
Podman: A tool for managing OCI containers and pods.
https://podman.io
Apache License 2.0

SHA digests for *.pkg files are missing from shasums file in 5.1.0 release #22887

Open dgolovin opened 1 month ago

dgolovin commented 1 month ago

Issue Description

Cannot verify SHA digest after downloading packages for macOS from podman 5.1.0 release.

Steps to reproduce the issue

  1. Open the shasums file
  2. Search for .pkg

Describe the results you received

Can't find SHA256 sum for podman-installer-macos-amd64.pkg in:
496841ceb22fd418be966bd6ffc442d4c7ea130206c8e59678c0483371225e06  podman-remote-release-darwin_amd64.zip
509d565ed2d649965e2c9c604783207b5a504c2560385318279dd6863aa5df4f  podman-remote-release-darwin_arm64.zip
8e41862ebe5acaac703176d9e862600efef588976e3a40efb96e73c7198ec1e3  podman-remote-release-windows_amd64.zip
390b469745da1560d89abd45e5cc0b84484585b255465845020b0785bb30c51a  podman-remote-static-linux_amd64.tar.gz
ccb8a5fc2639c42e540ddbc17aeb6b73551d37645e56dd312c4c197568cee804  podman-remote-static-linux_arm64.tar.gz

Describe the results you expected

All installable files have a SHA digest in the shasums file.

podman info output

N/A

Podman in a container

No

Privileged Or Rootless

None

Upstream Latest Release

Yes

Additional environment details

Github PR verification fails. See example here https://github.com/containers/podman-desktop/actions/runs/9355240785/job/25752785186

Blocks https://github.com/containers/podman-desktop/issues/7373

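The check the reporter ran by hand (open the shasums file, look for the .pkg entries) is easy to automate, and the same parser doubles as the verification step a downloader should run before installing anything. The script below is an added example written for this thread, not code from the podman repository or its release workflow. It uses the five digests quoted above as constructed sample input; the list of expected artifact names is an assumption (the .pkg for amd64 is named in the issue, the arm64 .pkg name is assumed), and `verify_download` fails closed when a file is not listed at all, which is exactly the case the issue describes.

```python
"""Report release artifacts missing from a shasums file and verify a download."""
import hashlib
import hmac
import os
import re
import tempfile
from pathlib import Path

# One "<sha256 hex>  <filename>" entry per line, as `sha256sum`/`shasum -a 256`
# print it. A leading '*' on the filename marks binary mode; accept it as well.
SHASUM_LINE = re.compile(r"^([0-9a-fA-F]{64}) [ *](\S+)$")

# Constructed sample: the five lines quoted in the issue, i.e. no .pkg entries.
SAMPLE_SHASUMS = """\
496841ceb22fd418be966bd6ffc442d4c7ea130206c8e59678c0483371225e06  podman-remote-release-darwin_amd64.zip
509d565ed2d649965e2c9c604783207b5a504c2560385318279dd6863aa5df4f  podman-remote-release-darwin_arm64.zip
8e41862ebe5acaac703176d9e862600efef588976e3a40efb96e73c7198ec1e3  podman-remote-release-windows_amd64.zip
390b469745da1560d89abd45e5cc0b84484585b255465845020b0785bb30c51a  podman-remote-static-linux_amd64.tar.gz
ccb8a5fc2639c42e540ddbc17aeb6b73551d37645e56dd312c4c197568cee804  podman-remote-static-linux_arm64.tar.gz
"""

# Assumed list of artifacts a release is expected to cover. The amd64 .pkg name
# comes from the issue; the arm64 .pkg name is an assumption for this example.
EXPECTED_ARTIFACTS = [
    "podman-installer-macos-amd64.pkg",
    "podman-installer-macos-arm64.pkg",
    "podman-remote-release-darwin_amd64.zip",
    "podman-remote-release-darwin_arm64.zip",
    "podman-remote-release-windows_amd64.zip",
    "podman-remote-static-linux_amd64.tar.gz",
    "podman-remote-static-linux_arm64.tar.gz",
]


def parse_shasums(text):
    """Return {filename: sha256 hex}; raise on malformed or conflicting lines."""
    sums = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = SHASUM_LINE.match(line)
        if not m:
            raise ValueError(f"shasums line {lineno} is malformed: {line!r}")
        digest, name = m.group(1).lower(), m.group(2)
        # The same name with two different digests means the file was published
        # twice (the kind of damage a racing uploader can cause); reject the
        # whole file rather than silently picking one of them.
        if name in sums and sums[name] != digest:
            raise ValueError(f"conflicting digests for {name} at line {lineno}")
        sums[name] = digest
    return sums


def missing_artifacts(shasums_text, expected_names):
    """Names from expected_names that have no entry in the shasums file."""
    sums = parse_shasums(shasums_text)
    return sorted(n for n in expected_names if n not in sums)


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file so large installers do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, shasums_text):
    """True only if the file is listed in shasums and its digest matches."""
    sums = parse_shasums(shasums_text)
    expected = sums.get(Path(path).name)
    if expected is None:
        return False  # unlisted file cannot be verified: fail closed
    return hmac.compare_digest(sha256_of_file(path), expected)


def demo():
    """Exercise both checks on a constructed installer in a temp directory."""
    tmpdir = tempfile.mkdtemp()
    pkg = os.path.join(tmpdir, "podman-installer-macos-amd64.pkg")
    with open(pkg, "wb") as f:
        f.write(b"constructed installer bytes, not a real package\n")
    # Shasums as published in the issue (no .pkg line) versus a repaired copy.
    repaired = SAMPLE_SHASUMS + f"{sha256_of_file(pkg)}  {Path(pkg).name}\n"
    tampered = repaired.replace(sha256_of_file(pkg), "0" * 64)
    return {
        "missing_before_fix": missing_artifacts(SAMPLE_SHASUMS, EXPECTED_ARTIFACTS),
        "missing_after_fix": missing_artifacts(repaired, EXPECTED_ARTIFACTS),
        "verify_unlisted": verify_download(pkg, SAMPLE_SHASUMS),
        "verify_listed": verify_download(pkg, repaired),
        "verify_tampered": verify_download(pkg, tampered),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `missing_artifacts` against a freshly published shasums file in the release job itself (after every uploader has finished) would have caught this release before users did; on the consumer side, the fail-closed behaviour of `verify_download` turns a missing entry into a hard error instead of an unverified install.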

Luap99 commented 1 month ago

@ashley-cui @mheon PTAL

Looking at the github action setup it seems they have a very obvious TOCTOU race regarding the artifact uploads. Because the several installers run in parallel they seem to download the shasum file, then append their new sums for the new files and then upload it again. If two tasks do this in parallel it can never work reliably.

ashley-cui commented 1 month ago

Manually updated the 5.1.0 shasum. I'll take this issue to update and fold all the upload actions into one, so we don't have this race.

github-actions[bot] commented 6 days ago

A friendly reminder that this issue had no activity for 30 days.