View Issue Details

ID: 0001855
Project: Kali Linux
Category: General Bug
View Status: public
Last Update: 2014-12-04 15:28
Reporter: stevko
Assigned To: rhertzog
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: resolved
Resolution: fixed
Product Version: 1.0.9
Summary: 0001855: There are two versions of kali-linux-1.0.9a-amd64.iso, both with signed SHA1SUMS
Description

Depending on the mirror, one can get two different versions of kali-linux-1.0.9a-amd64.iso. One of them has the sha1sum seen on the webpage (2744d50f56c3d6332bc75e676f36aad3058d0aad), the other one has a different one (0fd0cbaedc0daa7a9af5d3e76f9991bba5b0e3bd). The different one can be obtained e.g. from http://kali.solaraservers.com/kali-images/kali-1.0.9a/. There are also two different versions of the SHA1SUMS file and even two versions of SHA1SUMS.gpg (for each iso). The interesting thing is that both of these signatures verify with the same Kali key (44C6 513A 8E4F B3D3 0875 F758 ED44 4FF0 7D8D 0BF6).

Steps To Reproduce

Download the Kali iso, SHA1SUMS and SHA1SUMS.gpg from this mirror: http://kali.solaraservers.com/kali-images/kali-1.0.9a/ and also from some other mirror. Observe that the files differ, but both SHA1SUMS are signed with the Kali key.

Additional Information

stevko@napo ~/tmp$ find
.
./1
./1/SHA1SUMS.gpg
./1/SHA1SUMS
./2
./2/SHA1SUMS.gpg
./2/SHA1SUMS
stevko@napo ~/tmp$ LANG=C gpg --verify 1/SHA1SUMS.gpg 1/SHA1SUMS
gpg: Signature made So 27. september 2014, 21:40:24 CEST using RSA key ID 7D8D0BF6
gpg: Good signature from "Kali Linux Repository <[email protected]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 44C6 513A 8E4F B3D3 0875 F758 ED44 4FF0 7D8D 0BF6
stevko@napo ~/tmp$ LANG=C gpg --verify 2/SHA1SUMS.gpg 2/SHA1SUMS
gpg: Signature made Št 2. október 2014, 15:26:04 CEST using RSA key ID 7D8D0BF6
gpg: Good signature from "Kali Linux Repository <[email protected]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 44C6 513A 8E4F B3D3 0875 F758 ED44 4FF0 7D8D 0BF6
stevko@napo ~/tmp$ cat 1/SHA1SUMS
0fd0cbaedc0daa7a9af5d3e76f9991bba5b0e3bd kali-linux-1.0.9a-amd64.iso
9fb803924bb5feea5b7ebf6c8ccb74cee3858dff kali-linux-1.0.9a-i386.iso
5e98e48a26c877fa3ab288bcc62eb6993c4c2139 kali-linux-1.0.9a-armel.img.xz
06a849d325e397e1703b8e2769c472a7f215311c kali-linux-1.0.9a-armhf.img.xz
stevko@napo ~/tmp$ cat 2/SHA1SUMS
2744d50f56c3d6332bc75e676f36aad3058d0aad kali-linux-1.0.9a-amd64.iso
89acef59694abc6858da681bb466355f6a31fdb6 kali-linux-1.0.9a-i386.iso
5e98e48a26c877fa3ab288bcc62eb6993c4c2139 kali-linux-1.0.9a-armel.img.xz
06a849d325e397e1703b8e2769c472a7f215311c kali-linux-1.0.9a-armhf.img.xz
stevko@napo ~/tmp$
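
The following script is an added example, not part of this report or of Kali's own mirror tooling. It parses the two signed SHA1SUMS lists exactly as captured above, lists the files on which the mirrors disagree, and checks a downloaded file's digest against whichever list you trust; since a good signature only proves the list was signed by the Kali key at some point, not that it is the current one, the cross-mirror (or mirror-versus-official-site) comparison is the check that catches a stale mirror.

```python
import hashlib

# Both signed SHA1SUMS lists as captured in the session above (MIRROR1 = kali.solaraservers.com).
SHA1SUMS_MIRROR1 = """\
0fd0cbaedc0daa7a9af5d3e76f9991bba5b0e3bd kali-linux-1.0.9a-amd64.iso
9fb803924bb5feea5b7ebf6c8ccb74cee3858dff kali-linux-1.0.9a-i386.iso
5e98e48a26c877fa3ab288bcc62eb6993c4c2139 kali-linux-1.0.9a-armel.img.xz
06a849d325e397e1703b8e2769c472a7f215311c kali-linux-1.0.9a-armhf.img.xz
"""
SHA1SUMS_MIRROR2 = """\
2744d50f56c3d6332bc75e676f36aad3058d0aad kali-linux-1.0.9a-amd64.iso
89acef59694abc6858da681bb466355f6a31fdb6 kali-linux-1.0.9a-i386.iso
5e98e48a26c877fa3ab288bcc62eb6993c4c2139 kali-linux-1.0.9a-armel.img.xz
06a849d325e397e1703b8e2769c472a7f215311c kali-linux-1.0.9a-armhf.img.xz
"""

def parse_sums(text):
    """Parse sha1sum(1) output ('<hex>  <name>' or '<hex> *<name>') into {name: hex}."""
    sums = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        digest, _, name = line.strip().partition(" ")
        name = name.lstrip(" *")  # '*' marks binary mode in coreutils output
        if len(digest) != 40 or not set(digest.lower()) <= set("0123456789abcdef") or not name:
            raise ValueError(f"malformed SHA1SUMS line: {line!r}")
        sums[name] = digest.lower()
    return sums

def disagreements(*sum_texts):
    """Files whose digests differ between the lists: {name: [digest per list]}."""
    parsed = [parse_sums(t) for t in sum_texts]
    return {n: [p.get(n) for p in parsed]
            for n in sorted(set().union(*parsed))
            if len({p.get(n) for p in parsed}) > 1}

def sha1_of_file(path, chunk=1 << 20):
    """Stream a file through SHA-1 so a multi-GB ISO need not fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_digest(digest, name, sums_text):
    """True if `digest` matches the entry for `name` in an already gpg-verified list."""
    expected = parse_sums(sums_text).get(name)
    if expected is None:
        raise KeyError(f"{name} is not listed in this SHA1SUMS")
    return digest.lower() == expected
```

Running `disagreements(SHA1SUMS_MIRROR1, SHA1SUMS_MIRROR2)` flags the amd64 and i386 ISOs, the two files the stale mirror served with old digests; `verify_digest(sha1_of_file("kali-linux-1.0.9a-amd64.iso"), "kali-linux-1.0.9a-amd64.iso", SHA1SUMS_MIRROR2)` then checks a local download against the current list.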

Activities

rhertzog

2014-11-03 08:30

administrator   ~0002681

For now, I dropped kali.solaraservers.com from the mirror list. But I'll implement an out-of-sync check like we already have for the two other repositories... with a longer delay since it changes less often and is not SSH triggered.

rhertzog

2014-11-03 08:31

administrator   ~0002682

FWIW the 1.0.9a ISOs have been generated multiple times due to problems found after the generation, and it looks like this mirror mirrored the bad images once and never caught up since...

rhertzog

2014-12-04 15:28

administrator   ~0002854

I have now extended my monitoring script to also cover the kali-images mirrors. Any mirror that has not synced in the last two days will be dropped from the mirror rotation.

Issue History

Date Modified Username Field Change
2014-11-02 15:59 stevko New Issue
2014-11-03 08:30 rhertzog Note Added: 0002681
2014-11-03 08:30 rhertzog Assigned To => rhertzog
2014-11-03 08:30 rhertzog Status new => assigned
2014-11-03 08:31 rhertzog Note Added: 0002682
2014-11-21 20:03 haider Issue cloned: 0001895
2014-12-04 15:28 rhertzog Note Added: 0002854
2014-12-04 15:28 rhertzog Status assigned => resolved
2014-12-04 15:28 rhertzog Resolution open => fixed