author | Konstantin Ryabitsev <konstantin@linuxfoundation.org> | 2017-05-14 11:26:45 -0400 |
---|---|---|
committer | Konstantin Ryabitsev <konstantin@linuxfoundation.org> | 2017-05-14 11:26:45 -0400 |
commit | 3403a1e412fda92f1bbb1ecf5510e94e0a27afc8 (patch) | |
tree | 009e7d33845879fe45a04bee0f4858e404fce954 | |
parent | f952f9bb7300fc922da11a9e703ce712757fcd99 (diff) | |
download | website-3403a1e412fda92f1bbb1ecf5510e94e0a27afc8.tar.gz |
Explain "BAD Signature" errors in tarballs
For about 3 hours this morning the .tar.xz tarballs didn't verify for
benign reasons. This was fixed.
Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
-rw-r--r-- | content/news/2017-05-13-pixz-badsig.rst | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/content/news/2017-05-13-pixz-badsig.rst b/content/news/2017-05-13-pixz-badsig.rst new file mode 100644 index 0000000..7632a3a --- /dev/null +++ b/content/news/2017-05-13-pixz-badsig.rst @@ -0,0 +1,29 @@ +If you got "BAD Signature" this morning +======================================= + +:category: Site news + +The XZ tarballs for the following kernel releases did not initially pass +signature verification due to benign changes to the tarball structure +done by the pixz compression tool: + +- 4.11.1 +- 4.10.16 +- 4.9.28 +- 4.4.68 + +These changes would have resulted in GPG returning "Bad Signature" if +you tried to verify their integrity. Once we identified the problem, we +generated new XZ tarballs without tar header modifications and now they +should all pass PGP signature verification. + +We preserved the original .xz tarballs as -badsig files in the archives +in case you wanted to verify that there was nothing malicious in them, +merely tar header changes. You can find them in the same v4.x directory: + +- https://www.kernel.org/pub/linux/kernel/v4.x/ + +Our apologies for this problem. + +Regards, +Konstantin |
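Review bot: the title and the first paragraph of the new article date the incident only as "this morning", and the file sets just :category: with no :date: field, so a reader who arrives later cannot tell which day or time window the failed verifications belong to. The filename says 2017-05-13 while the commit is dated 2017-05-14, which adds to the ambiguity. Suggest putting the explicit date and the roughly 3-hour window mentioned in the commit message into the body. Two smaller points: the error string is spelled "BAD Signature" in the title and "Bad Signature" in the body, and quoting it one way makes the article easier to find by searching for the error text. Also, the paragraph about the preserved -badsig files invites readers to confirm that only tar headers changed but gives no hint of how to compare them with the regenerated tarballs; a sentence describing that comparison would make the offer actionable.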