Bug 451486 - md5sums of krita-5.0.2.dmg in https://download.kde.org/stable/krita/5.0.2/md5sum.txt is wrong
Status: RESOLVED FIXED
Alias: None
Product: www.kde.org
Classification: Websites
Component: general
Version: unspecified
Platform: Other Other
Importance: NOR normal
Target Milestone: ---
Assignee: kde-www mailing-list
Reported: 2022-03-14 09:44 UTC by Tian
Modified: 2022-05-15 10:59 UTC
Description Tian 2022-03-14 09:44:06 UTC
SUMMARY
md5sum of krita-5.0.2.dmg in https://download.kde.org/stable/krita/5.0.2/md5sum.txt differs from https://download.kde.org/stable/krita/5.0.2/krita-5.0.2.dmg.md5.

STEPS TO REPRODUCE
1. Visit the webpages in the summary
2. Compare the two md5sums of the dmg file in two pages

OBSERVED RESULT
The two md5sums of the dmg file are different.
The value in https://download.kde.org/stable/krita/5.0.2/md5sum.txt is wrong.

EXPECTED RESULT
The value in https://download.kde.org/stable/krita/5.0.2/md5sum.txt should be the same as the one in https://download.kde.org/stable/krita/5.0.2/krita-5.0.2.dmg.md5.
Comment 1 Ben Cooksley 2022-03-14 10:53:05 UTC
Please note that MD5 is a very weak hash - I'd recommend the use of SHA-256 instead.
Comment 2 Tian 2022-03-14 15:32:03 UTC
(In reply to Ben Cooksley from comment #1)
> Please note that MD5 is a very weak hash - I'd recommend the use of SHA-256
> instead.

Thanks, I tried to find the sha256sum file first, but didn't succeed. In fact the sums are in the "details" link beside each file.
Since MD5 is provided on the page, then it should be right.
Comment 3 Brendan 2022-04-22 02:16:22 UTC
I have just downloaded the Krita 5.0.5 appimage 4 times. Each of the binaries differs. None match the md5sum in the md5sum file.
Is it possible that the server is adding some header information?
Comment 4 Ben Cooksley 2022-04-22 08:48:27 UTC
I've downloaded the Appimage now and it worked fine, with the sha256 hash validating perfectly.

I would recommend checking the software you are using, especially if it is trying to download the file in a multi-threaded fashion.
Comment 5 Brendan 2022-04-23 05:37:18 UTC
Looks like something wrong at my end? Tried today, downloaded fine.
That said, I don't see sha256sum hashes published anywhere.
Comment 6 Ben Cooksley 2022-04-23 08:51:20 UTC
If you take the URLs for download.kde.org you can add '.mirrorlist' to receive a nice page with various information - including MD5, SHA-1 and SHA-256 hashes of the files.

Alternatively you can add '.sha256' and you will be served a machine interpretable SHA-256 hash (same applies for '.md5' and '.sha1' for those equivalents).

Eg:
https://download.kde.org/stable/krita/5.0.5/krita-5.0.5-x86_64.appimage
https://download.kde.org/stable/krita/5.0.5/krita-5.0.5-x86_64.appimage.mirrorlist
https://download.kde.org/stable/krita/5.0.5/krita-5.0.5-x86_64.appimage.sha256

These hashes are always served directly by download.kde.org and you will not find those files on the mirrors.
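The verification step the '.sha256' and '.md5' sidecars enable, as an added example (not code from the bug tracker or from KDE's infrastructure): it hashes a downloaded file in chunks, parses a coreutils-style sidecar (assumed to be the format of those files, '<hex>  <name>'), compares in constant time, and rejects a sidecar whose value is the wrong length for the algorithm. The demo() data is constructed and mirrors this report, with a correct .sha256 sidecar beside a stale multi-file md5sum.txt listing.

```python
import hashlib
import hmac
import os
import tempfile

ALGORITHMS = {"md5": hashlib.md5, "sha1": hashlib.sha1, "sha256": hashlib.sha256}

def file_digest(path, algo):
    """Hash in 1 MiB chunks so a large .dmg/.appimage never sits in memory."""
    h = ALGORITHMS[algo]()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_sums(text):
    """Parse coreutils-style '<hex>  <name>' lines into {name: hex} (assumed
    format of the .sha256 sidecar); a '*' binary-mode prefix is stripped."""
    sums = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            sums[parts[1].lstrip("*")] = parts[0].lower()
    return sums

def verify(path, sidecar_text, algo="sha256"):
    """Return (ok, reason) for the sidecar entry matching the file's basename."""
    name = os.path.basename(path)
    expected = parse_sums(sidecar_text).get(name)
    if expected is None:
        return False, f"no entry for {name} in sidecar"
    if len(expected) != ALGORITHMS[algo]().digest_size * 2:
        return False, f"sidecar value is not a {algo} digest"
    actual = file_digest(path, algo)
    if not hmac.compare_digest(actual, expected):
        return False, f"{algo} mismatch: file {actual}, sidecar {expected}"
    return True, f"{algo} OK"

def demo():
    """Constructed data mirroring the report: a fake krita-5.0.2.dmg, a correct
    .sha256 sidecar and a stale multi-file md5sum.txt listing."""
    payload = b"constructed dmg payload, not a real Krita build\n" * 64
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "krita-5.0.2.dmg")
        with open(path, "wb") as f:
            f.write(payload)
        good = f"{hashlib.sha256(payload).hexdigest()}  krita-5.0.2.dmg\n"
        stale = "0" * 32 + "  krita-5.0.2.dmg\n" + "1" * 32 + "  other.tar.xz\n"
        return {"sha256": verify(path, good)[0], "stale_md5": verify(path, stale, "md5")[0],
                "wrong_algo": verify(path, good, "md5")[0]}
```

A hash match only shows the bytes equal what the master server holds; authenticity of the release still rests on the GPG signature discussed later in the thread.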
Comment 7 Tian 2022-05-13 02:07:54 UTC
(In reply to Ben Cooksley from comment #4)
> I've downloaded the Appimage now and it worked fine, with the sha256 hash
> validating perfectly.

The sha256 hash has no problem.
 
> I would recommend checking the software you are using, especially if it is
> trying to download the file in a multi-threaded fashion.
I just downloaded it through the browser (Chrome).
Comment 8 Tian 2022-05-13 02:22:32 UTC
(In reply to Ben Cooksley from comment #6)
> If you take the URLs for download.kde.org you can add '.mirrorlist' to
> receive a nice page with various information - including MD5, SHA-1 and
> SHA-256 hashes of the files. 
> These hashes are always served directly by download.kde.org and you will not
> find those files on the mirrors.
Yes, one can find detailed and nice information by clicking the 'Details' link on the right side of the page[1]. This page lists the link you mentioned.
At the bottom of the page, you will see a standalone md5sum.txt link. The hash on this page is not the same as the one in the 'Details' link.
All this information is from download.kde.org, not a mirror site.

I can use sha-256 to check the file.
But the purpose of this bug report is to find out what causes the difference and how to fix it in the future, though I am not a contributor of KDE.

[1] https://download.kde.org/stable/krita/5.0.2/
Comment 9 Halla Rempt 2022-05-13 08:44:27 UTC
From 5.0.6 onwards, I've stopped providing the md5sum.txt file. It's too much of a hassle and it doesn't provide anything useful anyway.
Comment 10 Ben Cooksley 2022-05-13 19:37:47 UTC
Given the content of the md5sum.txt file was both inaccurate and was served from mirrors rather than directly by us, I've now removed the 5.0.2 and 5.0.5 versions of those files.

Please use the mirrorlist/md5/sha1/sha256 special links as noted below for retrieving a sum that can be used to validate your download.
Comment 11 Brendan 2022-05-15 03:40:04 UTC
Thanks for that.

So, these checksums (being autogenerated by server) verify whether the version on the server is the same as the version downloaded. Chain of trust from developer to user is assured by GPG signature from Krita.org?

Where is the public key?
Comment 12 Ben Cooksley 2022-05-15 10:59:09 UTC
Correct, the ultimate chain of trust is verified by the GPG signature. You should be able to retrieve the public key from the appropriate public keyserver.

The hash sums verify the integrity of the download is the same as the file on the master server.