标题: "apt-get install"时遭遇"Hash Sum mismatch" 创建: 2018-06-01 16:39 更新: 2019-07-31 18:11 链接: https://scz.617.cn/unix/201806011639.txt 正在装ARM版的Debian 9.4。 $ vi /etc/apt/sources.list -------------------------------------------------------------------------- deb http://ftp.debian.org/debian/ stretch main non-free contrib deb-src http://ftp.debian.org/debian/ stretch main non-free contrib deb http://security.debian.org/debian-security stretch/updates main non-free contrib deb-src http://security.debian.org/debian-security stretch/updates main non-free contrib deb http://ftp.debian.org/debian/ stretch-updates main non-free contrib deb-src http://ftp.debian.org/debian/ stretch-updates main non-free contrib -------------------------------------------------------------------------- $ apt-get update -u $ apt-get install -------------------------------------------------------------------------- Get:1 http://security.debian.org/debian-security stretch/updates/main armhf libperl5.24 armhf 5.24.1-3+deb9u3 [2,859 kB] Err:1 http://security.debian.org/debian-security stretch/updates/main armhf libperl5.24 armhf 5.24.1-3+deb9u3 Hash Sum mismatch Hashes of expected file: - SHA256:6643caff8f9d653033c26efb60b786bc28224fb861156f77eb6d76aa41e74692 - SHA1:beb41a016e7d4c9fdfdb4a652afe78b3d2d1fc28 [weak] - MD5Sum:f9fc8d4da1fa5ba3cbf771687e9c3f41 [weak] - Filesize:2859010 [weak] Hashes of received file: - SHA256:a32c2cdc4fdf245fa6623e08e0938d2a40d0d48f27e37f25c2e5ec1c8311065b - SHA1:46a08c3d15be440391f03962e7058810e1262572 [weak] - MD5Sum:8e5c4b5fe58f18003d0fdcf82478aac4 [weak] - Filesize:2819404 [weak] Last modification reported: Mon, 23 Apr 2018 12:21:41 +0000 Fetched 2,819 kB in 4s (600 kB/s) E: Failed to fetch http://219.238.7.72/files/409100000BA7227D/mirrordirector.raspbian.org/raspbian/pool/main/p/perl/libperl5.24_5.24.1-3+deb9u3_armhf.deb Hash Sum mismatch Hashes of expected file: - SHA256:6643caff8f9d653033c26efb60b786bc28224fb861156f77eb6d76aa41e74692 - SHA1:beb41a016e7d4c9fdfdb4a652afe78b3d2d1fc28 [weak] - MD5Sum:f9fc8d4da1fa5ba3cbf771687e9c3f41 [weak] - Filesize:2859010 [weak] Hashes of received file: - SHA256:a32c2cdc4fdf245fa6623e08e0938d2a40d0d48f27e37f25c2e5ec1c8311065b - SHA1:46a08c3d15be440391f03962e7058810e1262572 [weak] - MD5Sum:8e5c4b5fe58f18003d0fdcf82478aac4 [weak] - Filesize:2819404 [weak] Last modification reported: Mon, 23 Apr 2018 12:21:41 +0000 E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing -------------------------------------------------------------------------- 错误信息表示,下载回来的文件大小、哈希值与预期不符。 219.238.x.x,眼熟不?过去我们将这一批IP称为"邪恶的Cache服务",针对它们可以 进行Cache投毒。其前世今身,有兴趣的自己去扒黑历史,此处不回顾、不展开。 这是正常的: $ curl -I http://security.debian.org/pool/updates/main/p/perl/libperl5.24_5.24.1-3+deb9u3_armhf.deb HTTP/1.1 200 OK Date: Fri, 01 Jun 2018 08:11:53 GMT Server: Apache X-Content-Type-Options: nosniff X-Frame-Options: sameorigin Referrer-Policy: no-referrer X-Xss-Protection: 1 Last-Modified: Fri, 13 Apr 2018 20:41:50 GMT ETag: "2ba002-569c0e6d5ea69" Accept-Ranges: bytes Content-Length: 2859010 Cache-Control: public, max-age=2592000 Expires: Fri, 01 Jun 2018 08:13:53 GMT X-Clacks-Overhead: GNU Terry Pratchett Content-Type: application/x-debian-package 这是由"邪恶的Cache服务"返回的: $ curl -I http://219.238.7.72/files/409100000BA7227D/mirrordirector.raspbian.org/raspbian/pool/main/p/perl/libperl5.24_5.24.1-3+deb9u3_armhf.deb HTTP/1.1 200 OK Server: nginx Date: Fri, 01 Jun 2018 07:41:07 GMT Content-Type: application/octet-stream Content-Length: 2819404 Last-Modified: Mon, 23 Apr 2018 12:21:41 GMT Connection: keep-alive Accept-Ranges: bytes 2011年的时候,至少这一批IP在其中: 219.239.26.0/24 218.249.165.0/24 124.193.109.0/24 话说当年非正常人类研究中心的被研究对象们,在研究这个邪恶的Cache服务时还下 载围观过若干不可描述的压缩包。 扯远了,回到正题,针对这次问题,我能想到的就是挂加密代理,或许有其他巧妙办 法,还请指点。 $ vi /etc/apt/apt.conf -------------------------------------------------------------------------- Acquire::http::proxy "http://:"; Acquire::https::proxy "https://:"; Acquire::socks::proxy "socks5://:"; -------------------------------------------------------------------------- $ apt-get install 实测无误。 刚才给逃离疯人院的前病友bluerust说这个坑,他说,这么多年过去了,我以为这种 缓冲投毒已经不再存在了。不知TK、小钻风等人看到这个,是否会回去翻看他们下载 围观过的若干不可描述的压缩包。我这么正经的人,跟他们几个不一样,当然只留了 一个EvilCache.py产生的result.txt,俱往矣。 2019-07-31 18:12 scz 可以用HTTPS $ aptitude install apt-transport-https $ vi /etc/apt/sources.list -------------------------------------------------------------------------- #deb http://ftp.debian.org/debian/ stretch main non-free contrib #deb-src http://ftp.debian.org/debian/ stretch main non-free contrib #deb http://ftp.debian.org/debian/ sid main non-free contrib #deb-src http://ftp.debian.org/debian/ sid main non-free contrib deb https://ftp.de.debian.org/debian/ sid main non-free contrib deb-src https://ftp.de.debian.org/debian/ sid main non-free contrib deb http://security.debian.org/debian-security stretch/updates main non-free contrib deb-src http://security.debian.org/debian-security stretch/updates main non-free contrib deb http://ftp.debian.org/debian/ stretch-updates main non-free contrib deb-src http://ftp.debian.org/debian/ stretch-updates main non-free contrib -------------------------------------------------------------------------- 注意,不是所有的源都支持HTTPS。 $ apt-get update -u -o Acquire::https::ftp.de.debian.org::Verify-Peer=false 如果不想在命令行上指定-o,可以修改apt.conf: $ vi /etc/apt/apt.conf -------------------------------------------------------------------------- Acquire::https::ftp.de.debian.org::Verify-Peer "false"; --------------------------------------------------------------------------