[sf-lug] A study in trying to verify a signature
Michael Paoli
Michael.Paoli at cal.berkeley.edu
Mon Apr 26 22:31:01 PDT 2021
Paint me skeptical, but let me see what I get ...
my bits in-line below ...
> From: Al <awsflug at sunnyside.com>
> Subject: Re: [sf-lug] (forw) Re: (forw) Re: Something new on
> Distrowatch and Ubuntu variants.
> Date: Mon, 26 Apr 2021 21:26:27 -0700
> A study in trying to verify a signature:
> Anyway, long story short I downloaded the ISO file at
> https://dl.t2-project.org/binary/2021/ by right-clicking in Firefox:
> t2-21.4-x86-64-minimal-desktop-gcc-glibc.iso 2021-04-23 17:50 722M
> t2-21.4-x86-64-minimal-desktop-gcc-glibc.sha 2021-04-22 11:11 87
Never heard of dl.t2-project.org that I'm aware ...
guestimating that's mirror site, or CDN or the like?
Let's see if I can first figure out what that likely/presumably is ...
https://dl.t2-project.org/binary/2021/
Looks like a bunch 'o ISOs 'n such, but dear knows from what project.
"SSL"/TLS cert appears functional, does that give us a clue?
cert has some SAN names, ... none I recognize.
How 'bout some kind 'o sig file ... theoretically that's give us
clue (if it's legitimate sig). ...
$ wget -N
https://dl.t2-project.org/binary/2021/t2-21.4-x86-64-minimal-desktop-gcc-glibc.sha
--2021-04-26 22:03:40--
https://dl.t2-project.org/binary/2021/t2-21.4-x86-64-minimal-desktop-gcc-glibc.sha
Resolving dl.t2-project.org (dl.t2-project.org)... 144.76.154.42
Connecting to dl.t2-project.org
(dl.t2-project.org)|144.76.154.42|:443... connected.
ERROR: The certificate of 'dl.t2-project.org' is not trusted.
ERROR: The certificate of 'dl.t2-project.org' doesn't have a known issuer.
$
Well that's interesting ... wget complains but Chromium doesn't.
Maybe they did something boneheaded like forgot to include the intermediate
cert ... many browsers like Chrom{e,ium}, Firefox, are relatively forgiving
in that, where they'll cache the intermediate, and if it's missing and they
have it cached, they'll use that ... but wget/curl/lynx/... won't do that.
And, expectedly to hypothesis, wget, curl, and lynx, all fail on cert
issues. So we're already dealing with a cite that ain't quite got their
act together.
Well, let me try a search on (partial) filename ... maybe get a clue
what it theoretically would be there ...
So, searching 'da Interwebs on
"t2-21.4-x86-64-minimal-desktop-gcc-glibc"
various search results suggest it's from
"T2 SDE" ... "an open source system development environment" ... uh huh.
So, search on "T2 SDE" ...
https://t2sde.org/
... Download ... https://t2sde.org/download/ ... primary server(s) ...
http://dl.t2-project.org/binary/
https://dl.t2-project.org/binary/
Not looin' promising - special snowflake distro?
site:t2sde.org (gpg OR pgp OR signature OR "GNU privacy guard") -package
site:t2sde.org signing key
Yeah, special snowflake distro, use at your own risk, good luck.
I'll skip it, thanks.
Unless *maybe* you want to trust their slight broken TLS/SSL ...
but first another sanity check:
$ curl -k -I
https://dl.t2-project.org/binary/2021/t2-21.4-x86-64-minimal-desktop-gcc-glibc.sha
HTTP/1.1 200 OK
Date: Tue, 27 Apr 2021 05:23:39 GMT
Server: Apache/2.4.39 (Unix) OpenSSL/1.0.2s
Last-Modified: Thu, 22 Apr 2021 11:11:35 GMT
ETag: "57-5c08dbe0d07c0"
Accept-Ranges: bytes
Content-Length: 87
$ curl -k -I
https://dl.t2-project.org/binary/2021/t2-21.4-x86-64-minimal-desktop-gcc-glibc.iso
HTTP/1.1 200 OK
Date: Tue, 27 Apr 2021 05:23:48 GMT
Server: Apache/2.4.39 (Unix) OpenSSL/1.0.2s
Last-Modified: Fri, 23 Apr 2021 17:50:12 GMT
ETag: "2d22d800-5c0a76d74dd00"
Accept-Ranges: bytes
Content-Length: 757258240
Content-Type: application/x-iso9660-image
$
Notice the Last-Modified: - the .iso is newer than the corresponding .sha
file. Yeah, incompetent, or compromised, not something I'd want to trust.
More information about the sf-lug
mailing list