90891a512c6d2ca7d7b125aa1bed572372463bcbe37c5f-appdata.xml.gz
80b36b02d69dc46d2ba978a636a405d42d29caf7b66691cbe47b991771403882  5afc6cb78c11733eb7ae0cd9dfefc5a37fba3d6530ec285484cf419be9bc7e84-suseinfo.xml.gz
a465beabb207f6e03edf9b66d86012235ddea9b4bfc6dfa805984fba79c063a6  976343a7cf35eebe8fa123f0b877fe7ddbcb54b5d73923fa90b53585f4bde873-deltainfo.xml.gz
7ddd7fe64a6882990186943aca060881a0f910f69ca82b2f830887b9f8f40312  9ac4e4d5a215ac3698f6ea37d5a7bfceb8bf10adfcff3cb8ca1d03c445cbccd0-updateinfo.xml.gz
271b5b75091bb7a0615edef58bdef1bb58a64a000ff5149119152ae6d773f578  9bf17212a193276ed9fbecc8d4e3006e0dbb674ba0dec69030966e499afaac3f-app-icons.tar.gz
19f2b044ffd60a1ca5742b398fd5068feee463e14829d4be2e3ff852a5d934a5  bb5ebe3efa1f3da127659e52826aa644641283bda1d68ec2eca6e7922522b872-filelists.xml.gz
4b116665082fd232ce355198fca080267102f94fe147d6656dcc8c3c43e99ba2  d9499b0ce191a0d2f1474535bf14acd9f8b3f2fa5f212dce9b052563245fd5f7-other.xml.gz
e8a9390cb73bbdd81292f30585742ef0726d724e0cd06e5a65660c3d772fa50c  f3b59e681a09ae9caf6060251f74b4833c9bb99c90e1b207cb3d1ec0e7bdf784-primary.xml.gz

Atlas:/atlas/Distributions/openSUSE/13.2/Update-OSS/repodata # for i in `sha256sum *.gz|awk '{print $1}'`;do grep $i *.meta4;done
03f8cec0b5ba52d39c90891a512c6d2ca7d7b125aa1bed572372463bcbe37c5f-appdata.xml.gz.meta4:    <hash type="sha-256">8bae83df9f838d57c3a278494ff96f42701bd3797d25f6817969732befd7a013</hash>
976343a7cf35eebe8fa123f0b877fe7ddbcb54b5d73923fa90b53585f4bde873-deltainfo.xml.gz.meta4:    <hash type="sha-256">a465beabb207f6e03edf9b66d86012235ddea9b4bfc6dfa805984fba79c063a6</hash>
9ac4e4d5a215ac3698f6ea37d5a7bfceb8bf10adfcff3cb8ca1d03c445cbccd0-updateinfo.xml.gz.meta4:    <hash type="sha-256">7ddd7fe64a6882990186943aca060881a0f910f69ca82b2f830887b9f8f40312</hash>
9bf17212a193276ed9fbecc8d4e3006e0dbb674ba0dec69030966e499afaac3f-app-icons.tar.gz.meta4:    <hash type="sha-256">271b5b75091bb7a0615edef58bdef1bb58a64a000ff5149119152ae6d773f578</hash>
f3b59e681a09ae9caf6060251f74b4833c9bb99c90e1b207cb3d1ec0e7bdf784-primary.xml.gz.meta4:    <hash type="sha-256">e8a9390cb73bbdd81292f30585742ef0726d724e0cd06e5a65660c3d772fa50c</hash>

Bit confused: is this a single system, or multiple, some 13.1 and some 13.2? Just to make a wild guess: never mix repos from different versions on a single system. If not this, then perhaps you need to explain more about your configuration, since we can’t see over your shoulder.

I have thirty computers here. I found it was better to have a local mirror of the repos instead of trying to get all my computers to connect to the internet to update. We did not have the best internet. So when trying to mirror yesterday my script failed when testing checksums. I am seeing that the sha256sum does not match the file name, but it does match what is in the meta4 file. The check sum is supposed to match the beginning part of the file name.

Dave W

How do you mirror them?

If you use rsync, for example, it’ll do the checksumming for you.

My script uses aria2c because it is able to use the mirror brain system. The meta4 file that aria2c gets from download.opensuse.org tells the program where it can find local copies of files and what the checksums are. If it finds a bad copy it will then search for another host. I tried a single file download from a web page and got the same result. The sha256sum did not match the file name. RSYNC is blocked by the firewall, and I do not have control of the firewall. That is why I am asking for others to try and download one of the repodata files and check the checksums.

Dave W

I did some more digging. When you look into repomd.xml you can see what check sums it is looking for. In the repomd.xml from 24 May you can see the file name checksum matches the sha256sum check sum. When you look at 15 June the check sum in the file name does not match either check sum in the repomd.xml file. So we need to find out if there was an error in the build process or if someone is trying to tamper with the repo. If all of the checksums do not match up then something is wrong.

Dave W


From 15 June
  <data type="app-icons">
    <location href="repodata/**e401c0934cecc5ad4a07bcce66c1a37c3922cdcdba7afe1ac25e2d9def7859e3**-app-icons.tar.gz" />
    <checksum type="sha256">8c2dc6b86b9062a7411afaaf0a996fca529c6cfc535a853ea23fa6856c92dae2</checksum>
    <timestamp>1434366265</timestamp>
    <size>297314</size>
    <open-checksum type="sha256">8f7b053f237ed5a6a788913b5ae13a449e592cb251afe70edef592049128954f</open-checksum>
  </data>

From 24 May
<data type="app-icons">
  <checksum type="sha256">**de6fdd9cbb1af9b7f7badbaeec96300257ab63494c1616b732a1d48e457b61c7**</checksum>
  <open-checksum type="sha256">9dcc80e759e0a51eff37ce8e08cd0dcd461a74590153940dfde18ebd66eff208</open-checksum>
  <location href="repodata/**de6fdd9cbb1af9b7f7badbaeec96300257ab63494c1616b732a1d48e457b61c7**-app-icons.tar.gz"/>
  <timestamp>1432491310</timestamp>
  <size>49994</size>
</data>

On 2015-06-16 19:26, dwestf wrote:
>
> My script uses aria2c because it is able to use the mirror brain system.
> The meta4 file that aria2c gets from download.opensuse.org tells the
> program where it can find local copies of files and what the checksums
> are. If it finds a bad copy it will then search for another host. I
> tried a single file download from a web page and got the same result.
> The sha256sum did not match the file name. RSYNC is blocked by the
> firewall, and I do not have control of the firewall. That is why I am
> asking for others to try and download one of the repodata files and check
> the checksums.

Confirm, on 13.1, updates. I downloaded using wget.


cer@Telcontar:~/tmp/repodatatest> sha256sum -b *
3819ac6a154843c2acf94e154b8094132713a3493fc5e2107fe963752ab7ff17 *5afc6cb78c11733eb7ae0cd9dfefc5a37fba3d6530ec285484cf419be9bc7e84-suseinfo.xml.gz
cea66eb49ea01850dafec8354062c8370208c7fb2b92503437d35c3a79422892 *764f7dc83478ac29813cc414e5807f1c4b930015e57ddf7f3a89cf4e20d799b7-updateinfo.xml.gz
026addc5228b663b9512a666e0eb88ee46fb0ef034ea1637b952bd2ad1236fc5 *82b6a6e8c8c86e2c3a38913fb08b1e87eb7f4ab80bd0706b1dbc6212c370b205-appdata.xml.gz
fe9ee43a78689575a715bed46f7d4fd51a343da9376ddcdc985f754198ff0ddc *90b45c9c557116553db7ebf4c82791daf6a90f7f94b410388ad12fc28d6b4fa1-other.xml.gz
32ee5a8560def97ebece53e56953b51e4a9c8a04ea96ca187173a7614e8b3ce9 *95bd7f417b8e6c360288c88b107a9a2cc03750fb4d28ffe7710663b47170b619-filelists.xml.gz
89ff871b45edafb27d3fe7c57086c49fe41ac8023f092fa32f8784c3d430fd25 *99d709d0e071feb443c9b9eea943d53632ddfc6cea2a5593e27b00ad7d9f5e58-deltainfo.xml.gz
3a23e76e93f289f49f7f559f8ae5bb881f2799e16ac82e57c228a558cf9613f4 *b8b1155cb6af5584b98db97702b172b35a252ba56e00d866b2b4e4ae5ff0c008-app-icons.tar.gz
632bd2b9a0d8d2e8221aa291f25165218fc1e3fcb24605caa24555f95a41113e *f12ed9a95db0dc7656fe241f5b84c38e8048d6e85934eb46f363357d169a353c-primary.xml.gz
5fdf5b936a9168f974394dd15f1654d2f23242afc1e0d91339854ef4096c5924 *index.html
b5f4a497d6570bcc67723eeb520531a2bbb3f806a2b0d1a62d94d9a46a5b85e8 *repomd.xml
3531ea09f2607d103785e80c3675630d3f7768f9fc85e5ade9b74e31555580dc *repomd.xml.asc
d9bcde281be1c8d0e1f8e1b62e01d989fb820cc3de9f0b0a9dc1a83a8d8e6c4d *repomd.xml.key

However. Looking at the repomd.xml file, I see:


</data>
<data type="suseinfo">
<location href="repodata/5afc6cb78c11733eb7ae0cd9dfefc5a37fba3d6530ec285484cf419be9bc7e84-suseinfo.xml.gz" />
<checksum type="sha256">3819ac6a154843c2acf94e154b8094132713a3493fc5e2107fe963752ab7ff17</checksum>
<timestamp>1434455631</timestamp>
<size>180</size>
<open-checksum type="sha256">f3848374e7d385d6d3eb88e927be074b6d2edb5579751e6717e4ece4ea3be5e3</open-checksum>
</data>

As you see, the sha256 in there matches the locally calculated string, but not the file name.
Either the string in the name is incorrect, or is calculated using another algorithm.


Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)
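
The three-way comparison made in the posts above (hash in the file name, `<checksum>` in repomd.xml, hash of the downloaded file), as an added example that is not part of the original thread. It uses the two app-icons entries quoted from 24 May and 15 June; the `<repomd>` wrapper, the function names and the report strings are assumptions of this example.

```python
import hashlib
import xml.etree.ElementTree as ET
from pathlib import Path

NS = "{http://linux.duke.edu/metadata/repo}"
WRAP = '<repomd xmlns="http://linux.duke.edu/metadata/repo">%s</repomd>'

# Constructed samples: the two app-icons entries quoted in the thread, wrapped
# in a minimal <repomd> root (the wrapper is an assumption of this example).
JUNE_15 = WRAP % """<data type="app-icons">
  <location href="repodata/e401c0934cecc5ad4a07bcce66c1a37c3922cdcdba7afe1ac25e2d9def7859e3-app-icons.tar.gz"/>
  <checksum type="sha256">8c2dc6b86b9062a7411afaaf0a996fca529c6cfc535a853ea23fa6856c92dae2</checksum></data>"""
MAY_24 = WRAP % """<data type="app-icons">
  <checksum type="sha256">de6fdd9cbb1af9b7f7badbaeec96300257ab63494c1616b732a1d48e457b61c7</checksum>
  <location href="repodata/de6fdd9cbb1af9b7f7badbaeec96300257ab63494c1616b732a1d48e457b61c7-app-icons.tar.gz"/></data>"""

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def audit_repomd(xml_text, repo_root=None):
    """Return {data type: [problems]}; an empty list means the entry is consistent."""
    report = {}
    for data in ET.fromstring(xml_text).iter(NS + "data"):
        href = data.find(NS + "location").get("href")
        csum = data.find(NS + "checksum")
        listed = csum.text.strip().lower()
        prefix = href.rsplit("/", 1)[-1].split("-", 1)[0].lower()
        problems = []
        if len(prefix) == 64 and prefix != listed:  # hash-prefixed name only
            problems.append("name-prefix != repomd checksum")
        if repo_root is not None and csum.get("type") == "sha256":
            local = Path(repo_root) / href
            if not local.is_file():
                problems.append("file missing")
            elif sha256_file(local) != listed:
                problems.append("content != repomd checksum")
        report[data.get("type")] = problems
    return report

if __name__ == "__main__":
    for label, doc in (("24 May", MAY_24), ("15 June", JUNE_15)):
        print(label, audit_repomd(doc))
```

Passing the mirror directory as `repo_root` adds the content check, which separates a bad download from a file name that simply disagrees with repomd.xml.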

On 2015-06-16 20:36, dwestf wrote:
>
> I did some more digging, when you look into repomd.xml you can see what
> check sums it is looking for. In the repomd.xml from 24 May you can see
> the file name checksum matches the sha256sum check sum. When you
> look at 15 June the check sum in the file name does not match either
> check sum in the repomd.xml file. So we need to find out if there was
> an error in the build process or if someone is trying to tamper with
> the repo. If all of the checksums do not match up then something is
> wrong.

This is only happening in the update repo? It must be an error in how
they are created, I don’t think we both are getting tampered files.

If there are no discrepancies in the non-oss repo, then create a
bugzilla, on security.


Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)

Carlos,

Thank you for confirming, bug has been submitted.

https://bugzilla.novell.com/show_bug.cgi?id=935052

Dave W