pagure

Clone

#3448 CHECKSUM on asc files are incorrect in freeipa project
Closed: Fixed 5 years ago Opened 5 years ago by rcritten.

Closed: Fixed
Reopen Issue

The checksums on the signatures (.asc) are incorrect in the freeipa project.

https://releases.pagure.org/freeipa/CHECKSUMS

A colleague has said that all of the signature checksums are off. Here are specifics for the latest release, 4.7.0:

From the link:
SHA256 (freeipa-4.7.0.tar.gz.asc) = c42611a5747c60f1ebebb8f40f0d99e76f90fe85b3e4fb776b0611e140112d1b
SHA512 (freeipa-4.7.0.tar.gz.asc) = c13fced1d485d513ae0bbbf7b0dfe74c913871d874d8150fb3a84b1b46aad6d071e7058ec950e34373d965955da36204c1a923c0d09f14f6a16ce262eb738e94

I see:

$ sha256sum freeipa-4.7.0.tar.gz.asc
eed9959a9e3a7ba3b91aa2a444163908610f41437e255137cc1389ef32f14e28 freeipa-4.7.0.tar.gz.asc
$ sha512sum freeipa-4.7.0.tar.gz.asc
7d6a224cc564bd96fa5bd4b89e4996b3b761348424d8719e2aea422371c53a5151c045666a7333d3ef081a3384a5c649096c1555f69312b66a38f14722b69725 freeipa-4.7.0.tar.gz.asc

On my laptop:

$ sha256sum freeipa-4.7.0.tar.gz.asc
eed9959a9e3a7ba3b91aa2a444163908610f41437e255137cc1389ef32f14e28  freeipa-4.7.0.tar.gz.asc

On the server:

# sha256sum freeipa-4.7.0.tar.gz.asc
eed9959a9e3a7ba3b91aa2a444163908610f41437e255137cc1389ef32f14e28  freeipa-4.7.0.tar.gz.asc

So, I think it's some in the python algorythm used: https://pagure.io/pagure/blob/master/f/pagure/lib/tasks.py#_784-820

Metadata Update from @pingou:
- Issue tagged with: bug
5 years ago

Test script:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
#!/usr/bin/python

# Run as: python <script> <target1> <target2>

import hashlib
import os
import sys


algos = {
    'sha256': hashlib.sha256(),
    'sha512': hashlib.sha512(),
}


for filename in sys.argv[1:]:
    # for each files computes the different algorythm supported
    with open(filename, "rb") as stream:
        while True:
            buf = stream.read(2 * 2 ** 10)
            if buf:
                for hasher in algos.values():
                    hasher.update(buf)
            else:
                break

    for algo in sorted(algos):
        print('%s (%s) = %s\n' % (
            algo.upper(), filename, algos[algo].hexdigest()))

Running it on my laptop:

$ python hash_files.py freeipa-4.7.0.tar.gz.asc
SHA256 (freeipa-4.7.0.tar.gz.asc) = eed9959a9e3a7ba3b91aa2a444163908610f41437e255137cc1389ef32f14e28
SHA512 (freeipa-4.7.0.tar.gz.asc) = 7d6a224cc564bd96fa5bd4b89e4996b3b761348424d8719e2aea422371c53a5151c045666a7333d3ef081a3384a5c649096c1555f69312b66a38f14722b69725

Running it on the server:

# python ~/hash_files.py ../freeipa/freeipa-4.7.0.tar.gz.asc
SHA256 (freeipa-4.7.0.tar.gz.asc) = eed9959a9e3a7ba3b91aa2a444163908610f41437e255137cc1389ef32f14e28
SHA512 (freeipa-4.7.0.tar.gz.asc) = 7d6a224cc564bd96fa5bd4b89e4996b3b761348424d8719e2aea422371c53a5151c045666a7333d3ef081a3384a5c649096c1555f69312b66a38f14722b69725

Conclusion: hmm....

I found it :)

(CHECKSUMS file re-generated for you, going to hotfix the fix in prod and submit a PR)

Commit 28a8734 fixes this issue

Login to comment on this ticket.

Metadata
None

bug

None
None
None
None
Related Pull Requests
  • #3450 Merged 5 years ago
Powered by Pagure 5.13.3
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.