bad signature for PERC6/i firmware update?
Alexander Dupuy
alex.dupuy at mac.com
Thu Jul 23 09:11:50 CDT 2009
My thanks to the people at Dell (at least seven of whom were involved in
looking into this). I re-downloaded again today, and this time the copy
was indeed different (and now passes signature verification).
Looking at a diff of the two files (passed through iconv -f UTF-16BE -t
UTF-8, for readability), it seems that the version I downloaded a few
days ago was a (cached?) copy of an earlier (pre-release?) version of
this DUP:
> - <SoftwareComponent schemaVersion="1.0" packageID="R216024" releaseID="R216024" dateTime="2009-04-03T16:25:28-05:00" releaseDate="April 03, 2009" vendorVersion="6.2.0-0013" dellVersion="A11" packageType="LLXP" xmlGenVersion="1.0.3376">
> + <SoftwareComponent schemaVersion="1.0" packageID="R216024" releaseID="R216024" dateTime="2009-04-28T19:58:45-05:00" releaseDate="April 28, 2009" vendorVersion="6.2.0-0013" dellVersion="A11" packageType="LLXP" xmlGenVersion="1.0.3376">
> - <Display lang="en"><![CDATA[1. Improved disk medium error correction in certain scenarios.
> + <Display lang="en"><![CDATA[1. Enhanced disk IO performance in multiple SAS and SATA configurations.
> - 2. Improved handling of faulty backplanes and enclosures.
> + 2. Improved random IO performance.
>
[there's more of this - anyone who is interested in the details let me know]
Anyhow, the problem is now solved - thanks for all your help. If
nothing else, this does demonstrate the usefulness of verifying the
signatures when downloading DUPs!
@alex
Michael_E_Brown at Dell.com wrote:
> He probably has a bad download (even though he said he downloaded several times). If the download program is corrupting it (say, downloading in ascii mode), then it doesn't matter how many times it gets downloaded.
>
> $ gpg --verify RAID_FRMW_LX_R216024.BIN.sign RAID_FRMW_LX_R216024.BIN
> gpg: Signature made Thu 18 Jun 2009 04:24:20 PM CDT using DSA key ID 23B66A9D
> gpg: Good signature from "Dell, Inc. (Product Group) <linux-security at dell.com>"
> gpg: aka "Dell Computer Corporation (Linux Systems Group) <linux-security at dell.com>"
>
> --
> Michael
>
> -----Original Message-----
> From: Cao, Yong
> Sent: Wednesday, July 22, 2009 2:19 PM
> To: Qian, Angela; Wagner, Leslie A
> Cc: Yuan, Lynn
> Subject: RE: bad signature for PERC6/i firmware update?
>
> The Linux DUP and signature file are both good on ftp. See my attached screenshot.
>
> From "md5sum.jpg", you will see that the MD5 hash of the DUP I downloaded is different from Alex's.
>
> I think either Alex got a tampered DUP or ftp.dell.com had problems while he was downloading the DUP.
>
>
--
mailto:alex.dupuy at mac.com
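
As an added example (not part of the original thread, and not Dell's tooling): a POSIX shell wrapper around the `gpg --verify` call quoted above that also checks which key made the signature, since `gpg --verify` exits successfully for a good signature from any key in the local keyring. The function names and the pinned-fingerprint argument are assumptions; the real fingerprint has to come from the vendor out of band.

```shell
#!/bin/sh
# Added example: accept a DUP only when gpg reports a valid detached
# signature made by one pinned key fingerprint.

# check_status PINNED_FPR
# Reads `gpg --status-fd` lines on stdin. Succeeds only if a VALIDSIG line
# carries PINNED_FPR and no line reports a bad, unverifiable, expired or
# revoked signature. A stale or corrupted download ends up as BADSIG here.
check_status() {
    # Normalise the pinned value: strip spaces, upper-case the hex digits.
    _want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$_want" ] || return 2
    _ok=1
    # The "|| [ -n ... ]" keeps a final line that lacks a trailing newline.
    while read -r _tag _kw _fpr _rest || [ -n "$_tag" ]; do
        [ "$_tag" = "[GNUPG:]" ] || continue
        case "$_kw" in
            BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)
                return 1 ;;
            VALIDSIG)
                # First field after VALIDSIG is the signing key's fingerprint.
                if [ "$_fpr" = "$_want" ]; then _ok=0; else return 1; fi ;;
        esac
    done
    return "$_ok"
}

# verify_dup FILE SIGNATURE PINNED_FPR
# Runs gpg with machine-readable status on stdout and lets check_status
# decide; gpg's own human-readable output and exit code are not trusted.
verify_dup() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null | check_status "$3"
}

# Usage (the fingerprint is a placeholder, not Dell's real one):
#   verify_dup RAID_FRMW_LX_R216024.BIN RAID_FRMW_LX_R216024.BIN.sign \
#       "<40-hex-digit fingerprint obtained out of band>" || echo "do not run"
```
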