Hi,
On Wed, 2023-05-03 at 11:43 +0000, PG Bug reporting form wrote:
> The following bug has been logged on the website:
>
> Bug reference: 17918
> Logged by: Sureshkumar G
> Email address: suresh.kumar@d4t4solutions.com
> PostgreSQL version: 12.0
> Operating system: CentOS7
> Description:
>
> We're using Foreman satellite server and we tried to sync posgresql 12
> repo
> from https://download.postgresql.org/ and facing failed checksum error
> for
> below package
>
> Package: pg_auto_failover_12-llvmjit-1.6.3-1.rhel7.x86_64.rpm
>
> Error:
> "A file located at the url
>
http://download.postgresql.org/pub/repos/yum/12/redhat/rhel-7.0-x86_64/pg_auto_failover_12-llvmjit-1.6.3-1.rhel7.x86_64.rpm
> failed validation due to checksum."
>
> We're validated checksum and looks it both're different.
>
> sha256sum pg_auto_failover_12-llvmjit-1.6.3-1.rhel7.x86_64.rpm
> cd752ab10807898f4451c2a9cbf9782f6ed91273b0d62fb0d8746dcfee067bb9
> pg_auto_failover_12-llvmjit-1.6.3-1.rhel7.x86_64.rpm
>
> </package>
> <package
> pkgid="899efe5f0c404d870c7fd8900b66bb72c54548c0cd5152a60b09d5133514d55
> 9"
> name="pg_auto_failover_12-llvmjit" arch="x86_64">
>
> Can you please look on it and also let me know if any security risk
> being
> there if we skip checksum for this package?
>
I can confirm that this is caused by signing unsigned packages last
week, but rsync failing to update main server(s). So this is *not* a
security issue.
However, as a precaution, I removed problematic packages from the
repository. They were too old anyway. I did not want to push updated
checksums for the same packages.
Please let me know if this solves your problem.
Again, thanks for the report.
Regards,
--
Devrim Gündüz
Open Source Solution Architect, PostgreSQL Major Contributor
Twitter: @DevrimGunduz , @DevrimGunduzTR
