lzap
October 9, 2023, 6:39am
1
Hello,
I noticed that the SHA256 sum of the release for Mac has changed from 71af7002692cc68b8f2a4e152bfbd0b9828e2e377fb26a57c642206ce4a5ebc6 to 0310ecf9c2168263e63e037a33a6d6d39d5f12199026a75b6867d53d54ebd9f2.
Just wanted to let you know in case this is an unexpected change (security breach):
% brew install defold
==> Downloading https://formulae.brew.sh/api/formula.jws.json
########################################################################################################################################## 100.0%
==> Downloading https://formulae.brew.sh/api/cask.jws.json
########################################################################################################################################## 100.0%
==> Downloading https://github.com/defold/defold/releases/download/1.6.0/Defold-x86_64-macos.dmg
==> Downloading from https://objects.githubusercontent.com/github-production-release-asset-2e65be/4315538/8972847d-eff8-4275-9d99-ab1e92fc3154?X-
########################################################################################################################################## 100.0%
Error: SHA256 mismatch
Expected: 71af7002692cc68b8f2a4e152bfbd0b9828e2e377fb26a57c642206ce4a5ebc6
Actual: 0310ecf9c2168263e63e037a33a6d6d39d5f12199026a75b6867d53d54ebd9f2
File: /Users/lzap/Library/Caches/Homebrew/downloads/7d53e77fa9f0af34e1eba435a760f41f43dc0c63d105c987fdfb03646e4e8611--Defold-x86_64-macos.dmg
To retry an incomplete download, remove the file above.
lzap
October 9, 2023, 6:49am
2
Also reported on the brew side:
opened 06:43AM - 09 Oct 23 UTC
### Verification
- [X] I understand that [if I ignore these instructions, my is… sue may be closed without review](https://github.com/Homebrew/homebrew-cask/blob/master/doc/faq/closing_issues_without_review.md).
- [X] I have retried my command with `--force`.
- [X] I ran `brew update-reset && brew update` and retried my command.
- [X] I ran `brew doctor`, fixed as many issues as possible and retried my command.
- [X] I have checked the instructions for [reporting bugs](https://github.com/Homebrew/homebrew-cask#reporting-bugs).
- [X] I made doubly sure this is not a [checksum does not match](https://docs.brew.sh/Common-Issues#cask---checksum-does-not-match) error.
### Description of issue
Something changed:
```
% brew install defold
==> Downloading https://formulae.brew.sh/api/formula.jws.json
########################################################################################################################################## 100.0%
==> Downloading https://formulae.brew.sh/api/cask.jws.json
########################################################################################################################################## 100.0%
==> Downloading https://github.com/defold/defold/releases/download/1.6.0/Defold-x86_64-macos.dmg
==> Downloading from https://objects.githubusercontent.com/github-production-release-asset-2e65be/4315538/8972847d-eff8-4275-9d99-ab1e92fc3154?X-
########################################################################################################################################## 100.0%
Error: SHA256 mismatch
Expected: 71af7002692cc68b8f2a4e152bfbd0b9828e2e377fb26a57c642206ce4a5ebc6
Actual: 0310ecf9c2168263e63e037a33a6d6d39d5f12199026a75b6867d53d54ebd9f2
File: /Users/lzap/Library/Caches/Homebrew/downloads/7d53e77fa9f0af34e1eba435a760f41f43dc0c63d105c987fdfb03646e4e8611--Defold-x86_64-macos.dmg
To retry an incomplete download, remove the file above.
```
Noticed Defold developers as well:
https://forum.defold.com/t/sha-changed-on-the-release/74454
Tried to redownload several times, not sure what is going on. @chenrui333
### Command that failed
brew install defold
### Output of command with `--verbose --debug`
```shell
% brew install defold --verbose --debug
/opt/homebrew/Library/Homebrew/brew.rb (Cask::CaskLoader::FromAPILoader): loading defold
==> Cask::Installer#install
==> Printing caveats
==> Cask::Installer#fetch
==> Downloading https://github.com/defold/defold/releases/download/1.6.0/Defold-x86_64-macos.dmg
/usr/bin/env /opt/homebrew/Library/Homebrew/shims/shared/curl --disable --cookie /dev/null --globoff --show-error --user-agent Homebrew/4.1.14\ \(Macintosh\;\ arm64\ Mac\ OS\ X\ 14.0\)\ curl/8.1.2 --header Accept-Language:\ en --retry 3 --fail --location --silent --head https://github.com/defold/defold/releases/download/1.6.0/Defold-x86_64-macos.dmg
Already downloaded: /Users/lzap/Library/Caches/Homebrew/downloads/7d53e77fa9f0af34e1eba435a760f41f43dc0c63d105c987fdfb03646e4e8611--Defold-x86_64-macos.dmg
==> Checking quarantine support
/usr/bin/env /usr/bin/xattr -h
/usr/bin/env /usr/bin/swift -target arm64-apple-macosx14 /opt/homebrew/Library/Homebrew/cask/utils/quarantine.swift
==> Quarantine is available.
