SHA changed on the release [SOLVED]

lzap · October 9, 2023, 12:46pm

Hello,

I noticed that the SHA256 sum of the release for Mac has changed from 71af7002692cc68b8f2a4e152bfbd0b9828e2e377fb26a57c642206ce4a5ebc6 to 0310ecf9c2168263e63e037a33a6d6d39d5f12199026a75b6867d53d54ebd9f2.

Just wanted to let you know in case this is an unexpected change (security breach):

 % brew install defold
==> Downloading https://formulae.brew.sh/api/formula.jws.json
########################################################################################################################################## 100.0%
==> Downloading https://formulae.brew.sh/api/cask.jws.json
########################################################################################################################################## 100.0%
==> Downloading https://github.com/defold/defold/releases/download/1.6.0/Defold-x86_64-macos.dmg
==> Downloading from https://objects.githubusercontent.com/github-production-release-asset-2e65be/4315538/8972847d-eff8-4275-9d99-ab1e92fc3154?X-
########################################################################################################################################## 100.0%
Error: SHA256 mismatch
Expected: 71af7002692cc68b8f2a4e152bfbd0b9828e2e377fb26a57c642206ce4a5ebc6
  Actual: 0310ecf9c2168263e63e037a33a6d6d39d5f12199026a75b6867d53d54ebd9f2
    File: /Users/lzap/Library/Caches/Homebrew/downloads/7d53e77fa9f0af34e1eba435a760f41f43dc0c63d105c987fdfb03646e4e8611--Defold-x86_64-macos.dmg
To retry an incomplete download, remove the file above.

lzap · October 9, 2023, 6:49am

Also reported on the brew side:

github.com/Homebrew/homebrew-cask

Defold 1.6.0 SHA256 changed

opened 06:43AM - 09 Oct 23 UTC

lzap

### Verification - [X] I understand that [if I ignore these instructions, my is…sue may be closed without review](https://github.com/Homebrew/homebrew-cask/blob/master/doc/faq/closing_issues_without_review.md). - [X] I have retried my command with `--force`. - [X] I ran `brew update-reset && brew update` and retried my command. - [X] I ran `brew doctor`, fixed as many issues as possible and retried my command. - [X] I have checked the instructions for [reporting bugs](https://github.com/Homebrew/homebrew-cask#reporting-bugs). - [X] I made doubly sure this is not a [checksum does not match](https://docs.brew.sh/Common-Issues#cask---checksum-does-not-match) error. ### Description of issue Something changed: ``` % brew install defold ==> Downloading https://formulae.brew.sh/api/formula.jws.json ########################################################################################################################################## 100.0% ==> Downloading https://formulae.brew.sh/api/cask.jws.json ########################################################################################################################################## 100.0% ==> Downloading https://github.com/defold/defold/releases/download/1.6.0/Defold-x86_64-macos.dmg ==> Downloading from https://objects.githubusercontent.com/github-production-release-asset-2e65be/4315538/8972847d-eff8-4275-9d99-ab1e92fc3154?X- ########################################################################################################################################## 100.0% Error: SHA256 mismatch Expected: 71af7002692cc68b8f2a4e152bfbd0b9828e2e377fb26a57c642206ce4a5ebc6 Actual: 0310ecf9c2168263e63e037a33a6d6d39d5f12199026a75b6867d53d54ebd9f2 File: /Users/lzap/Library/Caches/Homebrew/downloads/7d53e77fa9f0af34e1eba435a760f41f43dc0c63d105c987fdfb03646e4e8611--Defold-x86_64-macos.dmg To retry an incomplete download, remove the file above. ``` Noticed Defold developers as well: https://forum.defold.com/t/sha-changed-on-the-release/74454 Tried to redownload several times, not sure what is going on. @chenrui333 ### Command that failed brew install defold ### Output of command with `--verbose --debug` ```shell % brew install defold --verbose --debug /opt/homebrew/Library/Homebrew/brew.rb (Cask::CaskLoader::FromAPILoader): loading defold ==> Cask::Installer#install ==> Printing caveats ==> Cask::Installer#fetch ==> Downloading https://github.com/defold/defold/releases/download/1.6.0/Defold-x86_64-macos.dmg /usr/bin/env /opt/homebrew/Library/Homebrew/shims/shared/curl --disable --cookie /dev/null --globoff --show-error --user-agent Homebrew/4.1.14\ \(Macintosh\;\ arm64\ Mac\ OS\ X\ 14.0\)\ curl/8.1.2 --header Accept-Language:\ en --retry 3 --fail --location --silent --head https://github.com/defold/defold/releases/download/1.6.0/Defold-x86_64-macos.dmg Already downloaded: /Users/lzap/Library/Caches/Homebrew/downloads/7d53e77fa9f0af34e1eba435a760f41f43dc0c63d105c987fdfb03646e4e8611--Defold-x86_64-macos.dmg ==> Checking quarantine support /usr/bin/env /usr/bin/xattr -h /usr/bin/env /usr/bin/swift -target arm64-apple-macosx14 /opt/homebrew/Library/Homebrew/cask/utils/quarantine.swift ==> Quarantine is available. ==> Verifying Gatekeeper status of /Users/lzap/Library/Caches/Homebrew/downloads/7d53e77fa9f0af34e1eba435a760f41f43dc0c63d105c987fdfb03646e4e8611--Defold-x86_64-macos.dmg /usr/bin/env /usr/bin/xattr -p com.apple.quarantine /Users/lzap/Library/Caches/Homebrew/downloads/7d53e77fa9f0af34e1eba435a760f41f43dc0c63d105c987fdfb03646e4e8611--Defold-x86_64-macos.dmg ==> /Users/lzap/Library/Caches/Homebrew/downloads/7d53e77fa9f0af34e1eba435a760f41f43dc0c63d105c987fdfb03646e4e8611--Defold-x86_64-macos.dmg is quarantined ==> Verifying checksum for '7d53e77fa9f0af34e1eba435a760f41f43dc0c63d105c987fdfb03646e4e8611--Defold-x86_64-macos.dmg' Error: SHA256 mismatch Expected: 71af7002692cc68b8f2a4e152bfbd0b9828e2e377fb26a57c642206ce4a5ebc6 Actual: 0310ecf9c2168263e63e037a33a6d6d39d5f12199026a75b6867d53d54ebd9f2 File: /Users/lzap/Library/Caches/Homebrew/downloads/7d53e77fa9f0af34e1eba435a760f41f43dc0c63d105c987fdfb03646e4e8611--Defold-x86_64-macos.dmg To retry an incomplete download, remove the file above. /opt/homebrew/Library/Homebrew/extend/pathname.rb:288:in `verify_checksum' /opt/homebrew/Library/Homebrew/downloadable.rb:101:in `verify_download_integrity' /opt/homebrew/Library/Homebrew/cask/download.rb:85:in `verify_download_integrity' /opt/homebrew/Library/Homebrew/cask/download.rb:64:in `fetch' /opt/homebrew/Library/Homebrew/cask/installer.rb:167:in `download' /opt/homebrew/Library/Homebrew/cask/installer.rb:70:in `fetch' /opt/homebrew/Library/Homebrew/cask/installer.rb:99:in `install' /opt/homebrew/Library/Homebrew/cmd/install.rb:244:in `block in install' /opt/homebrew/Library/Homebrew/cmd/install.rb:233:in `each' /opt/homebrew/Library/Homebrew/cmd/install.rb:233:in `install' /opt/homebrew/Library/Homebrew/brew.rb:86:in `<main>' ``` ``` ### Output of `brew doctor` and `brew config` ```shell % brew config HOMEBREW_VERSION: 4.1.14 ORIGIN: https://github.com/Homebrew/brew HEAD: affc4c01aada2c973b63e084e7696e896edf2b7b Last commit: 8 days ago Core tap JSON: 09 Oct 06:33 UTC HOMEBREW_PREFIX: /opt/homebrew HOMEBREW_CASK_OPTS: [] HOMEBREW_MAKE_JOBS: 10 Homebrew Ruby: 2.6.10 => /System/Library/Frameworks/Ruby.framework/Versions/2.6/usr/bin/ruby CPU: 10-core 64-bit arm_firestorm_icestorm Clang: 15.0.0 build 1500 Git: 2.42.0 => /opt/homebrew/bin/git Curl: 8.1.2 => /usr/bin/curl macOS: 14.0-arm64 CLT: 15.0.0.0.1.1694021235 Xcode: N/A Rosetta 2: false ``` ### Output of `brew tap` ```shell % brew tap homebrew/services ```

