|Anonymous | Login|
Bananian Linux is no longer under active development. Read more...2020-06-05 18:13 CEST
|My View | View Issues | Change Log | Roadmap|
|View Issue Details|
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0000131||Bananian Linux||[All Projects] Security||public||2015-04-30 16:50||2015-05-01 10:22|
|Status||resolved||Resolution||no change required|
|Target Version||Fixed in Version|
|Summary||0000131: SHA1 and SHA256 do not match the downloaded image|
|Description||The downloaded latest image has a different sha1sum and sha256sum from the one that http://dl.bananian.org/releases/SHA1SUMS [^] and http://dl.bananian.org/releases/SHA256SUMS [^] gives. Thus this is an indication of either corrupt downloadable image or compromised images on the server.|
I downloaded in 2 different ways (Firefox and wget) the image on 2 different machines (my laptop and my remote VPS) .
|Steps To Reproduce||1) wget http://dl.bananian.org/releases/bananian-latest.zip [^]|
2) unzip bananian-latest.zip
3) sha1sum bananian-1504.img
4) sha256sum bananian-1504.img SHA1: 03abfde53239082f2ed66196100714bc4c73cee1
the above values do not match the ones that are reported on the source server
|Tags||No tags attached.|
|Attached Files|| Screenshot from 2015-04-30 17:48:28.png [^] (22,683 bytes) 2015-04-30 16:50
edited on: 2015-04-30 22:44
I think this report that I made is partially invalid because the website http://www.lemaker.org/resources/9-39/banana_pi_quick_start_guide.html [^] mentions :
"Verify if the hash key of the zip file is the same as shown on the downloads page (optional).
This will print out a long hex number which should match the "SHA-1" line for the MicroSD image you have downloaded"
The last part was the reason that I was confused me. I checked the sha1 and sha256 of the image file (as mentioned in the last part) and not the zip file.
Now I rechecked the zip file instead and it is valid and matches the hashsum of the website.
So please make this bug report that I made invalid but make it more clear that the check should be on the zip file NOT the extracted image
edited on: 2015-05-01 10:22
In the SHASUM files you can see the filename next to the hashes. So I think it should be clear enough.
|2015-04-30 16:50||cerebrux||New Issue|
|2015-04-30 16:50||cerebrux||File Added: Screenshot from 2015-04-30 17:48:28.png|
|2015-04-30 21:54||cerebrux||Note Added: 0000240|
|2015-04-30 22:44||cerebrux||Note Edited: 0000240||View Revisions|
|2015-05-01 10:22||Nico||Note Added: 0000242|
|2015-05-01 10:22||Nico||Status||new => resolved|
|2015-05-01 10:22||Nico||Resolution||open => no change required|
|2015-05-01 10:22||Nico||Assigned To||=> Nico|
|2015-05-01 10:22||Nico||Note Edited: 0000242||View Revisions|
|Copyright © 2000 - 2020 MantisBT Team|