Opened 8 years ago

Closed 8 years ago

#50835 closed defect (fixed)

qt4-mac Failed to verify signature for archive!

Reported by: jorgeantoniorivera@… Owned by: michaelld (Michael Dickens)
Priority: Normal Milestone:
Component: ports Version: 2.3.4
Keywords: Cc: eborisch (Eric A. Borisch)
Port: qt4-mac

Description (last modified by mf2k (Frank Schima))

I am trying to install it, and I get a suspicious error.

The rmd160 signature in the Portfile is different than the downloaded file.

Is this a security problem?

What is the correct signature for this file?

Best regards.

Port install log:


--->  Attempting to fetch qt4-mac-4.8.7_4.darwin_12.x86_64.tbz2.rmd160 from http://packages.macports.org/qt4-mac
Warning: Failed to verify signature for archive!
Error: org.macports.archivefetch for port qt4-mac returned: archivefetch failed for qt4-mac @4.8.7_4
Please see the log file for port qt4-mac for details:
    /opt/local/var/macports/logs/_opt_local_var_macports_sources_rsync.macports.org_release_tarballs_ports_aqua_qt4-mac/qt4-mac/main.log
Error: Unable to upgrade port: 1
Error: Unable to execute port: upgrade qt4-mac failed

My check dgst:


RIPEMD160(/tmp/qt4-mac-4.8.7_4.darwin_12.x86_64.tbz2)= 1d4a5db59629f516de6d5cec4e6ae72ddc8d0d25

Portfile contents:


checksums           rmd160 afb5e5a99388e6429faca59cb5000054feffd166 \
                    sha256 e2882295097e47fe089f8ac741a95fef47e0a73a3f3cdf21b56990638f626ea0

Change History (5)

comment:1 Changed 8 years ago by mf2k (Frank Schima)

Keywords: 146318 removed
Owner: changed from macports-tickets@… to michaelld@…
Type: changed from request to defect

In the future, please use WikiFormatting and Cc the port maintainers (port info --maintainers qt4-mac), if any.

Note that a "request" ticket type is only for requesting a new port.

comment:2 Changed 8 years ago by mf2k (Frank Schima)

Description: modified (diff)

comment:3 Changed 8 years ago by eborisch (Eric A. Borisch)

Looks like something in your downloaded file is corrupted. Try port clean --all qt4-mac and install (download) again. When I download that file, I get:

 RIPEMD160(qt4-mac-4.8.7_4.darwin_12.x86_64.tbz2)= 8df11b5f66c4e950ab709230a616133f1187230e

And it verifies OK with the associated .rmd160 signature.

comment:4 Changed 8 years ago by jorgeantoniorivera@…

Hello all.

I am sorry for my forms; this is my first report, after many years as a casual user.

I was positively sure that the file was not corrupted. I downloaded it several times, and I could uncompress it correctly.

I want to discard a security problem in this port, because other critical ports depend on it, KeePassX for example.

But today I am trying again, and the result is the same as you say:

RIPEMD160(/tmp/qt4-mac-4.8.7_4.darwin_12.x86_64.tbz2)= 8df11b5f66c4e950ab709230a616133f1187230e

Anyway, the rmd160 digest in the Portfile is different.

checksums           rmd160 afb5e5a99388e6429faca59cb5000054feffd166

Does this have any explanation?

Thank you so much. Best regards.

$ wget -v http://packages.macports.org/qt4-mac/qt4-mac-4.8.7_4.darwin_12.x86_64.tbz2
--2016-03-08 10:02:11--  http://packages.macports.org/qt4-mac/qt4-mac-4.8.7_4.darwin_12.x86_64.tbz2
Resolving packages.macports.org (packages.macports.org)... 198.232.124.36
Connecting to packages.macports.org (packages.macports.org)|198.232.124.36|:80... connected.

HTTP request sent, awaiting response... 200 OK
Length: 175965002 (168M) [application/x-bzip2]
Saving to: ‘qt4-mac-4.8.7_4.darwin_12.x86_64.tbz2’

qt4-mac-4.8.7_4.darwin_12.x86 100%[=================================================>] 167.81M  1.90MB/s    in 83s

2016-03-08 10:03:34 (2.03 MB/s) - ‘qt4-mac-4.8.7_4.darwin_12.x86_64.tbz2’ saved [175965002/175965002]

$ openssl dgst -rmd160 /tmp/qt4-mac-4.8.7_4.darwin_12.x86_64.tbz2
RIPEMD160(/tmp/qt4-mac-4.8.7_4.darwin_12.x86_64.tbz2)= 8df11b5f66c4e950ab709230a616133f1187230e

comment:5 Changed 8 years ago by eborisch (Eric A. Borisch)

Resolution: fixed
Status: changed from new to closed

In short: you have the correct binary package checksum (!= source distribution checksum stored in the Portfile) now. It looks like something was garbled in the initial compiled download (or the signed checksum download) from packages.macports.org, but it is in good shape now.
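
Added example, not part of the ticket and not MacPorts' own code: the distinction drawn in comment 5, shown as a detached-signature check on a binary archive with `openssl dgst`. The key pair, the stand-in archive and its `.rmd160` file are constructed here, and the script falls back to SHA-256 where the local OpenSSL build disables RIPEMD-160 (an assumption made for portability).

```shell
#!/bin/sh
# Added example: detached-signature check for a binary archive.
# Key pair and "archive" are constructed here; nothing is downloaded.

# Use RIPEMD-160 if this OpenSSL build enables it, else SHA-256 (assumption
# for portability; the files in the ticket use RIPEMD-160).
pick_digest() {
    if printf x | openssl dgst -ripemd160 >/dev/null 2>&1; then
        echo ripemd160
    else
        echo sha256
    fi
}

# archive_digest FILE: print the bare hex digest (integrity only, no key).
archive_digest() {
    openssl dgst "-$(pick_digest)" < "$1" | awk '{print $NF}'
}

# verify_archive ARCHIVE SIGFILE PUBKEY: exit 0 only if SIGFILE is a valid
# signature over ARCHIVE made with the private key matching PUBKEY.
verify_archive() {
    openssl dgst "-$(pick_digest)" -verify "$3" -signature "$2" "$1" \
        >/dev/null 2>&1
}

# make_fixture: build a throwaway signer key, a stand-in archive, its
# detached signature, and a corrupted copy. Prints the directory.
make_fixture() {
    d=$(mktemp -d) || return 1
    openssl genrsa -out "$d/key.pem" 2048 2>/dev/null || return 1
    openssl rsa -in "$d/key.pem" -pubout -out "$d/pub.pem" 2>/dev/null || return 1
    printf 'constructed archive payload\n' > "$d/pkg.tbz2"
    openssl dgst "-$(pick_digest)" -sign "$d/key.pem" \
        -out "$d/pkg.tbz2.rmd160" "$d/pkg.tbz2" || return 1
    { cat "$d/pkg.tbz2"; printf 'X'; } > "$d/bad.tbz2"
    echo "$d"
}

dir=$(make_fixture) || exit 1
for f in pkg.tbz2 bad.tbz2; do
    if verify_archive "$dir/$f" "$dir/pkg.tbz2.rmd160" "$dir/pub.pem"; then
        echo "$f: signature OK      digest $(archive_digest "$dir/$f")"
    else
        echo "$f: signature FAILED  digest $(archive_digest "$dir/$f")"
    fi
done
rm -rf "$dir"
```

A bare digest only shows that two copies differ; the signature check is what ties the archive to the signer's key, so a garbled download fails it regardless of what the Portfile `checksums` line says about the source distribution.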
