Bananian Linux

ID: 0000131
Project: Bananian Linux
Category: [All Projects] Security
View Status: public
Date Submitted: 2015-04-30 16:50
Last Update: 2015-05-01 10:22
Reporter: cerebrux
Assigned To: Nico
Priority: high
Severity: major
Reproducibility: always
Status: resolved
Resolution: no change required
Product Version: 15.04
Target Version:
Fixed in Version:
Summary: 0000131: SHA1 and SHA256 do not match the downloaded image
Description: The downloaded latest image has a different sha1sum and sha256sum from the ones that http://dl.bananian.org/releases/SHA1SUMS and http://dl.bananian.org/releases/SHA256SUMS give. Thus this is an indication of either a corrupt downloadable image or compromised images on the server.
I downloaded the image in 2 different ways (Firefox and wget) on 2 different machines (my laptop and my remote VPS).
Steps To Reproduce:
1) wget http://dl.bananian.org/releases/bananian-latest.zip
2) unzip bananian-latest.zip
3) sha1sum bananian-1504.img
4) sha256sum bananian-1504.img
SHA1: 03abfde53239082f2ed66196100714bc4c73cee1
SHA256: 25796bc7e7a68a99fc7206f6ec55bdb5e13cfcdd33baeaf6c6fadc6f0ac876fc
The above values do not match the ones that are reported on the source server.
Tags: No tags attached.
Attached Files: Screenshot from 2015-04-30 17:48:28.png (22,683 bytes) 2015-04-30 16:50

Notes
(0000240)
cerebrux (reporter)
2015-04-30 21:54
edited on: 2015-04-30 22:44

I think this report that I made is partially invalid because the website http://www.lemaker.org/resources/9-39/banana_pi_quick_start_guide.html mentions:
"Verify if the hash key of the zip file is the same as shown on the downloads page (optional).
sha1sum [path]/[imagename]
This will print out a long hex number which should match the "SHA-1" line for the MicroSD image you have downloaded"


The last part was the reason that I was confused. I checked the sha1 and sha256 of the image file (as mentioned in the last part) and not the zip file.
Now I rechecked the zip file instead and it is valid and matches the hashsum of the website.
So please make this bug report that I made invalid, but make it more clear that the check should be on the zip file, NOT the extracted image.

(0000242)
Nico (manager)
2015-05-01 10:22
edited on: 2015-05-01 10:22

In the SHASUM files you can see the filename next to the hashes. So I think it should be clear enough.

http://dl.bananian.org/releases/SHA256SUMS
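
Added example (not part of either note above, and not Bananian's own tooling): a shell function that looks a file up by name in SHA256SUMS before comparing digests, so hashing the extracted image is reported as "not listed" instead of looking like a corrupt or compromised download. The helper name verify_listed and the stand-in file contents are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: verify a download against the manifest entry that names it.
# verify_listed is a hypothetical helper; it assumes file names without spaces.
# Returns 0 = digest matches, 1 = digest differs, 2 = file not named in manifest.
verify_listed() {
    local manifest="$1" file="$2" name expected actual
    name=$(basename "$file")
    # Manifest lines look like "<hex digest>  <name>" ('*' prefix in binary mode).
    expected=$(awk -v n="$name" \
        '{ f = $2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$manifest")
    if [ -z "$expected" ]; then
        echo "$name: not named in $(basename "$manifest"), nothing to compare" >&2
        return 2
    fi
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "$name: OK"
        return 0
    fi
    echo "$name: MISMATCH" >&2
    return 1
}

# Constructed stand-ins for the release files; no real image data is used.
demo() {
    local d rc
    d=$(mktemp -d)
    printf 'constructed archive bytes\n' > "$d/bananian-latest.zip"
    printf 'constructed image bytes\n'   > "$d/bananian-1504.img"
    ( cd "$d" && sha256sum bananian-latest.zip > SHA256SUMS )

    rc=0; verify_listed "$d/SHA256SUMS" "$d/bananian-latest.zip" || rc=$?
    echo "archive -> $rc"                      # 0: the manifest names the zip
    rc=0; verify_listed "$d/SHA256SUMS" "$d/bananian-1504.img" || rc=$?
    echo "extracted image -> $rc"              # 2: the image is not listed
    printf 'x' >> "$d/bananian-latest.zip"     # simulate corruption in transit
    rc=0; verify_listed "$d/SHA256SUMS" "$d/bananian-latest.zip" || rc=$?
    echo "modified archive -> $rc"             # 1: digest differs
    rm -rf "$d"
}
demo
```

Running `sha256sum -c SHA256SUMS` in the download directory applies the same by-name comparison to every file the manifest lists.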


Issue History
Date Modified Username Field Change
2015-04-30 16:50 cerebrux New Issue
2015-04-30 16:50 cerebrux File Added: Screenshot from 2015-04-30 17:48:28.png
2015-04-30 21:54 cerebrux Note Added: 0000240
2015-04-30 22:44 cerebrux Note Edited: 0000240
2015-05-01 10:22 Nico Note Added: 0000242
2015-05-01 10:22 Nico Status new => resolved
2015-05-01 10:22 Nico Resolution open => no change required
2015-05-01 10:22 Nico Assigned To => Nico
2015-05-01 10:22 Nico Note Edited: 0000242

