agris | rrq, What is your PGP fingerprint? | 04:07 |
---|---|---|
rrq | E93D7167A4F5FA9E9FED497770285BA5CF280BA4 | 04:08 |
agris | rrq, thanks, what tool are you using to sign the releases with SHA256 sums instead a message? are you doing that manually or with some tool? | 04:09 |
rrq | I use gpg | 04:09 |
rrq | have I messed up now again? | 04:10 |
agris | give me a second please while I verify everything is in order | 04:11 |
fsmithred | rrq, was there a re-release of any 2.1 installer isos? | 04:16 |
agris | I don't think you did a detached signature | 04:16 |
agris | gpg --verify SHA256SUMS.asc SHA256SUMS | 04:16 |
agris | gpg: not a detached signature | 04:16 |
agris | looking at the .asc file it includes a signed message, which is a redundant copy of SHA256SUMS | 04:17 |
agris | let me veify to contents by hand | 04:17 |
agris | removing the signed message by hand from the signature results in gpg: BAD signature from "Ralph Ronnquist (rrq) <ralph.ronnquist@gmail.com>" [full] | 04:18 |
rrq | for some reason I updated some 2.1 iso I believe.. I would have re-signed, but if it's wrong, it's wrong. | 04:18 |
golinux | Looks like from the chat on #devuan | 04:20 |
agris | no, the files look good | 04:20 |
agris | https://0x0.st/z0gJ.png | 04:20 |
agris | rrq, next time you sign the releases, you really should decide on using a detached signature, or a signed message. Not both | 04:21 |
fsmithred | checksum on the amd64 netinstall iso on fdo right now does not match what's in the file | 04:21 |
rrq | ok. are the isos correct? | 04:22 |
agris | rrq, use --detach-sign not --sign | 04:23 |
fsmithred | I'm not sure. I used one I found on my hard drive with Oct. 21 date and different checksum | 04:23 |
agris | rrq, hold on, i'm downloading a copy from leaseweb now | 04:23 |
rrq | agris: thanks. I thought I did. but admittedly gpg is not my friend. | 04:23 |
agris | no problem, GPG is a very powerful and simple tool ounce you get the hang of it and read the manual | 04:24 |
agris | devuan_ascii_2.1_i386_netinst.iso OK | 04:26 |
agris | devuan_ascii_2.1_amd64_netinst.iso OK | 04:28 |
agris | rrq, ok. file checksums and sigs look ok, but there may be some issues with the newer iso | 04:32 |
agris | rrq, from now on when signing releases it would be very helpful if instead of what you did, instead: | 04:33 |
agris | sha256sum --tag * >SHA256SUMS | 04:33 |
agris | gpg --armor --detach-sign SHA256SUMS >SHA256SUMS.sig | 04:34 |
rrq | ta. and also that the isos work :) | 04:35 |
agris | This way GPG can be used to verify the actual checksums file, rather than just the embedded signed message | 04:35 |
fsmithred | rrq, I'm downloading the newer iso now to see if I can reproduce the problem | 04:35 |
fsmithred | I tested with the older (Oct 21) iso earlier and didn't find the problem. | 04:36 |
fsmithred | stovepipe in #devuan had wireless issues with the newer iso | 04:36 |
rrq | right. I still don't remember why netinst needed and update, but in any case that went wrong apparently. | 04:38 |
Jjp137 | I vaguely remember the ISOs being updated and so I did some searching and the reason seems to be towards the bottom: https://lists.dyne.org/lurker/message/20191124.064426.8724ca37.en.html | 04:39 |
fsmithred | oh yeah, isolinux was interfering with the checksum | 04:40 |
fsmithred | Jjp137, thanks for finding that | 04:40 |
Jjp137 | np | 04:40 |
rrq | agris: that gpg command creates a sibling .asc files, and an empty .sig file | 04:40 |
rrq | for me | 04:40 |
agris | my bad the final output redirection may not be needed for gpg | 04:41 |
agris | just gpg --armor --detach-sign SHA256SUM | 04:42 |
agris | as per documentation here https://www.dewinter.com/gnupg_howto/english/GPGMiniHowto-5.html | 04:42 |
rrq | right. that makes the .asc file with detached signature | 04:42 |
agris | rrq, cat it out and see if it's just the detached signature or contains a signed message as well | 04:43 |
rrq | just the signature | 04:43 |
fsmithred | gpg -b -a <file> (is the shortcut) | 04:43 |
agris | rrq, good. that's how it should be | 04:43 |
rrq | those files updated.. may need to sack the iso builder though :( | 04:47 |
rrq | biab | 04:52 |
fsmithred | <fsmithred> ok, I don't need to go very far. Like your customer, I got asked to plug in media with firmware. | 04:53 |
fsmithred | <fsmithred> there's no /firmware directory with links to the packages | 04:53 |
rrq | ok. ta. | 05:27 |
rrq | same on all | 05:32 |
golinux | So time for more iso making? | 05:33 |
rrq | worse: time to go back to the ascii2.1 iso building. beowulf has to wait until next decennium :( | 05:35 |
golinux | That's what I meant actually. | 05:37 |
golinux | I can sympathize. This work is a constant learning experience . . . | 05:38 |
onefang | If there was nothing left to learn, everything would be scripted, and we can take a holiday. B-) | 05:38 |
golinux | That assumes there is nothing to learn on a holiday. | 05:39 |
golinux | It is just a different learning. | 05:39 |
golinux | But I digress . . . | 05:40 |
onefang | That's how I'm learning all the little nooks and crannies of the package mirror system, by scripting my mirror checker to poke at them all. | 05:40 |
rrq | fsmithred: was "exclude isolinux.bin from md5sum.txt" the main reason for updates? | 05:56 |
rrq | excluding /firmware was a separate accident | 05:56 |
fsmithred | yeah, the checksum was failing on isolinux.bin - I think that was when you ran the check from the installer. | 05:57 |
rrq | and "Fixed order of init selection..." was your thing? it will sneak in to this build | 06:00 |
fsmithred | not sure about that last one. I think we did talk about it. | 06:04 |
fsmithred | sleep now | 06:05 |
fsmithred | maybe catch you on the other side | 06:05 |
LeePen | fsmithred: Do you use the live-build package? | 13:08 |
LeePen | We are way behind debian on it: | 13:09 |
LeePen | 4.0.3-1+devuan2 versus 1:20190311 | 13:09 |
fsmithred | no, I don't use it, but some people do | 13:10 |
fsmithred | and I think they might be using the debian version | 13:10 |
LeePen | Useful to know. I will have a look. | 13:10 |
fsmithred | there was a maintainer for it early in our history, but that didn't last long | 13:11 |
fsmithred | and there was a desire to use devuan sdk | 13:12 |
fsmithred | so that live, virtual and embedded images could all be made with the same tools | 13:12 |
LeePen | Sounds sensible. Does anybody have it working? | 13:14 |
fsmithred | LeePen, don't burn yourself out trying to do too much | 13:14 |
LeePen | I am just working through the last few outdated packages. | 13:14 |
fsmithred | I've been using live-sdk for the live images | 13:14 |
fsmithred | OziTraveller uses debian's live-build to make Star (devuan derivative) | 13:15 |
fsmithred | oh! | 13:15 |
fsmithred | I think he's using live-sdk now | 13:15 |
LeePen | OK. I will look at merging and up to date version and then if anybody wants to make it work better for devuan they have something to base it on. | 13:18 |
fsmithred | nice. Thanks. | 13:19 |
LeePen | Hmmm, having merged buster, lots of the quilt patches no longer apply. :( | 13:39 |
Generated by irclog2html.py 2.17.0 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!