[sf-lug] A study in trying to verify a signature

Michael Paoli Michael.Paoli at cal.berkeley.edu
Mon Apr 26 22:31:01 PDT 2021

Paint me skeptical, but let me see what I get ...
my bits in-line below ...

> From: Al <awsflug at sunnyside.com>
> Subject: Re: [sf-lug] (forw) Re: (forw) Re: Something new on  
> Distrowatch and Ubuntu variants.
> Date: Mon, 26 Apr 2021 21:26:27 -0700

> A study in trying to verify a signature:

> Anyway, long story short I downloaded the ISO file at  
> https://dl.t2-project.org/binary/2021/ by right-clicking in Firefox:
> t2-21.4-x86-64-minimal-desktop-gcc-glibc.iso        2021-04-23 17:50  722M
> t2-21.4-x86-64-minimal-desktop-gcc-glibc.sha        2021-04-22 11:11   87

Never heard of dl.t2-project.org that I'm aware ...
guesstimating that's a mirror site, or CDN or the like?
Let's see if I can first figure out what that likely/presumably is ...
Looks like a bunch 'o ISOs 'n such, but dear knows from what project.
"SSL"/TLS cert appears functional, does that give us a clue?
cert has some SAN names, ... none I recognize.
How 'bout some kind 'o sig file ... theoretically that'd give us
clue (if it's legitimate sig). ...
$ wget -N  
--2021-04-26 22:03:40--   
Resolving dl.t2-project.org (dl.t2-project.org)...
Connecting to dl.t2-project.org  
(dl.t2-project.org)||:443... connected.
ERROR: The certificate of 'dl.t2-project.org' is not trusted.
ERROR: The certificate of 'dl.t2-project.org' doesn't have a known issuer.
Well that's interesting ... wget complains but Chromium doesn't.
Maybe they did something boneheaded like forgot to include the intermediate
cert ... many browsers like Chrom{e,ium}, Firefox, are relatively forgiving
in that, where they'll cache the intermediate, and if it's missing and they
have it cached, they'll use that ... but wget/curl/lynx/... won't do that.
And, expectedly to hypothesis, wget, curl, and lynx, all fail on cert
issues.  So we're already dealing with a site that ain't quite got their
act together.
Well, let me try a search on (partial) filename ... maybe get a clue
what it theoretically would be there ...
So, searching 'da Interwebs on
various search results suggest it's from
"T2 SDE" ... "an open source system development environment" ... uh huh.
So, search on "T2 SDE" ...
... Download ... https://t2sde.org/download/ ... primary server(s) ...
Not lookin' promising - special snowflake distro?
site:t2sde.org (gpg OR pgp OR signature OR "GNU privacy guard") -package
site:t2sde.org signing key
Yeah, special snowflake distro, use at your own risk, good luck.

I'll skip it, thanks.

Unless *maybe* you want to trust their slightly broken TLS/SSL ...
but first another sanity check:
$ curl -k -I  
HTTP/1.1 200 OK
Date: Tue, 27 Apr 2021 05:23:39 GMT
Server: Apache/2.4.39 (Unix) OpenSSL/1.0.2s
Last-Modified: Thu, 22 Apr 2021 11:11:35 GMT
ETag: "57-5c08dbe0d07c0"
Accept-Ranges: bytes
Content-Length: 87

$ curl -k -I  
HTTP/1.1 200 OK
Date: Tue, 27 Apr 2021 05:23:48 GMT
Server: Apache/2.4.39 (Unix) OpenSSL/1.0.2s
Last-Modified: Fri, 23 Apr 2021 17:50:12 GMT
ETag: "2d22d800-5c0a76d74dd00"
Accept-Ranges: bytes
Content-Length: 757258240
Content-Type: application/x-iso9660-image


Notice the Last-Modified: - the .iso is newer than the corresponding .sha
file.  Yeah, incompetent, or compromised, not something I'd want to trust.
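
Added example, not part of the original post: the Last-Modified comparison above as a repeatable check over saved `curl -I` output, using the header values from the two responses in the message. It also cross-checks each ETag against Content-Length and Last-Modified, assuming the server uses Apache's default ETag layout (hex size, then hex mtime in microseconds); the function names are hypothetical.

```python
import calendar
from email.utils import parsedate_to_datetime

# Headers copied from the two `curl -k -I` responses in the message above,
# trimmed to the fields this check uses.
SHA_HEADERS = """HTTP/1.1 200 OK
Last-Modified: Thu, 22 Apr 2021 11:11:35 GMT
ETag: "57-5c08dbe0d07c0"
Content-Length: 87
"""
ISO_HEADERS = """HTTP/1.1 200 OK
Last-Modified: Fri, 23 Apr 2021 17:50:12 GMT
ETag: "2d22d800-5c0a76d74dd00"
Content-Length: 757258240
"""

def parse_headers(raw):
    """Map lower-cased header names to values from a `curl -I` dump."""
    headers = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def epoch(http_date):
    """Convert an HTTP date to whole seconds since the Unix epoch (UTC)."""
    return calendar.timegm(parsedate_to_datetime(http_date).utctimetuple())

def etag_fields(etag):
    """Assumption: Apache default ETag, hex size then hex mtime in microseconds."""
    size_hex, mtime_hex = etag.strip('"').split("-")
    return int(size_hex, 16), int(mtime_hex, 16) // 1_000_000

def check_pair(artifact_raw, checksum_raw):
    """Return findings for a download and the checksum file published for it."""
    art, chk = parse_headers(artifact_raw), parse_headers(checksum_raw)
    findings = []
    for label, h in (("artifact", art), ("checksum", chk)):
        expected = (int(h["content-length"]), epoch(h["last-modified"]))
        if etag_fields(h["etag"]) != expected:
            findings.append(f"{label}: ETag disagrees with size or Last-Modified")
    lag = epoch(art["last-modified"]) - epoch(chk["last-modified"])
    if lag > 0:
        findings.append(f"artifact modified {lag} s after its checksum file")
    return findings

if __name__ == "__main__":
    print(check_pair(ISO_HEADERS, SHA_HEADERS))
```

A finding here only says the published checksum predates the file it is supposed to describe; it does not say which of the two is the correct one.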
