Validation of Firefox files fails then works

foruminformationmonitor

07 Dec, 2016 12:42 AM

I am using GPGkeychain version 1.3.1 validation on my Yosemite Mac.

I have 2 Yosemite 10.10.5 Macs and while validating Firefox version 50 and 49 one Mac would validate both and the other would not validate, using the exact same public key, signature and validating files in the same directory. I was able to validate other files such as Wireshark and LibreOffice successfully.

Here is the procedure I used to validate the Mozilla Firefox file.

1) Downloaded both Shasums512 and Shasums512.asc from https://ftp.mozilla.org/pub/firefox/releases/50.0.1/ for Firefox 50.

2) When I validate the Shasum512.asc signature file against Shasums512 I receive a failure. The public key used is the Mozilla software release key, ID D98F0353.

3) All files are in the same directory and when I verify other PGP signatures such as Wireshark they validate, but other Firefox installs, like Firefox version 49, do not.

However on another Mac running the same version of Mac OS and files, validation succeeded.

This suggests to me that the public key ID was changed or communications for the public key changed. My reasoning is that the SHA1 for your product is 6adb52ce063b3952542037fa37394a0279acce3d. This is not the latest but the August-2016 one.

I expected 2 Mac OS machines with the same versions of the OS and GPGtool to perform the validation successfully. Please keep in mind other applications validated correctly, but not the Firefox.

  1. Support Staff 1 Posted by Steve on 12 Dec, 2016 11:15 AM

    Hi foruminformationmonitor,

    could you please open GPGPreferences and in the Updates section press the "Check now" button. You should see an update for GPG Suite.

    You may want to enable the option for automatic update checks to ensure you always have the latest GPG Suite installed on your system.

    When following your steps to verify shasum512 and shasum512.asc I see the result attached as screenshot.

    Which makes me wonder why you are seeing different results. Could you please again download both files into an empty folder and then again verify and attach a screenshot of the result.

    All the best,
    steve

  2. 2 Posted by foruminformatio... on 15 Dec, 2016 11:50 AM

Could you provide a possible reason why I saw the failure in verification? Is the SHA1 correct? As I stated I had 2 Macs and I'm concerned whatever caused the failure in validation could be used to falsify validations. I highly suspect it is an operating system change.

  3. Support Staff 3 Posted by Steve on 19 Dec, 2016 12:52 PM

    This is really hard to tell from far away. Are you still able to reproduce the problem? Maybe you were trying to verify files that didn't match?

    If you find a reproducible case, please link the exact files and we're happy to try and reproduce.

  4. 4 Posted by foruminformatio... on 05 Jan, 2017 08:17 AM

    I have another example involving GPGtools verification. Using GPG keychain 1.3.1. It is unable to verify both the older version as well as the current version. The Sha1 hash of da8854cd9435d077dbdac7e71dac920ac38d15f2 for GPGtools is validated and the key used is keyid:00d026c4. Validation fails. I have included the GPGtools files.

    Do you have a list of older GPGtool sha1 hashes?

  5. Support Staff 5 Posted by Steve on 09 Jan, 2017 02:37 PM

    Hi, something went wrong with your download or with your upload. GPG_Suite-2016.10_v2.dmg is 381 bytes large, which is really small and not what we offer as download. So it is not surprising the verification fails.

    Could you please redownload GPG Suite and then retry?

  6. 6 Posted by foruminformatio... on 15 Jan, 2017 03:58 AM

    Can you provide me with the sha1 hash? I compared this value to the SHA1 hash your web site provided.

    The SHA1 value I have for GPG_suite-2016.10_V2 is da8854cd9435d077dbdac7e71dac920ac38d15f2

  7. 7 Posted by foruminformatio... on 15 Jan, 2017 04:07 AM

    I have just checked your website Jan-14-2017 and it shows the SHA1 hash as an exact match for the file I have enclosed. (see attached file gpg suite sha1)

    This means that the application itself has been modified on a Mac Yosemite 10.10.5 and is giving incorrect results. Is this correct?

  8. Support Staff 8 Posted by Steve on 19 Jan, 2017 07:14 PM

    Hi again,

    there is no need to provide the SHA1 hash. The information on the website is correct. I already mentioned that you seem to be verifying a corrupt download. That will give wrong information (which is highly expected, and just shows this is actually working).

    Which file you have enclosed are you referring to? Did you re-download GPG Suite?

    Best,
    steve

  9. 9 Posted by foruminformatio... on 19 Jan, 2017 09:05 PM

    Actually the version is the previous GPGtools version, 6adb52ce063b3952542037fa37394a0279acce3d GPG_Suite-2016.08_v2.dmg.

    How are you coming to the determination that the file is corrupt? Surely not by size, as the SHA1 hash is more accurate? I understand that for some reason GPGtool doesn't provide previous SHA1 hashes, so does that mean that if there are any problems on an older version, everything is disregarded on older versions?

  10. Support Staff 10 Posted by Steve on 19 Jan, 2017 09:08 PM

    Well I asked to re-download GPG Suite. If you are verifying an old release, the checksum for that will not match the SHA1 checksum for the current release.

    You posted a screenshot showing GPG Suite with 381 byte size. And that cannot be correct. Look at comment 5.

  11. 11 Posted by foruminformatio... on 21 Jan, 2017 11:52 PM

    When I click on the downloaded image named "GPG_suite-2016.08_v2.dmg" from this post, dated Jan-25-2017, which I uploaded, I do not see any 381 byte size file. I see a 25.8 MB file. See the enclosed screenshot file called gpg_suit-2016.08_v2.dmg.tiff.

    Your website attachment says up to 10 MB; the file GPG_suite-2016.08_v2.dmg is over that upload size, yet I downloaded the file without an error from your website and confirmed the hash 6adb52ce063b3952542037fa37394a0279acce3d.

  12. Support Staff 12 Posted by Luke Le on 21 Jan, 2017 11:59 PM

    Ah wonderful, so that means everything works now?
    We are very glad to hear that!

  13. 13 Posted by foruminformatio... on 22 Jan, 2017 12:16 PM

    The above is a problem with your website accepting files larger than allowed. However, I was able to download the file which Steve says has an incorrect file size.

    The problem is still outstanding and suggests the GPGtools application itself has been modified but continues to work in some fashion that perhaps allows specific validations.

  14. Support Staff 14 Posted by Luke Le on 22 Jan, 2017 12:41 PM

    A number of questions:
    What website are you referring to? What in your opinion is the "GPGtools application"?
    Why exactly do you think it has been modified?
    Why do you prefer verifying hashes rather than sigs?
    Have you tried installing gpg from Homebrew and performing the verification using gnupg from Terminal to confirm our applications as the culprit?
    Any chance you speak German?

  15. 15 Posted by foruminformatio... on 24 Jan, 2017 09:24 AM

    The website I originally received the file from is https://gpgtools.org/. But it is the older version, no longer displayed: GPG_Suite-2016.08_v2.dmg.
    I think it has been modified because I have 2 Macs with the identical files installed. One works and the other does not. I am using hashes because of the inconsistency between the 2 Macs. I cannot understand why one verifies the signature for GPGtools and the other does not, so the fallback is hashes.
    I have not tried Homebrew, mainly because I am attempting to find the root cause of the issue between the 2 Macs first before reinstalling.
    No, I do not speak German.

    What I would like to do is confirm the required components again using the 3 files:
    1- the original file
    2- signature file
    3- public key

  16. Support Staff 16 Posted by Luke Le on 24 Jan, 2017 09:30 AM

    Did you try to verify the signatures of the GPG Suite dmgs from the command line?
    To do that, place them in the same folder on your desktop, say "GPG_Suite_Installer" and run the following command in Terminal:

    gpg --verify ~/Desktop/GPG_Suite_Installer/GPG_Suite-2016.08_v2.dmg.sig

    You should see a valid signature if you have our public key correctly installed.
    You can find the public key on https://gpgtools.org/GPGTools-00D026C4.asc
    (If it's not already in your keyring, don't fetch it via key servers, since there are fake keys for [email blocked] on there which were not created by us)

    These are the links to the GPG_Suite-2016.08_v2.dmg and signature:
    https://releases.gpgtools.org/GPG_Suite-2016.08_v2.dmg (size: 27099647)
    https://releases.gpgtools.org/GPG_Suite-2016.08_v2.dmg.sig (size: 868)

  17. 17 Posted by foruminformatio... on 26 Jan, 2017 05:27 PM

    When I perform the command on the computer that does not validate signatures as you posted I get the following.

    gpg --verify GPG_Suite-2016.08_v2.sig
    gpg: no signed data
    gpg: can't hash datafile: No data

    But when I perform the full command with the signature and the file I get:

    gpg --verify GPG_Suite-2016.08_v2.sig GPG_Suite-2016.08_v2.dmg
    gpg: Signature made Tue 16 Aug 07:23:49 2016 EDT using RSA key ID 0D9E43F5
    gpg: Good signature from "GPGTools Team [email blocked]" [unknown]
    gpg: aka "GPGMail Project Team (Official OpenPGP Key) [email blocked]" [unknown]
    gpg: aka "GPGTools Project Team (Official OpenPGP Key) [email blocked]" [unknown]
    gpg: aka "[jpeg image of size 5871]" [unknown]
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg: There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 85E3 8F69 046B 44C1 EC9F B07B 76D7 8F05 00D0 26C4
    Subkey fingerprint: 8C31 E5A1 7DD5 D932 B448 FE1D E8A6 6448 0D9E 43F5

  18. Support Staff 18 Posted by Luke Le on 26 Jan, 2017 06:28 PM

    The reason why the first command doesn't work is that your sig file is missing the .dmg part. Did you rename it? I just followed my exact instructions and they worked exactly as stated.

    Are you seeing the same result on both macs now or is there still something wrong?
    If so, how can we help you?
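The command in Luke Le's post above and the missing ".dmg" he points out are the crux of this thread: given only a signature file, gpg guesses the data file by stripping the signature suffix, so a signature saved as GPG_Suite-2016.08_v2.sig makes it look for GPG_Suite-2016.08_v2 and report "no signed data". The POSIX shell script below is an added example, not code from the thread or from GPGTools: it reproduces that guessing rule as a preflight check, then verifies the signature with the data file named explicitly and pins the primary key fingerprint shown in comment 17, rather than trusting "Good signature" alone. It assumes GnuPG 2.x on PATH for the verify step; the script name verify_release.sh and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread or from GPGTools): preflight check plus
# pinned-fingerprint verification of a detached OpenPGP signature.
# Assumes a POSIX shell; verify_detached additionally assumes GnuPG 2.x on PATH.

# When `gpg --verify` is given only the signature file, it derives the data file
# name by dropping a ".sig", ".sign" or ".asc" suffix. Reproducing that rule lets
# us explain "gpg: no signed data" before calling gpg at all.
sig_data_name() {
  case "$1" in
    *.sig)  printf '%s\n' "${1%.sig}" ;;
    *.sign) printf '%s\n' "${1%.sign}" ;;
    *.asc)  printf '%s\n' "${1%.asc}" ;;
    *)      printf '\n' ;;   # no recognised suffix: gpg will not guess a data file
  esac
}

# Report what the one-argument form would do for SIGFILE: returns 0 if the
# guessed data file exists next to it, 1 otherwise (reason on stderr).
preflight_sig() {
  guess=$(sig_data_name "$1")
  if [ -z "$guess" ]; then
    echo "preflight: '$1' has no .sig/.sign/.asc suffix; pass the data file explicitly" >&2
    return 1
  fi
  if [ ! -f "$guess" ]; then
    echo "preflight: 'gpg --verify $1' would hash '$guess', which is missing (expect 'no signed data')" >&2
    return 1
  fi
  echo "preflight: 'gpg --verify $1' will hash '$guess'"
  return 0
}

# Verify SIGFILE over DATAFILE and require that the *primary* key fingerprint gpg
# reports equals EXPECTED_FPR (spaces and case ignored). "Good signature" only says
# some key in the keyring signed the data; pinning the fingerprint is what rejects
# a look-alike key that was imported from a keyserver.
verify_detached() {
  sig=$1; data=$2
  expected=$(printf '%s' "$3" | tr -d ' ' | tr 'a-f' 'A-F')
  command -v gpg >/dev/null 2>&1 || { echo "gpg not found on PATH" >&2; return 2; }
  # --status-fd 1 emits machine-readable lines; gpg exits non-zero on BADSIG or on
  # a missing key, so a failed command is a failed verification.
  status=$(gpg --batch --status-fd 1 --verify "$sig" "$data" 2>/dev/null) || return 1
  printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG ' || return 1
  # The last field of the VALIDSIG status line is the primary key fingerprint.
  primary=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG /{print $NF}')
  [ -n "$primary" ] && [ "$primary" = "$expected" ]
}

# Usage: sh verify_release.sh SIGFILE DATAFILE "EXPECTED PRIMARY FINGERPRINT"
# e.g.   sh verify_release.sh GPG_Suite-2016.08_v2.dmg.sig GPG_Suite-2016.08_v2.dmg \
#            "85E3 8F69 046B 44C1 EC9F B07B 76D7 8F05 00D0 26C4"
if [ $# -eq 3 ]; then
  preflight_sig "$1" || true   # informational; the data file is passed explicitly below
  if verify_detached "$1" "$2" "$3"; then
    echo "OK: good signature from the pinned key"
  else
    echo "FAILED: bad signature, unknown key, or fingerprint mismatch" >&2
    exit 1
  fi
fi
```

Run with the three arguments shown in the usage comment; with a signature file named GPG_Suite-2016.08_v2.sig the preflight line explains the "no signed data" result even though the explicit two-argument verification that follows still succeeds, which is exactly the mismatch between the two Macs in this thread.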

  19. 19 Posted by foruminformatio... on 27 Jan, 2017 11:14 PM

    There is still a problem. When I entered both commands on the Mac that works it revealed the below response for both commands.

    gpg --verify GPG_Suite-2016.08_v2.sig GPG_Suite-2016.08_v2.dmg
    gpg: Signature made Tue 16 Aug 07:23:49 2016 EDT using RSA key ID 0D9E43F5
    gpg: Good signature from "GPGTools Team [email blocked]" [unknown]
    gpg: aka "GPGMail Project Team (Official OpenPGP Key) [email blocked]" [unknown]
    gpg: aka "GPGTools Project Team (Official OpenPGP Key) [email blocked]" [unknown]
    gpg: aka "[jpeg image of size 5871]" [unknown]
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg: There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 85E3 8F69 046B 44C1 EC9F B07B 76D7 8F05 00D0 26C4
    Subkey fingerprint: 8C31 E5A1 7DD5 D932 B448 FE1D E8A6 6448 0D9E 43F5

    The Mac that does not work shows an incorrect response:
    gpg --verify GPG_Suite-2016.08_v2.sig
    gpg: no signed data
    gpg: can't hash datafile: No data

    I still believe that a change on the Mac OS Yosemite is causing this error allowing the GPGtools application on the 2nd Mac to have this problem.

    The reason: all files compare correctly. The public key value is correct according to the signature. Is there a diagnostic that can be performed on the installed GPGtools?

  20. 20 Posted by foruminformatio... on 02 Feb, 2017 03:44 PM

    It also should be noted that the GUI on Mac-1 validates the file while Mac-2 does not validate the files which are identical using the SHA hash.

  21. Support Staff 21 Posted by Steve on 02 Feb, 2017 04:06 PM

    Should you be available, could you hop on our live chat here:
    https://www.hipchat.com/gi8zHW4K3

    We can't promise a solution, but we'd like to inspect this problem in more detail.

    All the best
    steve

  22. Steve closed this discussion on 02 Feb, 2017 04:06 PM.

  23. foruminformationmonitor re-opened this discussion on 10 Feb, 2017 07:55 PM

  24. 22 Posted by foruminformatio... on 10 Feb, 2017 07:55 PM

    Screenshots, bad and good, from the GUI of 2 different machines.

  25. Support Staff 23 Posted by Steve on 10 Feb, 2017 08:38 PM

    Solved via live chat; the problem was that a sig file had a wrong filename.

  26. Steve closed this discussion on 10 Feb, 2017 08:38 PM.
