DeFiCh / ain

DeFi Blockchain - enabling decentralized finance on Bitcoin
https://defichain.com
MIT License

Path inside SHA256 checksum file changed #2740

Open GuybrushX opened 9 months ago

GuybrushX commented 9 months ago

Steps to Reproduce

The upgrade will fail because the SHA256 file changed the path.

# 4.0.3:
124c0d5bb78193c05f7872bcd7a9fbf18d54cddf80b9bc1fffd1def582ef064e  ./defichain-4.0.0-x86_64-pc-linux-gnu.tar.gz

# 4.0.5:
c653c7591f26906fed1f766e7f3209657430de8466b26014b4c6cae42bfe5559  /__w/ain/ain/build/defichain-4.0.5-x86_64-pc-linux-gnu.tar.gz

-> Scary fact: it looks like nobody is checking the checksum of what they are downloading... This can easily become a really big issue in case compromised binaries are distributed for whatever reason.

luckythai commented 7 months ago

But you don't have to create the path /__w/ain/ain/build/ in your user directory and download the tar.gz there with wget. Run sha256 from any location. If you copy the sha256 file to that same location, you can keep using it as it is, even if newer versions no longer carry a path specification. The checksum is still valid and can also be verified after copying into the correct path.
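As an added example (not code from the DeFiCh/ain project or from either commenter), here is a POSIX shell function that checks a downloaded archive against a GNU-style checksum file while ignoring whatever directory the build machine recorded. `sha256sum -c` takes the recorded path literally, so with the 4.0.5 file it looks for `/__w/ain/ain/build/defichain-4.0.5-x86_64-pc-linux-gnu.tar.gz` and fails; matching on the file-name component only covers both the `./name` form from 4.0.3 and the `/__w/ain/ain/build/name` form from 4.0.5. The checksum file name `SHA256SUMS` and the function names are assumptions. One caveat: a checksum file fetched from the same place as the binary only catches corruption or a wrong file, not a compromised distribution point; for that the checksum file itself needs to be signed with a key obtained separately.

```shell
#!/bin/sh
# Path-independent verification of a GNU-style SHA256SUMS file.
# Added example; not part of the DeFiCh/ain project.

# Print the hex SHA-256 of a file, trying the usual tools in turn.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 -r "$1" | awk '{print $1}'
    fi
}

# verify_sha256 SUMS_FILE ARCHIVE
#   0  digest matches
#   1  digest mismatch (treat the download as untrusted)
#   2  unreadable input
#   3  no usable entry for ARCHIVE's file name in SUMS_FILE
verify_sha256() {
    sums_file=$1
    archive=$2
    want_name=$(basename "$archive")

    [ -r "$sums_file" ] || { echo "cannot read checksum file: $sums_file" >&2; return 2; }
    [ -r "$archive" ]   || { echo "cannot read archive: $archive" >&2; return 2; }

    # Match on the file-name component only, so "./x.tar.gz" and
    # "/__w/ain/ain/build/x.tar.gz" both resolve to "x.tar.gz".
    expected=$(awk -v name="$want_name" '
        NF >= 2 {
            hash = $1; path = $2
            sub(/^\*/, "", path)           # strip sha256sum binary-mode marker
            n = split(path, parts, "/")
            if (parts[n] == name) { print tolower(hash); exit }
        }' "$sums_file")

    [ -n "$expected" ] || { echo "no entry for $want_name in $sums_file" >&2; return 3; }
    case "$expected" in
        *[!0-9a-f]*) echo "malformed digest for $want_name" >&2; return 3 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "digest for $want_name is not 64 hex chars" >&2; return 3; }

    actual=$(sha256_of "$archive")
    if [ "$actual" = "$expected" ]; then
        echo "$want_name: OK"
        return 0
    fi
    echo "$want_name: FAILED" >&2
    echo "  expected $expected" >&2
    echo "  got      $actual" >&2
    return 1
}

# Usage, assuming the checksum file (name assumed) was downloaded next to the archive:
#   verify_sha256 ./SHA256SUMS ./defichain-4.0.5-x86_64-pc-linux-gnu.tar.gz || exit 1
```

The function returns distinct exit codes so an upgrade script can tell "wrong file name in the checksum file" (a packaging problem, as in this issue) apart from "digest mismatch" (stop, do not install) and act differently on each.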