search

GeopJr / Collision

Check hashes for your files - A GUI tool to generate, compare and verify MD5, SHA-1, SHA-256, SHA-512, Blake3, CRC32 & Adler32 hashes.
https://collision.geopjr.dev
BSD 2-Clause "Simplified" License
146 stars 15 forks source link

[Bug]: Hash file check does not work in Collision #188

Closed CaptainMorgan12 closed 9 months ago

CaptainMorgan12 commented 9 months ago

Describe the bug

Could be a bug or feature. Not sure. Hash file check fails, tried multiple .iso or packaged image downloads of various linux distributions. Select file e.g. .iso, .img etc select sha256.sum text file. Observe it fails.

Steps To Reproduce

  1. download mint LMDE6
  2. save as sha256sum.txt
  3. save as sha256sum.txt.gpg
  4. open collision
  5. select hash tab and file downloaded in 2.
  6. select verify tab and file downloaded in 1.
  7. Verify

Fails sha256sum.txt

Logs and/or Screenshots

Screenshot from 2024-02-18 16-16-34

Operating System

Ubuntu 23.10 AMD64, Wayland

Package

Flatpak

Troubleshooting information

When i use NEMO and perform hash verification it succeeds. To make it work open sha256sum text file with hash corresponding to your downloaded iso: e7583d7428a36b54986d4bf29ebcc000f6959ee701c2379ca214fac6b32fe479 lmde-4-cinnamon-32bit.iso fb6fb4f507f1de979a8922f9e503ae0ad8109e87ea1a9a163a6b30f819971256 lmde-4-cinnamon-64bit.iso 1116d611be80ad496bdc5a7c0444f63564539891f2176f9b134ff9630c6b91c8 lmde-5-cinnamon-32bit.iso 8f351d30e97f3a9c3f3848fde781c7f3758abd0f8ddf120827d98a5832cfa027 lmde-5-cinnamon-64bit.iso *40a9988cc6edd253bff9fcab422aec1b2c81ab3aa4d34b91b08277592c5fab28 lmde-6-cinnamon-32bit.iso 96963cac1ac2ad4ba38414e618adbcdf64a6faadc33ddf53889fa3dc74d59df4 *lmde-6-cinnamon-64bit.iso

Select file and verify:

Succeeds

Additional Context

Collision: 3.7.1 I think what collision is doing is not verifying download against all hashes identified in the text file, and/or selecting the first, which doesnt match lmde-6.

What it should be doing is match the file name of downloaded file and parse the hash for the corresponding sha256 if more than one exists, as is the case for most downloaded repo image type files.

editing the sha256sum hash file to only have the following value: 40a9988cc6edd253bff9fcab422aec1b2c81ab3aa4d34b91b08277592c5fab28 also caused has verification failure so it could be a bug because I would think at least that works.

GeopJr commented 9 months ago

I'm currently downloading the iso to test it 1:1 but from the screenshot alone, the main issue I see is that you've opened the sha file and are testing it against the gpg file iso (?)

The workflow is supposed to be:

  1. You open the .iso with Collision
  2. You go to the Verify tab
  3. Select either another .iso file you want to check against or a file that has a list of hashes to check against (in your case you want to choose the sha256sum.txt)
GeopJr commented 9 months ago

I think you just did it in reverse, you are basically checking if the hash of sha256sum.txt (not the hashes inside it) match the .iso, when it should be the other way around (by opening the .iso as the main file)

GeopJr commented 9 months ago

image

CaptainMorgan12 commented 9 months ago

Ok got it so it is user error sorry about that. I was assuming the hash tab is for the hash file, from a UI perspective I was moving left to right, but selected the wrong file. I can confirm it worked when generating .iso hash and checking it against the sha256sum.text file as well.

GeopJr commented 9 months ago

Don't worry about it, it seems that it needs improvement, thanks for bringing it up!

CaptainMorgan12 commented 9 months ago

I think that would be easy to fix with a title change in "verify" tab instead of "File" maybe "Hash File" or something along those lines.