rhash is failing verification on the new release #1011

Closed
georgettica opened this issue Nov 22, 2021 · 15 comments
@georgettica

Describe the bug

I have a tool that pulls the YQ version and checks its rhash value for correctness. For some reason the latest one is failing (the order of the hashes is incorrect on my machine).

to test locally:

docker run --rm -it debian
apt update && apt install curl jq rhash -y
YQ_URL="https://api.github.com/repos/mikefarah/yq/releases/latest"
curl -sSLf -O $(curl -sSLf ${YQ_URL} -o - | jq -r '.assets[] | select(.name|test("linux_amd64$")) | .browser_download_url')
curl -sSLf $(curl -sSLf ${YQ_URL} -o - | jq -r '.assets[] | select(.name|test("checksums$")) | .browser_download_url') -o checksums
rhash -a -c <( grep '^yq_linux_amd64 ' checksums )

--( Verifying XXX )------------------------------------------------------
yq_linux_amd64                                      ERR
--------------------------------------------------------------------------------
Errors Occurred: Errors:1   Miss:0   Success:0   Total:1

Additional context
I tried to compare the versions and found there were 10 checksums that were in the "incorrect" location. I also checked with upstream rhash and that didn't solve the issue

please let me know if there is additional info missing

@georgettica
Author

it seems that the diff in the hashes-order returned

diff checksums_hashes_order <( rhash --list-hashes) 
29a30,31
> BLAKE2S
> BLAKE2B

@georgettica
Author

in a more specific output:

# diff <(rhash -a yq_linux_amd64 | sed 's/ \+/\n/g') <(grep '^yq_linux_amd64 ' checksums  | sed 's/ \+/\n/g')
23c23
< 9b420ccbf19c99e68c04d51b7ab664b31a2250ba0573b846a507f82141483916a33cfbb51bbd4a5e1482ad535e7db7c3b280830007d0310604cceff9a4eda300
---
> a6426a054e64df1c721cc007b9e755137765d1ea1218707c473cd3951211c08870beb66738c5d74f7077aa5370f333fd5973cc5a12d114838907c5299e9e683d
31,32d30
< d9ad31881b4696f4400d1b98cd16fecf6ef23b3ac126b586caba10a649b1c4ae
< 59f892c43fb341d118c788258e2302cd00696effc4810c94ae86a97d5a65c8d658ac2e1ca9cfdce5759b1ee23e81a250499472f7de63a844c1558d52bebfec9d

@mikefarah
Owner

That's annoying - which version of rhash are you using? I wonder if there's a way to specify the hash order given the checksum_hashes_order file that I generate.

That or perhaps you could use cut to select a specific hash (for the binary) and just check that - instead of checking them all.

@georgettica
Author

georgettica commented Nov 24, 2021

I found 1.4.0 worked :) the later ones did not (that was the best I could get :/

I had rhash in debian that failed, rhash in fedora that succeeded and rhash from source that failed

Rhash from source in the 1.4.0 branch succeeded

Also, I tried to remove hashes and I needed to cut more than 50% for it to succeed

Also, the test code I provided shows it fails (and runs in a container)

@georgettica
Author

@mikefarah ping?

@mikefarah
Owner

Pong! Sorry, been busy - looking at what the build process does, it apt-gets rhash, which gets the 1.3.9 version of rhash. Explains things. Let me see if I can bump it to the next version...

@mikefarah
Owner

Thinking on this more, I think it would be better if I supplied a little script to extract the type of hash you want for the file you want. That way, it won't depend on which version of rhash people are using (or if they are using another tool).

See https://github.com/mikefarah/yq/blob/master/scripts/extract-checksum.sh

I'll update the next release to include this in the assets - but feel free to give it a try now.

@mikefarah
Owner

So basically to validate you'd:

./extract-checksum.sh SHA-256 yq_linux_amd64.tar.gz | rhash -c -
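As an added example (not the project's extract-checksum.sh and not code from this thread), the same column extraction done with awk and sha256sum only, driven by the checksums_hashes_order file so it does not depend on the local rhash version's hash order. It assumes the checksums file has one line per asset, `<filename> <hash1> <hash2> ...`, and that checksums_hashes_order lists one hash name per line in that same order; the demo data is constructed, not a real release.

```shell
#!/bin/sh
# extract_checksum ORDER_FILE CHECKSUMS_FILE HASH_NAME ASSET_NAME
# Prints the digest of HASH_NAME for ASSET_NAME, looked up by position:
# the hash's line number in ORDER_FILE gives its column in CHECKSUMS_FILE.
extract_checksum() {
    order_file=$1; sums_file=$2; hash_name=$3; asset=$4
    # 1-based line number of the hash name in the order file
    col=$(awk -v h="$hash_name" '$0 == h { print NR; exit }' "$order_file")
    [ -n "$col" ] || { echo "unknown hash: $hash_name" >&2; return 1; }
    # column 1 of the checksums file is the filename, so add one
    awk -v a="$asset" -v c="$((col + 1))" \
        '$1 == a { print $c; exit }' "$sums_file"
}

# verify_asset ORDER_FILE CHECKSUMS_FILE ASSET_PATH
# Returns 0 only when the file's SHA-256 matches the listed digest.
verify_asset() {
    asset_path=$3
    name=$(basename "$asset_path")
    expected=$(extract_checksum "$1" "$2" SHA-256 "$name") || return 1
    [ -n "$expected" ] || { echo "no entry for $name" >&2; return 1; }
    actual=$(sha256sum "$asset_path" | cut -d' ' -f1)
    [ "$expected" = "$actual" ]
}

# demo_setup: writes constructed sample files into a temp dir and prints
# its path (the order file deliberately differs from rhash --list-hashes).
demo_setup() {
    dir=$(mktemp -d)
    printf 'demo-binary\n' > "$dir/yq_demo"
    printf 'CRC32\nMD5\nSHA-256\n' > "$dir/checksums_hashes_order"
    sha=$(sha256sum "$dir/yq_demo" | cut -d' ' -f1)
    printf 'yq_demo  deadbeef  %s  %s\n' \
        00000000000000000000000000000000 "$sha" > "$dir/checksums"
    echo "$dir"
}
```

For a real release, run `extract_checksum checksums_hashes_order checksums SHA-256 yq_linux_amd64.tar.gz` and compare the printed digest with `sha256sum yq_linux_amd64.tar.gz`.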

@georgettica
Author

I'll try and pull all of the checksums I have.
Thanks!

@georgettica
Author

Oh, can the script receive a list of checksums?

@mikefarah
Owner

What do you mean?

@georgettica
Author

I mean, between releases the hash list changed in some sort.
I would like to print the hashes in the new versions order
Or read hashes in the old order

@mikefarah
Owner

mikefarah commented Dec 10, 2021 via email

@mikefarah
Owner

The script is now available in 4.16.2

@sigwinch28

I don't like this. It feels like the equivalent of curl | bash... I have to run an unverified script in order to extract a checksum to verify the signature.
