notpeter / apple-installer-checksums

Checksums of Mac OSX installer DMGs

Add 10.6.3 (10D575) #125

Closed mrpapersonic closed 3 years ago

mrpapersonic commented 3 years ago

Ripped as a read-only DMG with Disk Utility.

markmentovai commented 3 years ago

Ripped from what?

1alessandro1 commented 3 years ago

> Ripped as a read-only DMG with Disk Utility.

Hi, sorry but since that's not a standalone user-created image I don't think we can merge it into master. For Leopard or Snow Leopard the official SHA for the Golden master (10A432, accessible only if you have a paid developer account) I think is enough.

mrpapersonic commented 3 years ago

> Hi, sorry but since that's not a standalone user-created image

It is, sorry that I didn't mention it. It's created from a disc of the second retail release of Snow Leopard (10.6.3).

markmentovai commented 3 years ago

> It is, sorry that I didn't mention it. It's created from a disc of the second retail release of Snow Leopard (10.6.3).

Thanks for your proposed contribution and for your explanation.

We can’t accept hashes of user-created .dmg images, even from verified and authentic physical media. The .dmg format contains a variety of additional data beyond the content of the devices that it has imaged, and it’s possible to represent that additional data in essentially infinite different ways. Two .dmg files produced in this way may differ (and thus their hashes will differ) when different OS versions are used to create them, and it’s even possible for them to differ (although, nowadays, usually not) when created by the same OS version and even the same computer.

In order for this to work, the hash must cover precisely the bits that Apple released, nothing more and nothing less. We’re fine to hash .dmg files when that’s what Apple has released. When all you have is physical media, you can’t wrap a .dmg around its contents, because you’re then hashing more than what Apple released. You could hash the entire device (for example, shasum /dev/disk2), and a hash should even agree between the physical media’s device node, a device node associated with an attached user-created .dmg around that same media, and hdiutil checksum -type {SHA1,SHA256} on that same disk image, but we’d need a decent note explaining the situation.

If we have any hashes in the list that were created from user-created .dmg files, we should remove them or replace them with something better.
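The distinction drawn in the comment above, between hashing a wrapper and hashing exactly the released bits, as an added example that is not part of the thread or the repository: a chunked hasher usable on a raw image or device node, plus a constructed toy wrapper showing two wrappings of one payload hashing differently while their contents hash identically. The wrapper format, `SAMPLE_MEDIA` and all function names are assumptions made for illustration; this is not the real .dmg layout.

```python
import hashlib
import io
import struct
import uuid
import zlib

CHUNK = 1 << 20  # read 1 MiB at a time so multi-GB media never sits in memory

def digest_stream(fh, algo="sha256"):
    """Hash a binary file object: a raw image, or a device node opened 'rb'."""
    h = hashlib.new(algo)
    for block in iter(lambda: fh.read(CHUNK), b""):
        h.update(block)
    return h.hexdigest()

def digest_path(path, algo="sha256"):
    with open(path, "rb") as fh:
        return digest_stream(fh, algo)

def digest_bytes(data, algo="sha256"):
    return digest_stream(io.BytesIO(data), algo)

# Hypothetical toy wrapper, NOT the real .dmg layout: compressed payload
# followed by a trailer holding a magic, the payload length and a random ID.
MAGIC = b"TOYW"
TRAILER = struct.Struct(">4sQ16s")

def wrap(payload, level):
    trailer = TRAILER.pack(MAGIC, len(payload), uuid.uuid4().bytes)
    return zlib.compress(payload, level) + trailer

def unwrap(image):
    if len(image) < TRAILER.size:
        raise ValueError("image too short to hold a trailer")
    magic, length, _image_id = TRAILER.unpack(image[-TRAILER.size:])
    if magic != MAGIC:
        raise ValueError("not a toy wrapper image")
    payload = zlib.decompress(image[:-TRAILER.size])
    if len(payload) != length:
        raise ValueError("payload length does not match trailer")
    return payload

SAMPLE_MEDIA = bytes(range(256)) * 2048  # constructed stand-in for the media contents

def compare(payload):
    """Wrap the same payload twice and compare wrapper hashes with content hashes."""
    a, b = wrap(payload, 1), wrap(payload, 9)
    content = {digest_bytes(unwrap(a)), digest_bytes(unwrap(b)), digest_bytes(payload)}
    return {"wrappers_match": digest_bytes(a) == digest_bytes(b),
            "contents_match": len(content) == 1}
```

Only the content hash is reproducible by someone else holding the same media, which is why a published value has to state what it covers.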