Closed mattwynne closed 3 years ago
@gasparnagy can you help with this? Should we just update our checksum to whatever is now coming down from that original URL?
Doesn't look like there's been a dotnet v1 release for a while: https://dotnet.microsoft.com/download/dotnet/1.1
Because we're doing curl-pipe-bash with this you should download the script, check the sha1, read the script to see what it does. If that checks out you can update to the sha1 of the file you just checked.
If not \<play law and order tune>.
And I believe this is the source of the script. Seems to get regular updates.
When updating also consider using sha256 instead. sha1 is getting old.
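The download, check, then run flow suggested above, using SHA-256 instead of SHA-1, as an added example that is not part of the original thread or the project's build scripts. The function names and the `PINNED_SHA256` variable are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example: pin a downloaded install script to a reviewed SHA-256 and
# refuse to run it on mismatch. All function names here are hypothetical.

# Print the SHA-256 of a file as lowercase hex (GNU coreutils or macOS/BSD).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_pinned FILE EXPECTED_HEX -> 0 if the file matches the pin, 1 otherwise.
verify_pinned() {
  local file="$1" expected="$2" actual
  [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
  # Reject a pin that is not exactly 64 hex characters, so an empty or
  # truncated value can never be treated as a match.
  case "$expected" in
    *[!0-9a-fA-F]*|"") echo "malformed pin" >&2; return 1 ;;
  esac
  [ "${#expected}" -eq 64 ] || { echo "malformed pin" >&2; return 1; }
  actual=$(sha256_of "$file") || return 1
  expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
  fi
}

# run_if_pinned FILE EXPECTED_HEX [ARGS...]: execute only after the check passes.
run_if_pinned() {
  local file="$1" expected="$2"
  shift 2
  verify_pinned "$file" "$expected" || return 1
  bash "$file" "$@"
}

# In a build, the script is fetched to disk first instead of piped into bash:
#   curl -fsSL -o dotnet-install.sh https://dot.net/v1/dotnet-install.sh
#   run_if_pinned dotnet-install.sh "$PINNED_SHA256"
```

A mismatch prints both digests, so the changed upstream file can be diffed against the last reviewed copy before the pin is moved.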
@mattwynne I checked it: the source of the latest .NET install scripts is currently (always) at: https://dot.net/v1/dotnet-install.sh. Don't be confused, the v1 in the URL does not mean .NET 1. Actually this is just a script that can install even different versions of .NET. (It installs .NET 5 by default.)
The checksum checking is something that we added to the process. (I guess to avoid accessing a malicious script through invalid DNS entries.) As @mpkorstanje mentioned, this has regular updates, so hard coding the checksum is not that useful, especially because this is a 1500+ line script, so it is not that easy to verify whether a checksum change is problematic or not.
I think we have 3 options:
1) Remove the checksum verification -- this runs on the build, if someone can hack the DNS setting there, they can do other things as well. On the other hand, this is a public URL maintained by Microsoft - not very likely that we will be the target if it is ever going to be hacked.
2) Download the script and add it to the repository. Most probably the regular updates will not have a direct impact on us (or we will see if they do), so using the current version of the script for a longer time is probably fine.
3) Update the checksum for the current one and postpone the problem for the next script update... :)
Wouldn't be the first time a script is changed on the server that hosts it.
https://about.codecov.io/security-update/
And with the source available it shouldn't be too difficult to check the differences.
Let's download the script and add it to the repo.
The nightly build started failing 12 days ago:
Has there been a new release of dotnet v1?