Move to verifying PGP signature #23
Comments
Yea, PGP sig is definitely more robust. I was planning on setting up a system to check the package every hour and auto-update if the hash changes from what is expected already. I'll take a look at setting this up with internal scripting until it gets integrated upstream. It'll make things much better than checking every hour for updates and auto-pushing the changes.
Signature verification will indeed be a very nice solution, seeing that the Arch Linux package hasn't had to be updated for over 6 months. Btw, thank you for helping out with the project. I really appreciate it :)
arg. So the SHA256 is absolutely required along with the content size. So, even if I were to hack on PGP verification, we'd still need to update the checksum and sizes. So, not going to go down adding that in internally. We can just wait until flatpaks handle it directly. For now, I'll put a script together to handle checking for an update routinely and auto-updating the json. For now the priority is quickly detecting package changes and documenting how to contribute and check the build state. Then once PGP comes into play, the quick detection becomes irrelevant.
I guess I am hitting this?
@Mikaela Nope. PGP hasn't rolled out yet (since we don't have the tools) and that would make the problem you're seeing not happen. What you're seeing is the verification that the client we download from Jagex is what we expect it to be. To fix this, we routinely have to update the repository here with the new expected verification identifier. I pulled the latest in yesterday morning, but it could have taken some time to process building and get deployed. I see it has now passed building on the server and therefore should be deployed. Could you please attempt to install it again? If it still fails in the same way, please open a new issue and I'll look into it.
Thanks, this is what I tried to ask. I guess there isn't more to do for users than 👍 https://github.com/flatpak/flatpak/issues/16 (I did)?
The flatpak issue 16 referenced is not done. When it gets done the issue will be closed. Until then we're all just waiting to make a simpler experience. 😦 Thank you for the specific issue. Looking over at that now.
Sorry, I am confusing and edited the comment, I meant that I did 👍 the issue.
Ah yup. Honestly I don't even think thumbing it up or anything helps. I'm not sure how the flatpak team prioritizes things. IMO PGP all around is one of the more important things to be done for package maintainers going forward. It helps us reduce time in maintaining trivial updates and gives users a better experience from that. But, it seems other infrastructural things are taking precedence over that (limited dev time in the first place.) All we can do is just wait for it to be prioritized and worked on. Until then, I'm trying to do the best I can to ease maintenance given the current system we have. Jagex doesn't care to help either, Linux to them is inconsequential. I've moved to MacOS myself, yup betrayed the Linux. I'm more maintaining this out of it simply not being too difficult or time consuming. It's quite easy when the infrastructure I've made works (as it has for a few months now.) I put some slight protections in place, but sadly I can't test the Github API so only the next few updates will tell if it works.
Hi I got the same error: [Update] Fixed on OS Tumbleweed 20190704
I believe this is caused each time a new client is introduced. Ad hoc, 2.2.9. I note the previous entries do not state the version of the clients, perhaps I am wrong, but... I would not be surprised if the 2018 issues were 2.2.4 or thereabouts and the 2019 was 2.2.6 or 7. I believe this is spot on, but no one posted either how to by-pass the checksum and force it to install anyway, or the scripts they mention planning to write, or how to do anything other than wait for it to be fixed on flathub/pak. Previously, I created a copy of .../stable directory with hidden files and created the following script: #!/bin/sh which would allow me to use runescape the way it was (2.2.4) at least once until flathub/flatpak caught up. I am unsure exactly what "causes" this, but I believe that there is a part of the script pointing to a wrong file - or the SHA is not updated to the new file. In this particular instance 2.2.9, nothing works for me and I also get the following when doing "flatpak install flathub com.jagex.RuneScape": "error: Failed to install com.jagex.RuneScape/x86_64/stable: Wrong size for extra data https://content.runescape.com/downloads/ubuntu/pool/non-free/r/runescape-launcher/runescape-launcher_2.2.9_amd64.deb". This sounds similar to what I read on the r/s forum @ QFC 278-279-573-66145484 and seems someone at flathub and jagex just need to communicate. I hope this will bring it to someone's attention.
There is no communicating with Jagex. They don't care about Linux users. Flathub is purely reactionary to all changes. Given it's also of my primary working area for code these days, I don't catch these things as they occur. With the bot it tries to automate as many updates as possible. But if Jagex still goes bonkers manual intervention is required. Which happens once or twice a year.
We certainly appreciate those manual interventions!
RuneScape often changes the content of their .deb without changing the URL, so the hashes don't match, which results in people getting a "Wrong size for extra data" error when downloading this Flatpak.
Arch Linux's solution on their package is to stop verifying the checksum and move over to verifying the PGP signature. This is not currently officially supported in Flatpak, so we'll have to do our own implementation or wait for Flatpak to implement this feature in https://github.com/flatpak/flatpak/issues/16
We need PGP verification to be possible for extra-data, as the .deb is downloaded at runtime because we are not allowed to redistribute it ourselves.
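
The size-and-checksum pin discussed in this issue, as an added example that is not part of the original thread or the project's own tooling: Python code that classifies a downloaded payload against an `extra-data` source entry and re-pins the entry when upstream has drifted. The URL, filename and payload bytes are constructed, and checking size before hash is an assumption chosen to match the error quoted in the thread.

```python
import hashlib
import json

# Constructed stand-ins for the upstream .deb before and after a silent re-publish.
OLD_DEB = b"A" * 64 + b"old build"
NEW_DEB = b"A" * 64 + b"re-published build"


def make_entry(url, payload):
    """Build an extra-data source entry pinned to the given payload."""
    return {
        "type": "extra-data",
        "filename": "launcher.deb",  # hypothetical filename
        "url": url,
        "sha256": hashlib.sha256(payload).hexdigest(),
        "size": len(payload),
    }


def check_extra_data(entry, payload):
    """Return 'ok', 'wrong-size' or 'wrong-checksum' for a downloaded payload.

    Size is compared before the hash (an assumption, chosen to match the
    'Wrong size for extra data' error quoted in the thread).
    """
    if len(payload) != entry["size"]:
        return "wrong-size"
    if hashlib.sha256(payload).hexdigest() != entry["sha256"]:
        return "wrong-checksum"
    return "ok"


def refresh_entry(entry, payload):
    """Return (entry, changed); re-pin size and sha256 only when upstream drifted.

    The new pin records what was downloaded; it does not authenticate it.
    That is the gap signature verification would close.
    """
    if check_extra_data(entry, payload) == "ok":
        return entry, False
    digest = hashlib.sha256(payload).hexdigest()
    return dict(entry, sha256=digest, size=len(payload)), True


if __name__ == "__main__":
    pinned = make_entry("https://example.invalid/launcher_amd64.deb", OLD_DEB)
    print(check_extra_data(pinned, NEW_DEB))
    updated, changed = refresh_entry(pinned, NEW_DEB)
    print(changed, json.dumps(updated, indent=2))
```
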