SHA256 openssl-1.1.1i Checksum Error

Michael Wojcik Michael.Wojcik at microfocus.com
Mon Dec 28 23:30:34 UTC 2020


> From: openssl-users <openssl-users-bounces at openssl.org> On Behalf Of Dr. Matthias St. Pierre
> Sent: Monday, 28 December, 2020 11:50

> I have no experience with zsh, but it seems that quoting is handled
> differently by zsh?

Is the problem that quoting is handled differently, or that he actually had Unicode left-double-quote and right-double-quote characters there rather than proper ASCII double-quote characters? That's how it appears in the message as I received it.

> At least it looks like the double quotes ended up in the GET line

Agreed.

> and you simply received an HTTP 404 Not Found (which is the reason why your
> digest isn’t correct.)

Agreed.

I'll add: Don't check the checksum. Check the signature:

1. Install an OpenPGP implementation such as gpg, if you don't already have one. (One may come with macOS; I have no idea.)

2. Download the .asc file corresponding to the tarball you downloaded.

3. Check the signature. With gpg2, for example:

   $ gpg2 --verify openssl-1.1.1i.tar.gz.asc openssl-1.1.1i.tar.gz
   gpg: Signature made 12/08/20 06:21:06 MST using RSA key ID 0E604491

Now, you presumably won't have the signing public key (for 1.1.1i that's a key owned by Matt Caswell) in your keyring. You can download it from a public keyserver and mark it as trusted, so you'll also get verification that the signature was generated with the correct key:

   gpg: Good signature from "Matt Caswell <matt at openssl.org>" [full]
   gpg:                 aka "Matt Caswell <frodo at baggins.org>" [full]

While checking the signature runs into all the well-documented issues with the PGP Web of Trust, it's still stronger (in the sense that it prunes more of the attack tree, under sensible threat models) than just checking the hash. And once you're set up to do it, it's a simpler operation for future downloads.

--
Michael Wojcik
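The procedure above, worked into a small script. This is an added example written for this page, not code from the thread or from the OpenSSL project. It assumes a placeholder key fingerprint (EXPECTED_FPR, not a real OpenSSL signing key) that you substitute with the fingerprint you have verified out of band; it also assumes gpg (or gpg2) is on PATH. Rather than trusting the human-readable "Good signature from ..." line, it reads gpg's machine-readable --status-fd output and accepts only a VALIDSIG whose primary-key fingerprint matches the pinned one, which sidesteps the Web of Trust issues mentioned above. It also refuses to run a command line containing the Unicode curly quotes that caused the 404 in this thread.

```python
"""Verify a release tarball against its detached OpenPGP signature, pinning
the signing key by fingerprint. Added example, not code from the thread."""
import shutil
import subprocess
import sys

# Placeholder (assumption for this example): the 40-hex-digit fingerprint of
# the release signing key, obtained and checked out of band. This value is
# NOT a real OpenSSL signing key fingerprint.
EXPECTED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"

# Typographic quotes that a shell passes through verbatim to curl; the server
# then answers 404 and you end up hashing an error page.
SMART_QUOTES = "\u201c\u201d\u2018\u2019"

# gpg status keywords after which the signature must never be accepted.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


def has_smart_quotes(text):
    """True if a command line or URL contains curly quotes instead of ASCII ones."""
    return any(ch in text for ch in SMART_QUOTES)


def parse_gpg_status(status_text, expected_fpr):
    """Decide from `gpg --status-fd` output whether a signature is acceptable.

    Returns (ok, reason). A VALIDSIG line is required and its primary-key
    fingerprint must equal expected_fpr. "Good signature from <name>" alone
    is not enough: anyone can create a key carrying that user ID.
    """
    validsig = None
    rejected = []
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword = fields[1]
        if keyword in REJECT:
            rejected.append(keyword)
        elif keyword == "VALIDSIG":
            validsig = fields
    if rejected:
        return False, "gpg reported " + ", ".join(rejected)
    if validsig is None:
        return False, "no VALIDSIG line in gpg status output"
    # VALIDSIG <sig-key-fpr> <date> <timestamp> <expire> <ver> <reserved>
    #          <pk-algo> <hash-algo> <class> [<primary-key-fpr>]
    sig_fpr = validsig[2].upper()
    primary_fpr = validsig[11].upper() if len(validsig) > 11 else sig_fpr
    if primary_fpr != expected_fpr.upper():
        return False, f"signed by {primary_fpr}, expected {expected_fpr.upper()}"
    return True, f"valid signature from subkey {sig_fpr} of {primary_fpr}"


def verify_release(tarball, signature, expected_fpr=EXPECTED_FPR, gnupghome=None):
    """Run gpg on a detached .asc signature and judge the result by fingerprint."""
    gpg = shutil.which("gpg") or shutil.which("gpg2")
    if gpg is None:
        return False, "no gpg or gpg2 binary found on PATH"
    cmd = [gpg, "--batch", "--status-fd", "1", "--verify", signature, tarball]
    if gnupghome:
        cmd[1:1] = ["--homedir", gnupghome]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return parse_gpg_status(proc.stdout, expected_fpr)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: verify_release.py <tarball> <tarball.asc>")
    if has_smart_quotes(" ".join(sys.argv)):
        sys.exit("command line contains curly quotes; retype it with ASCII quotes")
    ok, reason = verify_release(sys.argv[1], sys.argv[2])
    print(("OK: " if ok else "FAIL: ") + reason)
    sys.exit(0 if ok else 1)
```

Import the signer's public key first (gpg --recv-keys with the fingerprint, or from a file), then run the script as `python3 verify_release.py openssl-1.1.1i.tar.gz openssl-1.1.1i.tar.gz.asc`. When fetching the files, pass -f to curl so an HTTP error leaves no body on disk; otherwise, as in this thread, you end up computing the digest of a 404 page.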

