[Libreoffice-bugs] [Bug 53254] UI: msi packages of 3.6.0 release not signed in contrast to recent months of 3.5.x msi packages?

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Thu Aug 9 14:43:14 CEST 2012 

https://bugs.freedesktop.org/show_bug.cgi?id=53254

--- Comment #3 from real name <abittner at abittner.de> 2012-08-09 12:43:14 UTC ---
I dont know what is wrong with documentfoundation and/or libreoffice teams, but
the realease notes about 3.6.0 says thats its bitidentical with some latest RCx
version, and if thats true the signature was already missing in the RCx.

oddly enough there seem to be different binaries served from the docufoundation
bouncers and mirrors, as I have just received an apparently signed msi package
for the german help pack, although not directly personally, but an online virus
scan service has managed to receive a different sized msi binary for the german
help msi which actually does has some signature.

very weird

signed:
https://www.virustotal.com/file/b942086da97bde38752b58709df31bceaefae48c089b7c5f5c0960f71e82f155/analysis/1344515525/


First seen by VirusTotal
2012-08-09 12:32:05 UTC ( 1 Minute ago )
Last seen by VirusTotal
2012-08-09 12:32:05 UTC ( 1 Minute ago )
File names (max. 25)

    LibO_3.6.0_Win_x86_helppack_de.msi


SHA256:     b942086da97bde38752b58709df31bceaefae48c089b7c5f5c0960f71e82f155
SHA1:     53db9d3803ee928f15874f311055add9a64b1d3e
MD5:     80096c9b7b9c0efdad71ce9e10f83fbb
File size:     10.3 MB ( 10784768 bytes )
File name:     LibO_3.6.0_Win_x86_helppack_de.msi
File type:     FlashPix
Detection ratio:     0 / 42
Analysis date:     2012-08-09 12:32:05 UTC ( 1 Minute ago ) 


so the signed version is rather brand new according to virustotal



unsigned as being served to my internet connections and same as from yesterday:
https://www.virustotal.com/file/debaca218bd6204cc528d2201728695d0ce1ecf8b2184719cafaf791262d854c/analysis/1344515680/


First seen by VirusTotal
2012-08-08 14:15:01 UTC ( 22 Stunden, 22 Minuten ago )
Last seen by VirusTotal
2012-08-09 12:34:40 UTC ( 2 Minuten ago )
File names (max. 25)

    LibO_3.6.0_Win_x86_helppack_de.msi

SHA256:     debaca218bd6204cc528d2201728695d0ce1ecf8b2184719cafaf791262d854c
SHA1:     da493d7c83b0b21c907ceffd8a6a57d65d5444a2
MD5:     1708994e2f96a14ec6a4930f785383b5
File size:     10.3 MB ( 10776576 bytes )
File name:     LibO_3.6.0_Win_x86_helppack_de.msi
File type:     FlashPix
Detection ratio:     0 / 42
Analysis date:     2012-08-09 12:34:40 UTC ( 2 Minuten ago ) 




filesizes are different and so are hashes
what is wrong with the release and signing cycle over at
docufoundation/libreoffice?

this doesnt demonstrate a proper handling of releases and handly security
matters.

-- 
Configure bugmail: https://bugs.freedesktop.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the Libreoffice-bugs mailing list