==> Verifying Gatekeeper status of /Users/lzap/Library/Caches/Homebrew/downloads/7d53e77fa9f0af34e1eba435a760f41f43dc0c63d105c987fdfb03646e4e8611--Defold-x86_64-macos.dmg
/usr/bin/env /usr/bin/xattr -p com.apple.quarantine /Users/lzap/Library/Caches/Homebrew/downloads/7d53e77fa9f0af34e1eba435a760f41f43dc0c63d105c987fdfb03646e4e8611--Defold-x86_64-macos.dmg
==> /Users/lzap/Library/Caches/Homebrew/downloads/7d53e77fa9f0af34e1eba435a760f41f43dc0c63d105c987fdfb03646e4e8611--Defold-x86_64-macos.dmg is quarantined
==> Verifying checksum for '7d53e77fa9f0af34e1eba435a760f41f43dc0c63d105c987fdfb03646e4e8611--Defold-x86_64-macos.dmg'
Error: SHA256 mismatch
Expected: 71af7002692cc68b8f2a4e152bfbd0b9828e2e377fb26a57c642206ce4a5ebc6
Actual: 0310ecf9c2168263e63e037a33a6d6d39d5f12199026a75b6867d53d54ebd9f2
File: /Users/lzap/Library/Caches/Homebrew/downloads/7d53e77fa9f0af34e1eba435a760f41f43dc0c63d105c987fdfb03646e4e8611--Defold-x86_64-macos.dmg
To retry an incomplete download, remove the file above.
/opt/homebrew/Library/Homebrew/extend/pathname.rb:288:in `verify_checksum'
/opt/homebrew/Library/Homebrew/downloadable.rb:101:in `verify_download_integrity'
/opt/homebrew/Library/Homebrew/cask/download.rb:85:in `verify_download_integrity'
/opt/homebrew/Library/Homebrew/cask/download.rb:64:in `fetch'
/opt/homebrew/Library/Homebrew/cask/installer.rb:167:in `download'
/opt/homebrew/Library/Homebrew/cask/installer.rb:70:in `fetch'
/opt/homebrew/Library/Homebrew/cask/installer.rb:99:in `install'
/opt/homebrew/Library/Homebrew/cmd/install.rb:244:in `block in install'
/opt/homebrew/Library/Homebrew/cmd/install.rb:233:in `each'
/opt/homebrew/Library/Homebrew/cmd/install.rb:233:in `install'
/opt/homebrew/Library/Homebrew/brew.rb:86:in `<main>'
```
```
### Output of `brew doctor` and `brew config`
```shell
% brew config
HOMEBREW_VERSION: 4.1.14
ORIGIN: https://github.com/Homebrew/brew
HEAD: affc4c01aada2c973b63e084e7696e896edf2b7b
Last commit: 8 days ago
Core tap JSON: 09 Oct 06:33 UTC
HOMEBREW_PREFIX: /opt/homebrew
HOMEBREW_CASK_OPTS: []
HOMEBREW_MAKE_JOBS: 10
Homebrew Ruby: 2.6.10 => /System/Library/Frameworks/Ruby.framework/Versions/2.6/usr/bin/ruby
CPU: 10-core 64-bit arm_firestorm_icestorm
Clang: 15.0.0 build 1500
Git: 2.42.0 => /opt/homebrew/bin/git
Curl: 8.1.2 => /usr/bin/curl
macOS: 14.0-arm64
CLT: 15.0.0.0.1.1694021235
Xcode: N/A
Rosetta 2: false
```
### Output of `brew tap`
```shell
% brew tap
homebrew/services
```
Pkeod
October 9, 2023, 7:10am
3
This explains it. Both arm and intel have their own hashes there now.
Homebrew:master ← miccal:bump-defold-1.6.0
opened 06:49AM - 09 Oct 23 UTC
Created with `brew bump-cask-pr`.
1 Like
lzap
October 9, 2023, 7:30am
4
Ah sorry for the noise. Thanks.
1 Like
lzap
October 9, 2023, 1:56pm
5
Okay you will not believe this, but after the homebrew PR was merged 1.6.0 release installers got refreshed and this time they have a different SHA for real?!
% brew install defold
==> Downloading https://github.com/defold/defold/releases/download/1.6.0/Defold-arm64-macos.dmg
==> Downloading from https://objects.githubusercontent.com/github-production-release-asset-2e65be/4315538/f402804a-bb0a-4444-8832-d6648084929b?X-
########################################################################################################################################## 100.0%
Error: SHA256 mismatch
Expected: b2a8793c365eca55cbcfa0809c21aff414c2d35597a6706b7d67881c5c293468
Actual: 0314a6deb42d1a332f95a5f15876283cceea3b6fd8badd76b9537aa349c23f50
I can see there was an update few hours ago:
It happened around the same time when 1.6.1 alpha/beta got released. Maybe an accident? Or what am I doing wrong this time?
I’m not sure how that brew install script works, but perhaps it’s a misunderstanding from the maintainer’s side.
You could perhaps add an issue to that maintainers repo?
lzap
October 9, 2023, 2:03pm
7
Oh that is quite interesting workflow. This will make particularly difficult to do packages downstream (brew, linux packages etc). Does this only happen for the latest release? Like if downstream stays one minor version older, it would work.
It happens for the relevant channels (stable, beta and dev).
lzap
October 9, 2023, 2:08pm
9
Yeah thanks, we will either parse or disable SHA check alltogether. Thanks.
1 Like
