chef-boneyard / push-jobs-cookbook

Development repository for Chef Cookbook push-jobs
https://supermarket.chef.io/cookbooks/push-jobs
Apache License 2.0

Cookbook requires SHA-256, but our downloads page only provides SHA1 #31

Closed markan closed 8 years ago

markan commented 9 years ago

In https://github.com/chef/chef/issues/3302, a user notes that the cookbook requires a SHA256 checksum, but the web page provides a SHA1 instead.

Specifically the cookbook has the parameter:

node.set['push_jobs']['package_checksum'] = "a-sha256-checksum"

But the web page http://downloads.chef.io/push-jobs-client/redhat/#/ only provides SHA1.

The short term workaround is to download manually, verify the SHA1 checksum, compute the SHA256 checksum, and insert that into the cookbook. That is ugly.

We should change the cookbook to allow usage of SHA1, or (better) provide stronger checksums on the download page.

jai11 commented 9 years ago

Thanks,

For the time being, can you please let me know what the SHA256 is for this rpm?

https://opscode-private-chef.s3.amazonaws.com/el/6/x86_64/opscode-push-jobs-client-1.1.5-1.el6.x86_64.rpm

That will be of great help.

jai11 commented 9 years ago

Also, can you please let me know the exact workaround steps?

jtimberman commented 9 years ago

@manderson26 It's not really the cookbook that uses SHA256 specifically, it's Chef's remote_file resource. Early on we made a decision to use SHA256 as the checksums for file resources.

There are two things we need to do to resolve this "the right way", IMO:

We already have SHA256 checksums from omnitruck for other projects. I don't see a metadata endpoint for push-jobs-client though. It would be good, I think, to have the packages available through omnitruck. It would be best to install from Package Cloud of course, and then we don't need the remote_file/package dance, and can just enable the repo and install the package.

docwhat commented 9 years ago

@jtimberman and @manderson26 -- In addition, the .rpm isn't signed... which means if you put it in your own repository for easy distribution it can't be installed with gpgcheck=1 set. :cry:

alexpop commented 9 years ago

@jai11 and others looking after the SHA256 checksum. Here's how to get it from the command line in OSX:

[11:28:42 ~/chef-kits/chef]$ shasum -a 256 ./opscode-push-jobs-client-1.1.5-1.el6.x86_64.rpm
f5e6be32f60b689e999dcdceb102371a4ab21e5a1bb6fb69ff4b2243a7185d84  ./opscode-push-jobs-client-1.1.5-1.el6.x86_64.rpm

and CentOS:

[root@vagrant-local-linux ~]# cat /etc/redhat-release
CentOS release 6.6 (Final)
[root@vagrant-local-linux ~]# sha256sum ./opscode-push-jobs-client-1.1.5-1.el6.x86_64.rpm
f5e6be32f60b689e999dcdceb102371a4ab21e5a1bb6fb69ff4b2243a7185d84  ./opscode-push-jobs-client-1.1.5-1.el6.x86_64.rpm

mknapik commented 8 years ago

:+1: for adding SHA256 on the download page. :+1: :+1: for providing the package in native Linux distribution repositories.

mmzyk commented 8 years ago

The download page now provides the SHA256 checksum and this is no longer an issue.