Pkeod · October 9, 2023, 7:10am

This explains it. Both arm and intel have their own hashes there now.

lzap · October 9, 2023, 7:30am

Ah sorry for the noise. Thanks.

lzap · October 9, 2023, 1:56pm

Okay you will not believe this, but after the homebrew PR was merged 1.6.0 release installers got refreshed and this time they have a different SHA for real?!

% brew install defold     
==> Downloading https://github.com/defold/defold/releases/download/1.6.0/Defold-arm64-macos.dmg
==> Downloading from https://objects.githubusercontent.com/github-production-release-asset-2e65be/4315538/f402804a-bb0a-4444-8832-d6648084929b?X-
########################################################################################################################################## 100.0%
Error: SHA256 mismatch
Expected: b2a8793c365eca55cbcfa0809c21aff414c2d35597a6706b7d67881c5c293468
  Actual: 0314a6deb42d1a332f95a5f15876283cceea3b6fd8badd76b9537aa349c23f50

I can see there was an update few hours ago:

It happened around the same time when 1.6.1 alpha/beta got released. Maybe an accident? Or what am I doing wrong this time?

Mathias_Westerdahl · October 9, 2023, 2:00pm

I’m not sure how that brew install script works, but perhaps it’s a misunderstanding from the maintainer’s side.
We continuously update the release, thus changing the sha1.

You could perhaps add an issue to that maintainers repo?

lzap · October 9, 2023, 2:03pm

Oh that is quite interesting workflow. This will make particularly difficult to do packages downstream (brew, linux packages etc). Does this only happen for the latest release? Like if downstream stays one minor version older, it would work.

Mathias_Westerdahl · October 9, 2023, 2:08pm

It happens for the relevant channels (stable, beta and dev).
The sha is stored in the release info in github, so should be easy enough to parse?

lzap · October 9, 2023, 2:08pm

Yeah thanks, we will either parse or disable SHA check alltogether. Thanks.