From: Danilo Bargen <mail@dbrgn.ch>
To: buildroot@buildroot.org
Subject: [Buildroot] Hash verification from GitHub
Date: Sun, 16 Jan 2022 23:04:04 +0100
Message-ID: <20220116230404.71f68dbb@c3po>

Hello folks

I'm trying to create a new buildroot package (my first one). This is
what the makefile (tealdeer.mk) looks like:

  TEALDEER_VERSION = 1.5.0
  TEALDEER_SITE = $(call github,dbrgn,tealdeer,v$(TEALDEER_VERSION))
  TEALDEER_LICENSE = Apache-2.0 or MIT
  TEALDEER_LICENSE_FILES = LICENSE-APACHE LICENSE-MIT
  $(eval $(cargo-package))

The URL should expand to
https://github.com/dbrgn/tealdeer/archive/v1.5.0/tealdeer-1.5.0.tar.gz.
To generate the checksum, I ran:

  $ sha256sum tealdeer-1.5.0.tar.gz
  00902a50373ab75fedec4578c6c2c02523fad435486918ad9a86ed01f804358a  tealdeer-1.5.0.tar.gz

I also added a hash file (tealdeer.hash):

  # Locally generated
  sha256  00902a50373ab75fedec4578c6c2c02523fad435486918ad9a86ed01f804358a  tealdeer-1.5.0.tar.gz
  sha256  62c7a1e35f56406896d7aa7ca52d0cc0d272ac022b5d2796e7d6905db8a3636a  LICENSE-APACHE
  sha256  a313b5e62b80a08f3aae0fa62ff3de8482ef55247299eb352ab44f87ef456b1b  LICENSE-MIT

When building this package, checksum verification fails every time.

  ERROR: tealdeer-1.5.0.tar.gz has wrong sha256 hash:
  ERROR: expected: 00902a50373ab75fedec4578c6c2c02523fad435486918ad9a86ed01f804358a
  ERROR: got     : 42febf9ee84721b9230077d62e2fc51201fd59624d3c776ccc1a634788768a60
  ERROR: Incomplete download, or man-in-the-middle (MITM) attack

No matter how I download the file (via wget, through the GitHub web UI,
etc.), it always results in the SHA256 checksum starting with 009...,
but buildroot always thinks it should be 42f... I also tried changing
the TEALDEER_SITE variable as follows:

  TEALDEER_SITE = https://github.com/dbrgn/tealdeer/archive/v$(TEALDEER_VERSION)

...to ensure that this URL is *really* being downloaded, but it fails
every time.

Full build log can be found here:
https://gist.github.com/dbrgn/cc9e96051a079f5b63c531ca3c195954

Does someone have any pointers why the hash verification would fail in
this case? It must be some obvious mistake I'm making, but I cannot
figure out what it is.

Best regards,
Danilo Bargen
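
An added example, not part of the original message and not Buildroot's own code: a small Python checker that parses a hash file in the format shown above and reports the expected versus the computed digest for each listed file in a chosen directory, so the same check can be pointed at any copy of the tarball to see which one yields which digest. The function names and the sample data are assumptions constructed for illustration.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def parse_hash_file(text):
    """Yield (algo, digest, filename) from '<algo>  <hex>  <filename>' lines."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # blank line or comment
            continue
        fields = line.split()
        if len(fields) != 3 or fields[0] not in hashlib.algorithms_available:
            raise ValueError(f"line {lineno}: unrecognised entry: {raw!r}")
        yield fields[0], fields[1].lower(), fields[2]


def file_digest(path, algo):
    """Hash the file in chunks so large tarballs are not read into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check(hash_text, directory):
    """Return {filename: (status, expected, got)}; status is ok/mismatch/missing."""
    results = {}
    for algo, expected, name in parse_hash_file(hash_text):
        path = Path(directory) / name
        if not path.is_file():
            results[name] = ("missing", expected, None)
            continue
        got = file_digest(path, algo)
        status = "ok" if hmac.compare_digest(expected, got) else "mismatch"
        results[name] = (status, expected, got)
    return results


if __name__ == "__main__":
    # Constructed sample data: a stand-in file and a hash file that lists it.
    with tempfile.TemporaryDirectory() as d:
        Path(d, "example-1.0.tar.gz").write_bytes(b"constructed sample bytes")
        good = hashlib.sha256(b"constructed sample bytes").hexdigest()
        hashes = f"# Locally generated\nsha256  {good}  example-1.0.tar.gz\n"
        for name, (status, expected, got) in check(hashes, d).items():
            print(f"{name}: {status}\n  expected: {expected}\n  got     : {got}")
```

Running `check()` once against the directory holding the manually downloaded file and once against the directory the build downloaded into shows whether the two are byte-identical.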