mod6: take a look, i've removed 3 lines: 1. in the comment section where it lists PK's key fingerprint at the top 2. the curl that pulls the sign file for buildroot-2015.05.tar.gz.sign 3. the gpg command that verifies buildroot-2015.05.tar.gz.sign
mod6: so as far as the build-bitcoind-V99995.sh is concerned. let's just check that hash and call it a day then.
mod6: asciilifeform: not as far as i've seen.
mod6: anyway, an open line of comms to these folks could help us -- especially going forward as we basically might need to "roll our own" so that it doesn't pull the deps via rsync.
mod6: SHA1 & MD5 are broken are they not?
mod6: just thinking that hey, cant hurt anything to enlighten the guy that these hashes that he's signing, even up to this current month are obsolete.
mod6: "Peter Korsgaard <jacmet@uclibc.org>"
mod6: or at least, just the one we're using.
mod6: what we really ought to do is write to that guy, get him to join the wot with a 4096 bit RSA key, and have him re-sign all of the bundles.
mod6: the md5 & sha1 match the sign file
mod6: c42fdd39cb2bc46804a86a7d7b2605bd3cd9ddcb365c4e5a1fb147eb02b234fc31a70c8140be2f4d27cd371c84e0c6701f8cb47697dd1c18dd0e0cce784aa07a
mod6: we expect this sha512:
mod6: asciilifeform: this is the one that we're pulling
mod6: im starting to think that our SHA512 sum of this artifact is better than whatever they've got.
mod6: heh, these guys built this huge thing, but their sign files only have SHA1 & MD5, even the most recent 2016.02
mod6: oh nm, looks like those are only there for an RC version?
mod6: guess that only started with the version /after/ our version 2015.05
mod6: ooh... not for our version :(
mod6: im gonna take a look at that instead.
mod6: in here there seem to be .sign files for the .tar.gz's, but they seem to have .gpg's for the tar.bz2's
mod6: im gonna look again at what happens with 1.4.19 & that sign file.
mod6: ben_vulpes: yeah, i dunno what the deal is with it, seems to not work exactly as expected.
mod6: anyway, i guess i don't mind, i can add a part where we check the SHA1 & MD5 of the buildroot artifact and then continue to verify that .sign file.
mod6: danielpbarron: ok thanks for the update
mod6: i think this was actually discussed quite some time ago. i dont remember what the sentiment was exactly. but i think it was like "meh"
mod6: i guess, the other good news to that is you wont need to import that rando's guy's key into your keyring. still would need mine, alf & trinque's tho.
mod6: gonna try that out locally here.
mod6: still will check the hash of the buildroot artifact.
mod6: so with that build script, i'm thinking just take out the curl & --verify of that stupid .sign file.
mod6: phf: yeah, i see that, ok must be fixed
mod6: dare i even ask what a package mask is?
mod6: if someone knows what the problem is here, please submit. if testing is needed, lets do it. all those things. telling me to take a break, or calm down, or take a vacation is not a solution.
mod6: what i need, is help. every day. until this is resolved.
mod6: <+ben_vulpes> go take a vacation dood << this is not a solution.
mod6: you don't have to build with the script, just pull all the pieces and build by hand then.
mod6: well, i dunno what to say i guess.
mod6: what a goatfucking pile of shit
mod6: gpg (GnuPG) 2.0.26 << both of my goddamn gentoo's have this installed.
mod6: for some reason, this guys friggin thing apparently wont verify, except for me. i seem to be the only one who has a gpg & his key that'll verify this damn thing
mod6: but this problem isn't related to that.
mod6: i disagree, totally, that V should contain any functionality to validate anything outside of the V tree, contained in the patches dir.
mod6: well, im fuckin stumped. this is crazy
mod6: gernika: <+mod6> what does this say `gpg --fingerprint 0xAB07D806D2CE741FB886EE50B025BA8B59C36319` ?
mod6: ben_vulpes: can you identify why this is an issue?
mod6: what does this say `gpg --fingerprint 0xAB07D806D2CE741FB886EE50B025BA8B59C36319` ?
mod6: gernika: what happens if you're in the rotor dir and you do `gpg --verify buildroot-2015.05.tar.gz.sign` ?
mod6: gernika: do you have this file somewhere in your build env? buildroot-2015.05.tar.gz.sign ?
mod6: back around the 28th.
mod6: we all went through this with V99996
mod6: so why didnt we have this trouble a few weeks ago?
mod6: the thing that bothers me, is this: all that is different about the build script itself is the version of V.
mod6: also, re: regrind, this is for sure: when doing this task, it forces you to read and understand the patch that needs regrinding. nothing wrong with this as far as I can tell.
mod6: something is wrong. i dont know what.
mod6: well, let us know how it goes. thanks for building.
mod6: and ALL: do not run this script 2x, ever. if something goes wrong, just please, start again fresh dir blow everything away except your .wot dir & contents and script.
mod6: grab the key from the fhe keyserver and import manually?
mod6: that command should ^^^
mod6: ok, well it should pull that key.
mod6: danielpbarron: try `gpg --recv-key 0xAB07D806D2CE741FB886EE50B025BA8B59C36319`
mod6: didnt see the paste /me looks
mod6: how are you trying to 'get it' ?
mod6: along with the other 3?
mod6: danielpbarron: did you put this key 0xAB07D806D2CE741FB886EE50B025BA8B59C36319 in your gpg keyring?