Path inside SHA256 checksum file changed

Open GuybrushX opened this issue 1 year ago • 1 comments

Summary

  • Looks like the build process changed somehow because the path inside the SHA256 checksum file changed.

Steps to Reproduce

[Please use step-by-step bullet points to help the team reproduce the bug]

  • Use this helpful tool to upgrade your node to 4.0.5: https://github.com/sandrich/definode_upgrade/

The upgrade will fail because the SHA256 file changed the path.

# 4.0.3:
124c0d5bb78193c05f7872bcd7a9fbf18d54cddf80b9bc1fffd1def582ef064e  ./defichain-4.0.0-x86_64-pc-linux-gnu.tar.gz

# 4.0.5:
c653c7591f26906fed1f766e7f3209657430de8466b26014b4c6cae42bfe5559  /__w/ain/ain/build/defichain-4.0.5-x86_64-pc-linux-gnu.tar.gz

-> Scary fact: it looks like nobody is checking the checksum of what they are downloading... This can easily become a really big issue in case compromised binaries are distributed for whatever reason.

Environment

[Please fill all of the following or NA if not applicable]

  • Node Version: defichain-4.0.5-x86_64-pc-linux-gnu.tar.gz[.SHA256]
  • Block height on bug if applicable: NA
  • TX or TX type on bug if applicable: NA
  • OS with version: NA
  • Any other relevant environment info: NA

GuybrushX, Dec 09 '23 13:12
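
An added example, not part of the issue and not code from definode_upgrade or the ain project: one way an upgrade script can verify the archive so that a changed path prefix in the `.SHA256` file (`./…` versus `/__w/ain/ain/build/…`) does not break the check, while a missing or mismatching hash still stops the upgrade. The function names `expected_hash` and `verify_release` are hypothetical, and the script assumes `sha256sum` and `awk` are available.

```shell
#!/bin/sh
# Added example (not from the issue or from definode_upgrade).
# Function names are hypothetical; assumes sha256sum and awk are installed.

# expected_hash <checksum_file> <archive_name>
# Print the hash recorded for the entry whose basename is <archive_name>,
# whatever directory prefix the build wrote in front of it.
expected_hash() {
    awk -v want="$2" '
        NF >= 2 {
            path = $2
            sub(/^\*/, "", path)        # "*" marks binary mode in sha256sum output
            n = split(path, parts, "/")
            if (parts[n] == want) { print tolower($1); found = 1; exit }
        }
        END { if (!found) exit 1 }
    ' "$1"
}

# verify_release <archive> <checksum_file>
# Returns 0 on a match, 1 on a mismatch, 2 if no usable entry exists.
verify_release() {
    archive=$1
    sums=$2
    want=$(expected_hash "$sums" "$(basename "$archive")") || {
        echo "no checksum entry for $(basename "$archive")" >&2
        return 2
    }
    # Fail closed unless the recorded value is exactly 64 lowercase hex digits.
    case $want in
        *[!0-9a-f]*) echo "malformed checksum entry" >&2; return 2 ;;
    esac
    [ "${#want}" -eq 64 ] || { echo "malformed checksum entry" >&2; return 2; }

    got=$(sha256sum "$archive" | awk '{ print $1 }')
    if [ "$got" = "$want" ]; then
        return 0
    fi
    echo "checksum mismatch for $archive" >&2
    return 1
}
```

A caller should abort the upgrade on any non-zero return rather than continue with the unverified archive; the checksum file itself needs to come from a trusted channel for the comparison to mean anything.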