SHA changed on the release [SOLVED]

lzap · October 9, 2023, 6:39am

Hello,

I noticed that the SHA256 sum of the release for Mac has changed from 71af7002692cc68b8f2a4e152bfbd0b9828e2e377fb26a57c642206ce4a5ebc6 to 0310ecf9c2168263e63e037a33a6d6d39d5f12199026a75b6867d53d54ebd9f2.

Just wanted to let you know in case this is an unexpected change (security breach):

 % brew install defold
==> Downloading https://formulae.brew.sh/api/formula.jws.json
########################################################################################################################################## 100.0%
==> Downloading https://formulae.brew.sh/api/cask.jws.json
########################################################################################################################################## 100.0%
==> Downloading https://github.com/defold/defold/releases/download/1.6.0/Defold-x86_64-macos.dmg
==> Downloading from https://objects.githubusercontent.com/github-production-release-asset-2e65be/4315538/8972847d-eff8-4275-9d99-ab1e92fc3154?X-
########################################################################################################################################## 100.0%
Error: SHA256 mismatch
Expected: 71af7002692cc68b8f2a4e152bfbd0b9828e2e377fb26a57c642206ce4a5ebc6
  Actual: 0310ecf9c2168263e63e037a33a6d6d39d5f12199026a75b6867d53d54ebd9f2
    File: /Users/lzap/Library/Caches/Homebrew/downloads/7d53e77fa9f0af34e1eba435a760f41f43dc0c63d105c987fdfb03646e4e8611--Defold-x86_64-macos.dmg
To retry an incomplete download, remove the file above.

lzap · October 9, 2023, 6:49am

Also reported on the brew side:

https://github.com/Homebrew/homebrew-cask/issues/157141

Pkeod · October 9, 2023, 7:10am

This explains it. Both arm and intel have their own hashes there now.

https://github.com/Homebrew/homebrew-cask/pull/157142/files

lzap · October 9, 2023, 7:30am

Ah sorry for the noise. Thanks.

lzap · October 9, 2023, 1:56pm

Okay you will not believe this, but after the homebrew PR was merged 1.6.0 release installers got refreshed and this time they have a different SHA for real?!

% brew install defold     
==> Downloading https://github.com/defold/defold/releases/download/1.6.0/Defold-arm64-macos.dmg
==> Downloading from https://objects.githubusercontent.com/github-production-release-asset-2e65be/4315538/f402804a-bb0a-4444-8832-d6648084929b?X-
########################################################################################################################################## 100.0%
Error: SHA256 mismatch
Expected: b2a8793c365eca55cbcfa0809c21aff414c2d35597a6706b7d67881c5c293468
  Actual: 0314a6deb42d1a332f95a5f15876283cceea3b6fd8badd76b9537aa349c23f50

I can see there was an update few hours ago:

It happened around the same time when 1.6.1 alpha/beta got released. Maybe an accident? Or what am I doing wrong this time?

Mathias_Westerdahl · October 9, 2023, 2:00pm

I’m not sure how that brew install script works, but perhaps it’s a misunderstanding from the maintainer’s side.
We continuously update the release, thus changing the sha1.

You could perhaps add an issue to that maintainers repo?

lzap · October 9, 2023, 2:03pm

Oh that is quite interesting workflow. This will make particularly difficult to do packages downstream (brew, linux packages etc). Does this only happen for the latest release? Like if downstream stays one minor version older, it would work.

Mathias_Westerdahl · October 9, 2023, 2:08pm

It happens for the relevant channels (stable, beta and dev).
The sha is stored in the release info in github, so should be easy enough to parse?

lzap · October 9, 2023, 2:08pm

Yeah thanks, we will either parse or disable SHA check alltogether. Thanks.