Slackpackage checksum fail: what to do?
Martha Adams
2017-11-29 06:33:11 UTC
I ran a 'slackpkg update' and this time, I got an error
response, "ERROR: Verification of the gpg signature on
CHECKSUM.md5 failed!...." Of course I could ignore it,
or come back later, or, ??

This time I'd like to get it right. I'm in my Slackware64
14.1 environment. At this point, what does a knowledgeable
techie do? Why?

Thanks -- Martha Adams [Wed 2017 Nov 29]
Rich
2017-11-29 10:54:46 UTC
Post by Martha Adams
I ran a 'slackpkg update' and this time, I got an error
response, "ERROR: Verification of the gpg signature on
CHECKSUM.md5 failed!...." Of course I could ignore it,
or come back later, or, ??
This time I'd like to get it right. I'm in my Slackware64
14.1 environment. At this point, what does a knowledgeable
techie do?
First verify that you have the proper GPG key installed locally.

Once you know you have the right key, then double check the signature
by hand.

If it still fails, try downloading from a different mirror and
verifying the signature.
Post by Martha Adams
Why?
Signature failure _can_ indicate someone trying to feed you
intentionally modified files (i.e., containing spyware or adware or
other).

Most likely it indicates a technical glitch (such as operator error, an
incomplete download, or a few bytes randomly changed by the universe
that slipped past TCP's checksum).
King Beowulf
2017-12-22 19:24:23 UTC
Post by Martha Adams
I ran a 'slackpkg update' and this time, I got an error response,
"ERROR: Verification of the gpg signature on CHECKSUM.md5 failed!...."
Of course I could ignore it, or come back later, or, ??
This time I'd like to get it right. I'm in my Slackware64 14.1
environment. At this point, what does a knowledgeable techie do? Why?
Thanks -- Martha Adams [Wed 2017 Nov 29]
To expand on Rich's reply:

1. Check "/etc/slackpkg/mirrors" to make sure you have selected a known
good and reputable mirror. Make sure you are not trying to pull in 14.2
packages.
2. Run "slackpkg update gpg" and check if the correct key is getting
downloaded. Go to slackware.com and get THAT public key (dated
29-Aug-2012) and compare with the one grabbed via slackpkg.
3. Clear the files in /var/cache/packages/? (I use Slackpkg+ so mine's a
bit different) and "slackpkg update" to grab a fresh set.

Have fun!
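
Added example (not part of any post in this thread): one way to script the by-hand check Rich and King Beowulf describe, comparing the key's fingerprint to a value obtained out of band and requiring that CHECKSUM.md5 carry a valid signature from that same key. The function names are hypothetical, EXPECTED_FPR is a placeholder, and the sample gpg outputs are constructed with a fake key.

```sh
#!/bin/sh
# Added example, not from the thread. Pins CHECKSUM.md5 to one signing key.
# Placeholder: set EXPECTED_FPR to the fingerprint you obtained out of band.
EXPECTED_FPR="${EXPECTED_FPR:-REPLACE_WITH_TRUSTED_FINGERPRINT}"

# Normalize a fingerprint: strip whitespace, upper-case the hex digits.
norm_fpr() { printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'; }

# stdin: `gpg --with-colons` key listing. Prints the primary key fingerprint
# (field 10 of the first "fpr" record).
fpr_from_colons() { awk -F: '$1 == "fpr" { print $10; exit }'; }

# stdin: `gpg --status-fd 1 --verify` output. Prints the signer's primary key
# fingerprint only when gpg emitted VALIDSIG; BADSIG/ERRSIG print nothing.
signer_from_status() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print (NF >= 12 ? $12 : $3); exit }'
}

# True only if both fingerprints are non-empty and equal after normalizing.
same_fpr() {
    a=$(norm_fpr "$1"); b=$(norm_fpr "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# $1: key file fetched independently of the mirror.
# $2: directory holding the mirror's CHECKSUM.md5 and CHECKSUM.md5.asc.
# Assumes the key is already in the invoking user's keyring.
check_mirror_metadata() {
    key=$(gpg --with-colons --with-fingerprint "$1" 2>/dev/null | fpr_from_colons)
    same_fpr "$key" "$EXPECTED_FPR" || { echo "key file: unexpected key" >&2; return 2; }
    signer=$(gpg --status-fd 1 --verify "$2/CHECKSUM.md5.asc" "$2/CHECKSUM.md5" \
        2>/dev/null | signer_from_status)
    same_fpr "$signer" "$EXPECTED_FPR" || { echo "CHECKSUM.md5: bad or foreign signature" >&2; return 1; }
    echo "CHECKSUM.md5 is signed by $EXPECTED_FPR"
}

# Constructed sample gpg outputs (fake key) for trying the parsers offline.
SAMPLE_COLONS='pub:-:1024:17:89ABCDEF01234567:1045000000:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:'
SAMPLE_STATUS='[GNUPG:] GOODSIG 89ABCDEF01234567 Example Key <key@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2017-11-29 1511913600 0 3 0 17 2 00 0123456789ABCDEF0123456789ABCDEF01234567'
SAMPLE_BADSIG='[GNUPG:] BADSIG 89ABCDEF01234567 Example Key <key@example.invalid>'

if [ "$#" -eq 2 ]; then check_mirror_metadata "$1" "$2"; fi
```

Checking for VALIDSIG from one pinned fingerprint is stricter than reading gpg's "Good signature" line, which is printed for any key that happens to be in the keyring.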
Martha Adams
2017-12-23 14:56:54 UTC
Post by King Beowulf
I ran a 'slackpkg update' and this time, I got an error response,
"ERROR: Verification of the gpg signature on CHECKSUM.md5 failed!...."
Of course I could ignore it,
or come back later, or, ??
This time I'd like to get it right. I'm in my Slackware64 14.1
environment. At this point, what does a knowledgeable techie do? Why?
Thanks -- Martha Adams [Wed 2017 Nov 29]
1. Check "/etc/slackpkg/mirrors" to make sure you have selected a known
good and reputable mirror. Make sure you are not trying to pull in 14.2
packages.
2. Run "slackpkg update gpg" and check if the correct key is getting
downloaded. Go to slackware.com and get THAT public key (dated
29-Aug-2012) and compare with the one grabbed via slackpkg.
3. Clear the files in /var/cache/packages/? (I use Slackpkg+ so mine's a
bit different) and "slackpkg update" to grab a fresh set.
Have fun!
Hi, King. This is helpful progress but I'm still puzzling. I think the
first thing I was doing wrong was, I had set my /etc/slackpkg/mirrors
to choose a mirror site any old how, with result, I couldn't see where
my updates came from. That was ok to my earlier self who thought, an
update is an update let's get on with the work. Which seems to my
present self, to be a mistake.

So now my /etc/slackpkg/mirrors choice is pair.com, who host my personal
web pages and I know they are good people. One down, but I'm not doing
more updates until I feel more safe than now.

I did the 'slackpkg update gpg' bit but this keys business which looks
deeply significant, is presently also deeply puzzling. I.e., I just
don't see what this is about. Is this discussed somewhere in public
cyberspace? ??

I looked into my /var/cache/packages/ and I found a short list of
deeper directories. Somehow this list triggers my sensitivities so
here it is:

extra
pasture
patches
slackware64
testing

and I don't feel comfortable those all really belong there. Is a
puzzlement. ??

I'm in Slackware64, 14.1 updated but presently no longer current.

Thanks -- Martha Adams [Sat 2017 Dec 23]
