Checksums not to be found? #2826
Comments
I had a quick look at https://github.com/balena-io/etcher/releases/tag/v1.5.45 and it seems like there are checksums inside the @zvin Maybe it'd be useful to have the CI process collate them into a single
A central location would be ideal, but that's not the checksum in latest.yml, it's the checksum in binary piped through base64. This is the sha512 checksum : The value in latest.yml is the checksum (in binary) encoded in base64 :
IMO, ideally the
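An added example, not code from this thread or from the Etcher project: it converts between the two encodings described in the comment above (hex as printed by sha512sum, and base64 of the binary digest as stored in latest.yml) and checks a file against either form. The sample file and the function names are constructed for illustration.

```python
import base64, binascii, hashlib, hmac, os, tempfile

def sha512_raw(path, chunk_size=1 << 20):
    """Stream the file and return its raw 64-byte SHA-512 digest."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.digest()

def decode_published(value):
    """Return the raw digest from a published SHA-512 given either as
    128 hex characters (sha512sum output) or as base64 of the binary
    digest (the latest.yml form described in the comment above)."""
    value = value.strip()
    # Try hex first: 128 hex characters are also valid base64 text.
    if len(value) == 128:
        try:
            return bytes.fromhex(value)
        except ValueError:
            pass
    try:
        raw = base64.b64decode(value, validate=True)
    except binascii.Error as exc:
        raise ValueError("value is neither hex nor base64") from exc
    if len(raw) != 64:
        raise ValueError("decoded value is not a 64-byte SHA-512 digest")
    return raw

def b64_to_hex(value):
    """Convert the base64 form to the hex string sha512sum would print."""
    return decode_published(value).hex()

def verify(path, published):
    """Constant-time comparison of the file's digest with the published one."""
    return hmac.compare_digest(sha512_raw(path), decode_published(published))

def demo():
    # Constructed sample file standing in for a downloaded release asset.
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"constructed sample, not a real release binary\n")
    try:
        raw = sha512_raw(f.name)
        as_hex, as_b64 = raw.hex(), base64.b64encode(raw).decode()
        return as_hex, as_b64, verify(f.name, as_hex), verify(f.name, as_b64)
    finally:
        os.unlink(f.name)

if __name__ == "__main__":
    print(demo())
```

A matching digest only shows the file is the one the digest was computed from; it says nothing about who published the digest, so fetch the published value over a channel you trust.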
[robertgzr] This issue has attached support thread https://jel.ly.fish/#/support-thread~a8289a98-5d41-46d0-becd-146936f96705
[gelbal] This issue has attached support thread https://jel.ly.fish/0c3da8aa-fa70-453b-a0b7-96aeab0abf5c
Looking at the
[thundron] This issue has attached support thread https://jel.ly.fish/50cb2ddc-2029-49ac-ba0a-52b5b98f9ee5
Can there just be a page where you can view the checksums?
What's the big deal? Such a trivial thing to post checksums along with the releases... On macOS I can only see a sha512 for a zip file, not the actual .dmg file. Fix this please, it's trivial.
How do I verify the balenaEtcher hash?
Please provide SHA256 checksum files, it can be an automated step during build.
VSCodium what is it? Is it like VIM? @balena-ci @balena-deploy hire me, I will do this dirty work for minimum wage coz I dig your products and would love to work more on them! :)) one call and you’ll see?
Someone over there thinks it's a good idea to obfuscate hashes with base64... or just use base64 as a "hash"... I don't see any clear instructions on how the .yml values are generated, so I can't even reproduce whatever that value is (let alone verify that process actually purports to do what they intend). So whatever the .yml values are there for, it's a waste of time. I can't trust the integrity of your binaries and I seriously doubt the security competence of whoever thought this was a good idea. It takes all of what, 10 minutes to generate and post legitimate hashes of all your stuff? If you don't value the trust of your users, I wish you a speedy failure and may a more trustworthy utility absorb your user base.
@sadtank thanks for your input. You're entitled to your opinion but this is not a forum or IRC -- please be civil and refrain from posting unconstructive comments.
Been a documented issue for 3 ish years? What's being done? Posting hashes? Working on signatures? Will you (they) post how to derive the encoded value in the .yml files?
Not sure what the expectation is here -- that someone at balena should jump to cater to every issue reported? Evidently, it is currently not a priority, thus it isn't being worked on. Honestly, we've got much bigger fish to fry. If it's so annoying to you, please take a moment or two and share a PR. Again, this is not a forum for lightweight discussion -- if this continues I'll lock the issue since clearly there's not much further to discuss than "this feature does not exist, please add it".
It's not really a feature though... It's really a 5 minute operation as part of publishing a new version. So instead of tracking here as a dev issue maybe it's a simple process improvement... Won't be hard to add that to the publishing process, right? No dev needed. It's a long shot: As a member, would you be able to run a single command for me against a known-good binary on your end... that would be something. Can you attest that one/both of these hashes are valid for this image? (Or post those of any other recent x64 linux version?)
$ sha256sum balenaEtcher-1.18.11-x64.AppImage
$ sha512sum balenaEtcher-1.18.11-x64.AppImage
I would keep the sha256 or sha512 hashes in a normal hash file (NOT base64 encoded) in plaintext. Format being, for example:
Open a PR to fix your CI? Might work if you’re using github actions I guess (not sure and not on pc to check right now).
I donnow... the timeline of this issue, these answers... almost like they don't want our trust... lol. oops, sorry, not an IRC...
lm tell you a secret - this is actually a netcat chat over websockets!
Thanks for your input folks -- point taken. We'll take a look as soon as we get a chance. I'm locking this convo.
Hello, there are a few references to verifying these releases in different issues, but the current release's checksum is either an HTTP 406 error or Not Found.
https://github.com/balena-io/etcher/releases/download/v1.5.45/SHASUMS256.txt
Are the checksums still on GitHub? If so, where?