Checksum different than previously posted online - should it be?

[busterrr3x]

Last week I downloaded the checksum for armbian20.05.2_Orangepiplus2e_buster_current_5.4.43_desktop.img.xz and checked the checksum that came with the download. The .img checksum downloaded with the image and the checksum I ran were the same. When I check the online checksum here on armbian.com under downloads, sha, TODAY, the checksum is different. 

 

Is there any reason for me to believe that my original checksum and download may have been corrupted? I realize I can just re-download the image now, but whose to say that the one posted now is correct and not the previous one (while maybe both correct/fine)?

 

I know that checksums can change over time, assuming there has been an update or something; read about this somewhere. 

 

Thanks. 

Edited October 4, 2020 by busterrr3x

[Igor]

8 hours ago, busterrr3x said:

TODAY, the checksum is different. 

For example, those links always redirect you to the latest version:
https://redirect.armbian.com/orangepiplus2e/Bionic_current

https://redirect.armbian.com/orangepiplus2e/Bionic_current.sha

 

while actual files are changing. Paired SHA should always fit. 

 

Is this the problem?

[busterrr3x]

Hi Igor, thanks. But I'm not sure I understand. I'm using buster and those links are for bionic. But I will test what I think you may be trying to say. 

 

My guess is that the best thing is to verify the checksum signature.  I thought there was a link on armbian.com for that, but don't seem to be able to find it. 

 

I also recall having some trouble figuring out how to do it. Anyway, could you provide a link for instructions?

Thanks

[Igor]

3 hours ago, busterrr3x said:

Hi Igor, thanks. But I'm not sure I understand. I'm using buster and those links are for bionic.

 

Sorry, I mixed but its the same. Replace Bionic with Buster in the URL and try.

 

3 hours ago, busterrr3x said:

My guess is that the best thing is to verify the checksum signature. 

 

First is data integrity checking

https://docs.armbian.com/User-Guide_Getting-Started/#how-to-check-download-integrity

, while signature is authenticity checking - if image was made by us:
https://docs.armbian.com/User-Guide_Getting-Started/#how-to-check-download-authenticity

[busterrr3x]

Thanks Igor. 

 

As for trying to verify the signature - I'm getting closer, but apparently still doing something incorrect. 

 

I have in the same directory: the ".img" and the ".asc", and nothing else. I open a terminal there and then run the following:

 

$ sudo gpg --verify Armbian_20.05.2_Orangepiplus2e_buster_current_5.4.43.img.xz.asc [sudo] password for b:

 

OUTPUT: gpg: no signed data gpg: can't hash datafile: No data 

 

Or is the output for signature telling me the checksum is not valid? 

 

=========================================================================== 

 

DOWNLOADING YOUR PUBLIC KEY: (I don't know why, but your public key almost never downloads/imports; I got lucky importing it once out of many tries; wish I knew why...)

 

# download public key from the database

sudo gpg --keyserver ha.pool.sks-keyservers.net --recv-key DF00FAF1C577104B50BF1D0093D6889F9F0E78D5

 

OUTPUT: sudo gpg --keyserver ha.pool.sks-keyservers.net --recv-key DF00FAF1C577104B50BF1D0093D6889F9F0E78D5 gpg: /root/.gnupg/trustdb.gpg: trustdb created gpg: key 93D6889F9F0E78D5: public key "Igor Pecovnik <igor@armbian.com>" imported gpg: Total number processed: 1 gpg: imported: 1

 

Thanks. 

Edited October 6, 2020 by busterrr3x

[Igor]

21 minutes ago, busterrr3x said:

your public key almost never downloads/imports

Not a problem of my public key, but a problem of public key server. 

 

24 minutes ago, busterrr3x said:

Or is the output for signature telling me the checksum is not valid? 

After you loaded key or before?

[busterrr3x]

Hi Igor. I loaded the key before anything else, your key ...import, if that's what you mean. 

 

After I import your key with the command line, is there anything else I need to do, such as with my 'key management - KGpg' .... "import keys". 

 

The command said it was imported, but I don't know where to check to see if yours is there; not sure if I'm supposed to be able to see it...?

 

Thanks. 

Edited October 6, 2020 by busterrr3x

[Igor]

I don't know what you are doing wrong. I just recreated on a clean build:
 

gpg --keyserver ha.pool.sks-keyservers.net --recv-key DF00FAF1C577104B50BF1D0093D6889F9F0E78D5
gpg: directory '/root/.gnupg' created
gpg: keybox '/root/.gnupg/pubring.kbx' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 93D6889F9F0E78D5: public key "Igor Pecovnik <igor@armbian.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1

wget https://redirect.armbian.com/odroidn2/Bionic_current_desktop
wget https://redirect.armbian.com/odroidn2/Bionic_current_desktop.asc

gpg --verify Bionic_current_desktop.asc 
gpg: assuming signed data in 'Bionic_current_desktop'

gpg: Signature made tor 01 sep 2020 20:30:24 CEST
gpg:                using RSA key DF00FAF1C577104B50BF1D0093D6889F9F0E78D5
gpg: Good signature from "Igor Pecovnik <igor@armbian.com>" [unknown]
gpg:                 aka "Igor Pecovnik (Ljubljana, Slovenia) <igor.pecovnik@gmail.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: DF00 FAF1 C577 104B 50BF  1D00 93D6 889F 9F0E 78D5

 

[busterrr3x]

The 'desktop-image' doc I was comparing the '.asc-doc' against was NOT a desktop image. Changed it and it worked. 

 

Thx

Edited October 7, 2020 by busterrr3x

[busterrr3x]

8 hours ago, busterrr3x said:

The 'desktop-image' doc I was comparing the '.asc-doc' against was NOT a desktop image. Changed it and it worked. 

 

Thx

TO CLARIFY: actually, the 'formula' ran and gave a typical output whereas before it did not, so that was a success in itself. However, I did get a 'bad signature'. But at least I am now comfortable checking the signature, so it was still a success