GoogleCloudPlatform / docker-credential-gcr

A Docker credential helper for GCR users
https://gcr.io
Apache License 2.0

All v2.0.4 binaries have unexpected SHA256 checksums #88

Closed micolous closed 3 years ago

micolous commented 3 years ago

I downloaded all builds from https://github.com/GoogleCloudPlatform/docker-credential-gcr/releases/tag/v2.0.4, ran sha256sum over them, and got:

$ sha256sum docker-credential-gcr_*
fb37bc90831807ccfda115fa8fbc27fd6564f085c5eb258962b3582b60e1ea71  docker-credential-gcr_darwin_amd64-2.0.4.tar.gz
170b3ce008d33caaf2347fb39b8ad23e6e3d9b00790304f531e6a37564806f41  docker-credential-gcr_darwin_arm64-2.0.4.tar.gz
932a07a4a77741801f2d4067dcf113be4e27f54c525f618f2dee2799a00765d6  docker-credential-gcr_linux_386-2.0.4.tar.gz
4fca8441c41802f4bcc4912672c55d4b1232decb90639f8a684d3b389e4e6e91  docker-credential-gcr_linux_amd64-2.0.4.tar.gz
9276eab0d6da985f01f5f0d6d00313c9a49768d4eb0112b5fb8b4fdda07d1f7d  docker-credential-gcr_linux_arm64-2.0.4.tar.gz
2a4e825b63c845d2e96d6d871926ef9c51a95a62a288b1e05b06019ededc7bd9  docker-credential-gcr_windows_386-2.0.4.tar.gz
fa8bd855ba23e7668b48381e8ac7ba2b42c311ae3c26b0ab662d5b212b25255d  docker-credential-gcr_windows_amd64-2.0.4.tar.gz

The expected checksums according to that page are:

docker-credential-gcr_darwin_amd64-2.0.4.tar.gz | 18ea62cf5335102e54081707b1098b419bf2c513141886862dc6eff3035b4a51
docker-credential-gcr_darwin_arm64-2.0.4.tar.gz | 56ef380ff4bf0647303ddba5ba526b5f47cd4e5504289b4d401532f8146dfe99
docker-credential-gcr_linux_386-2.0.4.tar.gz | 4828b961b720ce4c920e343649c1eb6f79f6476e829c85e37134d274a71d4648
docker-credential-gcr_linux_amd64-2.0.4.tar.gz | 716dd54138618abefe02e40197240864500f204ca58668295c49d8a72efbaae1
docker-credential-gcr_linux_arm64-2.0.4.tar.gz | 4a697b7040429844e71529aea6bc76afb53f52542e33c81f44143c1b33820cbb
docker-credential-gcr_windows_386-2.0.4.tar.gz | 913e4820caafae8f2b67a48a84174bcb9d6fbf3f2bf6e24ce6ddf949903f9d2b
docker-credential-gcr_windows_amd64-2.0.4.tar.gz | ee817ca49baf29284e7cac4f68dd33f2ad545591c622e16317e38bceb7b1d33f

I tested this on my local machine, and from a brand-new "Google Cloud Container Optimised Linux" instance; both show the same result.

jonjohnsonjr commented 3 years ago

@Gridasov any idea?

Gridasov commented 3 years ago

Tried to investigate it - probably it was copy-paste from the previous version. Thank you - updated the hashes.

Gridasov commented 3 years ago

Actually found the root cause. The sha256 were correct - they are for the binaries inside the archive. After extraction try "sha256sum ./docker-credential-gcr" - this should give you the required checksum.

micolous commented 3 years ago

This is not fixed – the hashes on that page are still wrong (it just says "binary sha256sum", which is ambiguous as the sha256sum command has a --binary option).

I'm not aware of any open source project that publishes checksums for what is inside a tarball, rather than the tarball itself.

Please consider publishing a checksum file that can be checked with sha256sum -c and including it in your release process.

Gridasov commented 3 years ago

Updated the release scripts, next time you will not see the binaries checksums) Forgot to update the release notes - done.
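Added example, not part of the thread or the project's release scripts: a shell sketch of the distinction discussed above, telling apart a published digest that covers the tarball from one that covers the binary inside it, and producing a checksum file that `sha256sum -c` can verify. The archive is constructed on the spot; the function names and the `SHA256SUMS` file name are assumptions.

```shell
#!/bin/sh
# Added example: works on a constructed archive only, not on real release artifacts.
set -eu

# Digest of the archive as downloaded (this is what `sha256sum -c` checks).
archive_sha256() { sha256sum "$1" | cut -d' ' -f1; }

# Digest of one member inside the archive, streamed without unpacking to disk.
member_sha256() { tar -xzOf "$1" "$2" | sha256sum | cut -d' ' -f1; }

# Report what a published digest covers. Usage: classify_digest ARCHIVE MEMBER DIGEST
classify_digest() {
  if [ "$(archive_sha256 "$1")" = "$3" ]; then echo archive
  elif [ "$(member_sha256 "$1" "$2")" = "$3" ]; then echo member
  else echo mismatch; fi
}

# Release side: write digests of the tarballs themselves in `sha256sum -c` format.
write_sums() { (cd "$1" && sha256sum -- *.tar.gz > SHA256SUMS); }

# Consumer side: non-zero exit status if any listed archive does not match.
verify_sums() { (cd "$1" && sha256sum -c SHA256SUMS); }

# Walk through the situation from the thread with a constructed stand-in binary.
demo() {
  d=$(mktemp -d)
  printf 'constructed stand-in for the helper binary\n' > "$d/docker-credential-gcr"
  a="$d/example_linux_amd64-0.0.0.tar.gz"
  tar -czf "$a" -C "$d" docker-credential-gcr
  # A release note that lists the digest of the extracted binary, as in the thread:
  published=$(sha256sum "$d/docker-credential-gcr" | cut -d' ' -f1)
  echo "published digest covers: $(classify_digest "$a" docker-credential-gcr "$published")"
  write_sums "$d"
  verify_sums "$d"
  rm -rf "$d"
}
demo
```

Streaming the member through `tar -O` lets a consumer check an inner-binary digest before anything is written to disk, but only the archive-level `SHA256SUMS` file covers everything that will actually be unpacked.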