Store binary checksums alongside with files being released #811

Open
artyomsol opened this issue Jul 27, 2018 · 10 comments
Comments

@artyomsol

downloads.getmonero.org holds historical releases for some reason, but the canonical PGP-signed checksums at https://getmonero.org/downloads/hashes.txt are only for the last release (though the same is mentioned on every release note on GitHub for all versions).
If previous releases need to be available, they must be provided with signed hash files for every single version.
It would be convenient to have them at the same resource as the binaries are.

@el00ruobuob
Contributor

The old releases are not removed from the website, but they are not available through any link on downloads.getmonero.org.
So, I do not believe we should offer the PGP hash from the website itself. Perhaps we should remove the old binaries.

@artyomsol
Author

@el00ruobuob Old release files are referenced on downloads.getmonero.org by GitHub release pages (i.e. https://github.com/monero-project/monero/releases/tag/v0.12.2.0), where the last paragraph states:

A GPG-signed list of the hashes is at https://getmonero.org/downloads/hashes.txt and should be treated as canonical, with the signature checked against the appropriate GPG key in the source code (in /utils/gpg_keys)

@binaryFate
Contributor

Note that you can check the git history of hashes.txt for any past version. On github it's at https://github.com/monero-project/monero-site/commits/master/downloads/hashes.txt

@KunNw0n

KunNw0n commented May 17, 2021

Note that you can check the git history of hashes.txt for any past version.

Yep. That is exactly what I am doing, for instance, to verify the hashes of recent releases:

# Dockerfile RUN fragment: XMR_VERSION must be set beforehand and the release
# signing key must already be imported into gpg's keyring.
  set -exu; \
  xmrArch="monero-linux-x64-v${XMR_VERSION}.tar.bz2"; \
  curl -SLO https://downloads.getmonero.org/cli/$xmrArch; \
# scan canonical downloads/hashes.txt for latest signed checksum
# (walk the commit history newest-first; the first revision mentioning this
#  archive is the signed hashes.txt of its release)
  curl -sSL "https://github.com/monero-project/monero-site/commits/master/downloads/hashes.txt" | \
    sed -nE 's;^.*href="/monero-project/monero-site/commit/([a-f0-9]{40})#diff-.*$;\1;p' | \
      while read _COMMIT; do \
        hashes=$(curl -sS "https://raw.githubusercontent.com/monero-project/monero-site/$_COMMIT/downloads/hashes.txt"); \
        if echo "$hashes" | grep -qE "^($xmrArch,\s+[a-f0-9]{64}|[a-f0-9]{64}\s+\*?$xmrArch)$"; then \
          echo "$hashes" > hashes.txt && break; \
        fi; \
      done; \
# the signature must verify and the listed SHA-256 must match the download
  gpg --no-tty --batch --verify hashes.txt; \
  test "$(grep "$xmrArch" hashes.txt | grep -oE "[a-f0-9]{64}")" = "$(sha256sum -b $xmrArch | cut -d" " -f1)"; \
  tar --transform 's:.*/::g' -xaf *.tar.bz2 -C /usr/local/bin; \

This ugly workaround could be reduced significantly if a signed hashes.txt were available on downloads.getmonero.org for every binary version.
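The check the script above performs, as an added stand-alone example that is not code from the issue or from the Monero project: look up an archive's SHA-256 in a clearsigned hash list (hashes.txt or a per-version copy of it), handling both line layouts the grep in the script covers, and compare it with the local file. It assumes GNU coreutils and gpg with the release signing key already imported; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the issue or the Monero project: check a release
# archive against a clearsigned SHA-256 list (hashes.txt or a per-version copy).
# Assumes GNU coreutils and gpg, with the release signing key already imported.
set -eu

# Print the SHA-256 the list records for exactly the file name $1.
# Accepts both line layouts the thread's regex covers:
#   "<name>, <64 hex>"      and      "<64 hex> *<name>"  (or without the "*")
# The name is compared literally, not as a regex, and two different hashes
# for the same name are an error rather than "first match wins".
expected_sha256() {
    name=$1; list=$2
    awk -v name="$name" '
        function ishex(s) { return length(s) == 64 && s ~ /^[0-9a-f]+$/ }
        $1 == (name ",") && ishex($2)                    { h[$2] = 1 }
        ishex($1) && ($2 == name || $2 == ("*" name))    { h[$1] = 1 }
        END {
            n = 0
            for (k in h) { n++; found = k }
            if (n != 1) exit 1          # missing or conflicting entry
            print found
        }' "$list"
}

# Compare the local archive digest with the listed one; non-zero on mismatch.
verify_archive() {
    archive=$1; list=$2
    want=$(expected_sha256 "$(basename "$archive")" "$list") || {
        echo "no unique entry for $archive in $list" >&2; return 1; }
    have=$(sha256sum -b "$archive" | cut -d' ' -f1)
    [ "$want" = "$have" ]
}

# Verify the clearsigned list $1 and write to $2 only the text gpg verified, so
# the lookup never sees lines outside the signed block; requires a VALIDSIG.
verified_text() {
    gpg --batch --yes --no-tty --status-fd 3 --output "$2" --decrypt "$1" 3>"$2.status" &&
        grep -q '^\[GNUPG:\] VALIDSIG ' "$2.status"
}

# Typical use (constructed paths):
#   verified_text hashes-v0.12.2.0.txt verified.txt
#   verify_archive monero-linux-x64-v0.12.2.0.tar.bz2 verified.txt
```

Running the lookup on gpg's own output rather than on the downloaded file is what makes a trailing unsigned line unable to influence the result.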

@binaryFate
Contributor

binaryFate commented May 17, 2021

@KunNw0n What about adding a second file, old-hashes.txt, that contains a forever expanding list of all hashes for all versions? (hashes.txt would keep having only the last version.)

My concern with your proposal of one hashes.txt per version is that newbies and users who are not too technical will be totally lost. It's already a challenge to have them check the hashes at all.

@KunNw0n

KunNw0n commented May 17, 2021

@binaryFate

what about adding a second file, old-hashes.txt, that contains a forever expanding list of all hashes for all versions?

Totally fine as long as it has an actual PGP signature (meaning it should be re-signed after every update).
I'd rather back up the previous hashes.txt to a hashes-v.X.Y.Z.txt during the release of the new version. Then it will keep not only the hashes but the signature as well.

My concern with your proposal of one hashes.txt per version is that newbies and users that are not too technical will be totally lost.

Having a single version-tagged file per release version (i.e. hashes-v.X.Y.Z.txt) is not harder to deal with than choosing the proper binary archive monero-linux-x64-vX.Y.Z.tar.bz2, IMHO.
Newbies and muggles are out of scope of this issue - they should always use the latest release.

@binaryFate
Contributor

Having a single version-tagged file per release version (i.e. hashes-v.X.Y.Z.txt)

I'm fine with this. (And indeed, as long as it does not change anything in the current, simple enough workflow for most users and does not add any confusion to what they can read or do, it's OK.)
Let's see if anyone has more comments.

@erciccione
Contributor

Ok for me too.

@artyomsol
Author

Having a single version-tagged file per release version (i.e. hashes-v.X.Y.Z.txt)

Indeed, it is the solution I was expecting to see.

@binaryFate
Contributor

Ping myself @binaryFate: discussed on IRC again, and todo.
