Posted to users@spamassassin.apache.org by Daniele Duca <du...@staff.spin.it> on 2018/10/02 14:00:49 UTC

sa-update and signature verification

Hello,

Since updating to 3.4.2 I can't download rules from unofficial channels. 
The problem is that in version 3.4.1 sa-update checks the hash of the 
downloaded file using file.sha1, while version 3.4.2 uses file.sha256 
or file.sha512. See the relevant differences in the following sa-update 
--help:


3.4.1:
sa-update --help
...
--install filename      Install updates directly from this file. 
Signature verification will use "file.asc" and "file.sha1"
...

3.4.2
sa-update --help
...
--install filename      Install updates directly from this file. 
Signature verification will use "file.asc", "file.sha256", and 
"file.sha512".
...


Using the --nogpg option doesn't help, sa-update still hard-fails if it 
doesn't find one of the .sha(256|512) files.

Reading the code in sa-update I found that even if --nogpg is specified, 
sa-update still tries to download the signature file even though it's not 
used afterwards, and that is basically what causes the update procedure to fail.
For the moment I brutally hacked sa-update not to care about 
signatures when using unofficial channels, but I'd like to understand if 
I'm missing something obvious that doesn't require code mangling to use 
"old" update channels.

Thanks

Daniele Duca


Re: sa-update and signature verification

Posted by "Kevin A. McGrail" <km...@apache.org>.
Hi Daniele,

You are correct. 3.4.2 does not support rule channels that
only use SHA1.

Please contact the other rule channels and tell them to add sha256.  We
have moved away from SHA1.  It should be trivial on their end to
generate a sha256sum.

Regards,
KAM

On 10/2/2018 10:00 AM, Daniele Duca wrote:
> Hello,
>
> Since updating to 3.4.2 I can't download rules from unofficial
> channels. The problem is that in version 3.4.1 sa-update checks the
> hash of the downloaded file using file.sha1, while version 3.4.2 uses
> file.sha256 or file.sha512. See the relevant differences in the
> following sa-update --help:
>
>
> 3.4.1:
> sa-update --help
> ...
> --install filename      Install updates directly from this file.
> Signature verification will use "file.asc" and "file.sha1"
> ...
>
> 3.4.2
> sa-update --help
> ...
> --install filename      Install updates directly from this file.
> Signature verification will use "file.asc", "file.sha256", and
> "file.sha512".
> ...
>
>
> Using the --nogpg option doesn't help, sa-update still hard-fails if it
> doesn't find one of the .sha(256|512) files.
>
> Reading the code in sa-update I found that even if --nogpg is
> specified, sa-update still tries to download the signature file even
> though it's not used afterwards, and that is basically what causes the
> update procedure to fail.
> For the moment I brutally hacked sa-update not to care about
> signatures when using unofficial channels, but I'd like to understand
> if I'm missing something obvious that doesn't require code mangling to
> use "old" update channels.
>
> Thanks
>
> Daniele Duca
>

-- 
Kevin A. McGrail
VP Fundraising, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171
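The thread above describes two sides of the same check: a channel publishing file.sha256 / file.sha512 beside its rules tarball, and a 3.4.2 client refusing a channel that only offers file.sha1. The script below is an added example written for this thread, not sa-update's own code or anything shipped by the SpamAssassin project. It assumes, as sa-update's --help text suggests, that the sidecar holds the hex digest as the first whitespace-separated token (the layout sha256sum and sha512sum emit); the function names (digest, make_sidecars, verify_rules, demo) and the rules.tgz payload in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example (not sa-update's own code): generate the hash sidecars a
# SpamAssassin 3.4.2 sa-update looks for next to a rules tarball, and verify
# a download the way 3.4.2 does, refusing a channel that only ships file.sha1.
# Assumption: the sidecar's first whitespace-separated token is the hex digest,
# i.e. the "DIGEST  NAME" layout that sha256sum / sha512sum produce.

# Print only the hex digest of file $2 using SHA-$1 (256 or 512).
# Falls back to shasum where GNU coreutils' sha*sum is absent (e.g. macOS).
digest() {
    if command -v "sha$1sum" >/dev/null 2>&1; then
        "sha$1sum" "$2" | awk '{print $1}'
    else
        shasum -a "$1" "$2" | awk '{print $1}'
    fi
}

# Channel side: write file.sha256 and file.sha512 beside the tarball in the
# same "DIGEST  NAME" layout sha256sum emits (two spaces, basename only).
make_sidecars() {
    rules=$1
    printf '%s  %s\n' "$(digest 256 "$rules")" "$(basename "$rules")" >"$rules.sha256"
    printf '%s  %s\n' "$(digest 512 "$rules")" "$(basename "$rules")" >"$rules.sha512"
}

# Client side, mirroring the 3.4.2 policy: succeed (return 0) only if at least
# one of file.sha256 / file.sha512 exists and every sidecar present matches the
# tarball. A channel offering only file.sha1 is refused even though SHA-1 could
# still be computed, because SHA-1 is no longer an accepted integrity check.
verify_rules() {
    rules=$1
    checked=0
    for alg in 256 512; do
        side="$rules.sha$alg"
        [ -f "$side" ] || continue
        expected=$(awk 'NR==1 {print $1}' "$side")
        actual=$(digest "$alg" "$rules")
        if [ "$expected" != "$actual" ]; then
            echo "verify_rules: SHA-$alg mismatch for $rules" >&2
            return 1
        fi
        checked=$((checked + 1))
    done
    if [ "$checked" -eq 0 ]; then
        if [ -f "$rules.sha1" ]; then
            echo "verify_rules: only $rules.sha1 is offered; SHA-1 is not accepted, ask the channel to add .sha256" >&2
        else
            echo "verify_rules: no .sha256 or .sha512 sidecar found for $rules" >&2
        fi
        return 1
    fi
    return 0
}

# Stand-alone demo over a constructed tarball (its contents are arbitrary bytes).
demo() {
    work=$(mktemp -d)
    printf 'constructed rules payload\n' >"$work/rules.tgz"
    make_sidecars "$work/rules.tgz"
    verify_rules "$work/rules.tgz" && echo "fresh sidecars: accepted"
    printf 'tampered\n' >>"$work/rules.tgz"
    verify_rules "$work/rules.tgz" || echo "tampered tarball: rejected"
    rm -rf "$work"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh sidecars.sh demo` to see both outcomes. A channel maintainer only needs the make_sidecars half, run once per published tarball; the verify_rules half shows why --nogpg alone cannot rescue a SHA1-only channel: the integrity check on the hash sidecar is separate from the GPG signature check, so skipping the signature leaves the missing .sha256 / .sha512 lookup in place.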