Bug 1215920

Summary: qemu packages have incorrect checksums. Unable to update.
Product: [openSUSE] openSUSE Tumbleweed
Reporter: Jiri Kanicky <j>
Component: Security
Assignee: Security Team bot <security-team>
Status: RESOLVED WORKSFORME
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P5 - None
CC: Andreas.Stieger
Version: Current
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Jiri Kanicky 2023-10-04 00:53:21 UTC
Retrieving: qemu-vgabios-1.16.2_3_gd478f380-2.1.noarch (Main Repository (OSS))                                                                     (69/1142), 163.8 KiB    
Retrieving: qemu-vgabios-1.16.2_3_gd478f380-2.1.noarch.rpm ............................................................................................[done (138.6 KiB/s)]

Warning: Digest verification failed for file 'qemu-vgabios-1.16.2_3_gd478f380-2.1.noarch.rpm'
[/var/tmp/AP_0xrUUjEl/noarch/qemu-vgabios-1.16.2_3_gd478f380-2.1.noarch.rpm]

  expected 983b41b9f3ab1d62dbac3dab04df0eb5cdd82e02a252fc9b770fcd81a6a793dd0b58cb34530be09190fb26d9b429188685038d6d9ce26a77c050481cbd2178ad
  but got  73fed524ad43ea0e0b2342ce564d19d11b299dea1f45972411207ac4bfd4c15b0b39aebee38228ecd3788a74263c65aea113e4be6751aa068e9432fd0c1ac0e2

Accepting packages with wrong checksums can lead to a corrupted system and in extreme cases even to a system compromise.

However if you made certain that the file with checksum '73fe..' is secure, correct
and should be used within this operation, enter the first 4 characters of the checksum
to unblock using this file on your own risk. Empty input will discard the file.

Unblock or discard? [73fe/...? shows all options] (discard): 
Package qemu-vgabios-1.16.2_3_gd478f380-2.1.noarch (Main Repository (OSS)) seems to be corrupted during transfer. Do you want to retry retrieval?
Abort, retry, ignore? [a/r/i] (a): 
Problem occurred during or after installation or removal of packages:
Installation has been aborted as directed.
Please see the above error message for a hint.
Comment 1 Andreas Stieger 2023-10-04 05:58:03 UTC
When reporting bugs please give steps to reproduce. It may be obvious for you, but your report did not even include a command.

On the issue, the message is for YOU to consider, not a bug. If in doubt, do not proceed. Usually caused by a transient mirror issue, or an actual man-in-the-middle. 

In any case this works in the general case:


$ zypper info qemu-vgabios
Loading repository data...
Reading installed packages...


Information for package qemu-vgabios:
-------------------------------------
Repository     : openSUSE-Tumbleweed-Oss
Name           : qemu-vgabios
Version        : 1.16.2_3_gd478f380-2.1
Arch           : noarch
Vendor         : openSUSE
Installed Size : 359.3 KiB
Installed      : No
Status         : not installed
Source package : qemu-8.1.0-2.1.src
Upstream URL   : https://www.qemu.org/
Summary        : VGA BIOSes for QEMU
Description    :
    VGABIOS provides the video ROM BIOSes for the following variants of VGA
    emulated devices: Std VGA, QXL, Cirrus CLGD 5446 and VMware emulated
    video card. For use with QEMU.

$ zypper in --dry-run --download-only qemu-vgabios
Loading repository data...
Reading installed packages...
Resolving package dependencies...

The following NEW package is going to be installed:
  qemu-vgabios

1 new package to install.
Overall download size: 163.8 KiB. Already cached: 0 B. Download only.
Continue? [y/n/v/...? shows all options] (y): y
Retrieving: qemu-vgabios-1.16.2_3_gd478f380-2.1.noarch (openSUSE-Tumbleweed-Oss)                    (1/1), 163.8 KiB
Retrieving: qemu-vgabios-1.16.2_3_gd478f380-2.1.noarch.rpm .........................................[done (246.2 KiB/s)]

Checking for file conflicts: .....................................................................................[done]


Closing.
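
Added example, not part of the bug thread or of zypper: a shell check that compares a re-downloaded package against the full digest the repository metadata expects, rather than entering the 4-character unblock prefix. The function names digest_tool and verify_digest are hypothetical, and the hash algorithm is inferred from the digest length (128 hex characters, as in the warning above, is taken to mean SHA-512).

```shell
# Added example; digest_tool and verify_digest are hypothetical helper names.

# Pick the coreutils tool whose output length matches the expected hex digest.
digest_tool() {
    case "${#1}" in
        40)  echo sha1sum ;;
        64)  echo sha256sum ;;
        128) echo sha512sum ;;
        *)   return 1 ;;
    esac
}

# verify_digest FILE EXPECTED_HEX
# Returns 0 on match, 1 on mismatch, 2 when the input cannot be checked.
verify_digest() {
    vd_file=$1
    vd_expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')

    # Reject anything that is not a pure hex string.
    case "$vd_expected" in
        ''|*[!0-9a-f]*) echo "not a hex digest" >&2; return 2 ;;
    esac

    # A truncated prefix such as the 4-character unblock code is not a digest.
    vd_tool=$(digest_tool "$vd_expected") || {
        echo "unsupported digest length ${#vd_expected}" >&2
        return 2
    }

    [ -r "$vd_file" ] || { echo "cannot read $vd_file" >&2; return 2; }

    # Hash from stdin so odd file names cannot alter the tool's output format.
    vd_actual=$("$vd_tool" < "$vd_file" | cut -d' ' -f1)

    if [ "$vd_actual" = "$vd_expected" ]; then
        echo "OK $vd_tool $vd_file"
        return 0
    fi
    echo "MISMATCH $vd_tool $vd_file" >&2
    echo "  expected $vd_expected" >&2
    echo "  got      $vd_actual" >&2
    return 1
}

# Usage: verify_digest /path/to/package.rpm <full digest from the warning's "expected" line>
```

A return code of 1 on a fresh download means the file still differs from what the metadata expects and should be discarded.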