Message-Id: <201201052013.q05KDSK6066551@red.freebsd.org>
Date: Thu, 5 Jan 2012 20:13:28 GMT
From: Derek Schrock <dereks@lifeofadishwasher.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: i386 latest.ssl freebsd-update file is invalid
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         163837
>Category:       bin
>Synopsis:       freebsd-update(8): i386 latest.ssl freebsd-update file is invalid
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    cperciva
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jan 05 20:20:11 UTC 2012
>Closed-Date:    
>Last-Modified:  Mon Mar 12 02:04:13 UTC 2012
>Originator:     Derek Schrock
>Release:        8.2-p6
>Organization:
>Environment:
FreeBSD ircbsd.lifeofadishwasher.com 8.2-RELEASE-p3 FreeBSD 8.2-RELEASE-p3 #0: Tue Sep 27 18:07:27 UTC 2011     root@i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  i386

>Description:
When trying to use freebsd-update to perform a binary update to 9.0-RELEASE I get the following message:

Fetching metadata signature for 9.0-RELEASE from update4.FreeBSD.org... invalid signature.
Fetching metadata signature for 9.0-RELEASE from update2.FreeBSD.org... invalid signature.
Fetching metadata signature for 9.0-RELEASE from update5.FreeBSD.org... invalid signature.
Fetching metadata signature for 9.0-RELEASE from update3.FreeBSD.org... invalid signature.
No mirrors remaining, giving up.

It appears the latest.ssl file on the update servers is bad:

# fetch http://update5.freebsd.org/9.0-RELEASE/i386/latest.ssl
latest.ssl                                    100% of  512  B 4064 kBps
# openssl rsautl -pubin -inkey pub.ssl -verify < latest.ssl
freebsd-update|i386|9.0-RELEASE|0|e2e72ff9a28072e9c3f1b5deb00fa3761ef259246bc7f5b38326bdddad4cd04c|EOL=1359676800

Last field:
EOL=1359676800

Regex used to validate tag.new file:
"^freebsd-update\|${ARCH}\|${RELNUM}\|[0-9]+\|[0-9a-f]{64}\|[0-9]{10}"

Example of the amd64 version with a valid last field:
# fetch http://update5.freebsd.org/9.0-RELEASE/amd64/latest.ssl
latest.ssl                                    100% of  512  B 4032 kBps
# openssl rsautl -pubin -inkey pub.ssl -verify < latest.ssl
freebsd-update|amd64|9.0-RELEASE|0|603c211a27349064fad20ee6dfc6ea75e8e04504bbe48107f9e328d9b6ff9a77|1359676800
>How-To-Repeat:
# freebsd-update -r 9.0-RELEASE upgrade
>Fix:
# openssl rsautl -pubin -inkey pub.ssl -verify < latest.ssl 

Remove the EOL= from the last field in the tag.new file

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-i386->cperciva 
Responsible-Changed-By: remko 
Responsible-Changed-When: Fri Jan 6 06:07:41 UTC 2012 
Responsible-Changed-Why:  
reassign to colin 

http://www.freebsd.org/cgi/query-pr.cgi?pr=163837 

From: Colin Percival <cperciva@freebsd.org>
To: bug-followup@FreeBSD.org, dereks@lifeofadishwasher.com
Cc:  
Subject: Re: bin/163837: i386 latest.ssl freebsd-update file is invalid
Date: Thu, 05 Jan 2012 22:27:36 -0800

 Duh, stupid copy-paste error.  Thanks for pointing this out, I'll get it fixed
 before the release announcement goes out.
 
 -- 
 Colin Percival
 Security Officer, FreeBSD | freebsd.org | The power to serve
 Founder / author, Tarsnap | tarsnap.com | Online backups for the truly paranoid

From: Colin Percival <cperciva@freebsd.org>
To: bug-followup@FreeBSD.org, dereks@lifeofadishwasher.com
Cc:  
Subject: Re: bin/163837: i386 latest.ssl freebsd-update file is invalid
Date: Thu, 05 Jan 2012 22:58:57 -0800

 Should be fixed now.  Please test and confirm.
 
 -- 
 Colin Percival
 Security Officer, FreeBSD | freebsd.org | The power to serve
 Founder / author, Tarsnap | tarsnap.com | Online backups for the truly paranoid

From: Derek Schrock <dereks@lifeofadishwasher.com>
To: Colin Percival <cperciva@freebsd.org>
Cc: bug-followup@FreeBSD.org
Subject: Re: bin/163837: i386 latest.ssl freebsd-update file is invalid
Date: Fri, 6 Jan 2012 08:39:12 -0500

 Looks like update.freebsd.org and update2.freebsd.org still need to be updated (3, 4, 5 appear alright):
 
 $ for i in "" 2 3 4 5 ; do set -x; fetch http://update${i}.freebsd.org/9.0-RELEASE/i386/latest.ssl; sudo openssl rsautl -pubin -inkey /var/db/freebsd-update/pub.ssl -verify < latest.ssl; done
 + fetch http://update.freebsd.org/9.0-RELEASE/i386/latest.ssl
 latest.ssl                                    100% of  512  B 4136 kBps
 + sudo openssl rsautl -pubin -inkey /var/db/freebsd-update/pub.ssl -verify
 freebsd-update|i386|9.0-RELEASE|0|e2e72ff9a28072e9c3f1b5deb00fa3761ef259246bc7f5b38326bdddad4cd04c|EOL=1359676800
 + for i in '""' 2 3 4 5
 + set -x
 + fetch http://update2.freebsd.org/9.0-RELEASE/i386/latest.ssl
 latest.ssl                                    100% of  512  B 4161 kBps
 + sudo openssl rsautl -pubin -inkey /var/db/freebsd-update/pub.ssl -verify
 freebsd-update|i386|9.0-RELEASE|0|e2e72ff9a28072e9c3f1b5deb00fa3761ef259246bc7f5b38326bdddad4cd04c|EOL=1359676800
 + for i in '""' 2 3 4 5
 + set -x
 + fetch http://update3.freebsd.org/9.0-RELEASE/i386/latest.ssl
 latest.ssl                                    100% of  512  B 4279 kBps
 + sudo openssl rsautl -pubin -inkey /var/db/freebsd-update/pub.ssl -verify
 freebsd-update|i386|9.0-RELEASE|0|e2e72ff9a28072e9c3f1b5deb00fa3761ef259246bc7f5b38326bdddad4cd04c|1359676800
 + for i in '""' 2 3 4 5
 + set -x
 + fetch http://update4.freebsd.org/9.0-RELEASE/i386/latest.ssl
 latest.ssl                                    100% of  512  B 4350 kBps
 + sudo openssl rsautl -pubin -inkey /var/db/freebsd-update/pub.ssl -verify
 freebsd-update|i386|9.0-RELEASE|0|e2e72ff9a28072e9c3f1b5deb00fa3761ef259246bc7f5b38326bdddad4cd04c|1359676800
 + for i in '""' 2 3 4 5
 + set -x
 + fetch http://update5.freebsd.org/9.0-RELEASE/i386/latest.ssl
 latest.ssl                                    100% of  512  B 4341 kBps
 + sudo openssl rsautl -pubin -inkey /var/db/freebsd-update/pub.ssl -verify
 freebsd-update|i386|9.0-RELEASE|0|e2e72ff9a28072e9c3f1b5deb00fa3761ef259246bc7f5b38326bdddad4cd04c|1359676800
 
 
 updating with update5:
 
 ....
 The following components of FreeBSD do not seem to be installed:
 src/base src/bin src/cddl src/contrib src/crypto src/etc src/games
 src/gnu src/include src/krb5 src/lib src/libexec src/release src/rescue
 src/sbin src/secure src/share src/sys src/tools src/ubin src/usbin
 world/catpages world/dict world/doc world/games world/info
 world/proflibs
 
 Does this look reasonable (y/n)? y
 
 Fetching metadata signature for 9.0-RELEASE from update5.FreeBSD.org... done.
 Fetching metadata index... done.
 Fetching 1 metadata patches. done.
 Applying metadata patches... done.
 Fetching 1 metadata files... done.
 Inspecting system... done.
 Fetching files from 8.2-RELEASE for merging... done.
 ....
 
 
 On Thu, Jan 05, 2012 at 10:58:57PM -0800, Colin Percival wrote:
 > Should be fixed now.  Please test and confirm.
 > 
 > -- 
 > Colin Percival
 > Security Officer, FreeBSD | freebsd.org | The power to serve
 > Founder / author, Tarsnap | tarsnap.com | Online backups for the truly paranoid
>Unformatted:
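
Added example (not part of the original report and not freebsd-update's own code): a POSIX sh check that applies the pattern quoted in the report to an already-decoded tag line and names the first field that breaks the format. The function names and field labels are illustrative assumptions; the two sample lines are the decoded i386 and amd64 lines shown in the report.

```shell
#!/bin/sh
# Input is the plaintext printed by `openssl rsautl ... -verify`,
# not the signed latest.ssl blob itself.

# Whole-line check with the pattern quoted in the report.
tag_is_valid() {    # usage: tag_is_valid ARCH RELNUM LINE
    printf '%s\n' "$3" | grep -qE \
        "^freebsd-update\|$1\|$2\|[0-9]+\|[0-9a-f]{64}\|[0-9]{10}"
}

# Print the first field that breaks the format, or "ok".
# Each field is anchored with ^...$, so this is stricter than the
# quoted pattern, which has no trailing "$".
tag_diagnose() {    # usage: tag_diagnose ARCH RELNUM LINE
    arch=$1 relnum=$2 line=$3
    old_ifs=$IFS; IFS='|'
    set -f; set -- $line; set +f    # split on "|" with globbing disabled
    IFS=$old_ifs
    [ "$#" -eq 6 ] || { echo "field-count"; return 1; }
    [ "$1" = "freebsd-update" ] || { echo "magic"; return 1; }
    [ "$2" = "$arch" ] || { echo "arch"; return 1; }
    [ "$3" = "$relnum" ] || { echo "release"; return 1; }
    printf '%s\n' "$4" | grep -qE '^[0-9]+$' || { echo "patchlevel"; return 1; }
    printf '%s\n' "$5" | grep -qE '^[0-9a-f]{64}$' || { echo "hash"; return 1; }
    printf '%s\n' "$6" | grep -qE '^[0-9]{10}$' || { echo "eol"; return 1; }
    echo "ok"
}

# Decoded lines copied from the report: i386 as first published, and amd64.
I386_BAD='freebsd-update|i386|9.0-RELEASE|0|e2e72ff9a28072e9c3f1b5deb00fa3761ef259246bc7f5b38326bdddad4cd04c|EOL=1359676800'
AMD64_OK='freebsd-update|amd64|9.0-RELEASE|0|603c211a27349064fad20ee6dfc6ea75e8e04504bbe48107f9e328d9b6ff9a77|1359676800'

for pair in "i386:$I386_BAD" "amd64:$AMD64_OK"; do
    a=${pair%%:*}; l=${pair#*:}
    echo "$a: $(tag_diagnose "$a" 9.0-RELEASE "$l")"
done
```

Run against each mirror's decoded line, this separates a mirror still serving the malformed tag from one whose signature genuinely fails to verify, which the client reports identically as "invalid signature".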
