Problem with the SHA256 signatures (download files) for the new releases 1.1.1d, 1.0.2t, 1.1.0l etc
Michael Wojcik
Michael.Wojcik at microfocus.com
Wed Sep 11 20:04:53 UTC 2019
I can confirm Carl's issue when I download using Pale Moon (a Firefox fork):
-----
$ file openssl-1.1.1d.tar.gz.sha256
openssl-1.1.1d.tar.gz.sha256: gzip compressed data, from FAT filesystem (MS-DOS,
OS/2, NT)
$ file openssl-1.1.1d.tar.gz.sha1
openssl-1.1.1d.tar.gz.sha1: ASCII text
$ file openssl-1.1.1d.tar.gz.asc
openssl-1.1.1d.tar.gz.asc: PGP signature Signature (old)
$ gpg --verify openssl-1.1.1d.tar.gz.asc openssl-1.1.1d.tar.gz
gpg: Signature made 09/10/19 09:13:14 EDT using RSA key ID 0E604491
gpg: Good signature from "Matt Caswell <matt at openssl.org>" [full]
gpg: aka "Matt Caswell <frodo at baggins.org>" [full]
-----
So the .sha1 file and the signature look fine, but the .sha256 file is apparently a fragment of gzip-compressed data. And ... let's see ... gunzip'ing it gives us the SHA256 hash in ASCII. So my guess the server is gzip'ing it (or it's gzip'ed at rest on the server), but the server isn't setting the content-transfer-encoding correctly. Chrome might be content-sniffing and decompressing based on that. I haven't looked at the response headers though.
(Personally, I always check the signature and don't bother with the posted hashes.)
--
Michael Wojcik
Distinguished Engineer, Micro Focus
More information about the openssl-users
mailing list