Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-77383

".msi.sha256" files have incorrect shasum

    • Type: Icon: Bug Bug
    • Resolution: Fixed
    • Priority: Icon: Major - P3 Major - P3
    • 7.1.0-rc0, 6.3.2, 6.0.7, 5.0.19, 4.4.23
    • Affects Version/s: 6.0.6, 4.4.22, 5.0.18
    • Component/s: None
    • None
    • Server Security
    • Fully Compatible
    • ALL
    • v7.0, v6.3, v6.0, v5.0, v4.4, v4.2
    • Hide

      Download any .msi and its .msi.sha256 from one of the affected versions. Compare the contents of the .sha256 file with the output of sha256sum (or Get-FileHash -Algorithm sha256 on Windows).

       

      $ wget -q https://fastdl.mongodb.org/windows/mongodb-windows-x86_64-4.4.22-signed.msi
      $ wget -q https://fastdl.mongodb.org/windows/mongodb-windows-x86_64-4.4.22-signed.msi.sha256
      $ cat mongodb-windows-x86_64-4.4.22-signed.msi.sha256
      b47270027451a262a3661ead2dc79861edca93efd096526c31c310c1b733851a mongodb-windows-x86_64-4.4.22.msi
      $ sha256sum mongodb-windows-x86_64-4.4.22-signed.msi
      95a021db597790008f2e7070fab4a7c3e0d30262f2305c615b95cb7b8afb4eed mongodb-windows-x86_64-4.4.22-signed.msi
      $ wget -q https://fastdl.mongodb.org/windows/mongodb-windows-x86_64-5.0.18-signed.msi
      $ wget -q https://fastdl.mongodb.org/windows/mongodb-windows-x86_64-5.0.18-signed.msi.sha256
      $ cat mongodb-windows-x86_64-5.0.18-signed.msi.sha256
      a42c5849ce363ea12cfa2dfa0ae825c302a905378afd8a8c9daf2abe34e93743 mongodb-windows-x86_64-5.0.18.msi
      $ sha256sum mongodb-windows-x86_64-5.0.18-signed.msi
      369e0cdc34c29290bfcc9d47569e1debad1b86010ea5e00aefd7c670717f434b mongodb-windows-x86_64-5.0.18-signed.msi
      $ wget -q https://fastdl.mongodb.org/windows/mongodb-windows-x86_64-6.0.6-signed.msi
      $ wget -q https://fastdl.mongodb.org/windows/mongodb-windows-x86_64-6.0.6-signed.msi.sha256
      $ cat mongodb-windows-x86_64-6.0.6-signed.msi.sha256
      1a593fd9a018127a8c34cfacc83fe048c984c7030ce807f300830376d5596f9d mongodb-windows-x86_64-6.0.6.msi
      $ sha256sum mongodb-windows-x86_64-6.0.6-signed.msi
      585afad69ec57040b1a8f502a039c3fef160dccbe6c48c53e15adde9976724a6 mongodb-windows-x86_64-6.0.6-signed.msi

       

      Show
      Download any .msi and its .msi.sha256 from one of the affected versions. Compare the contents of the .sha256 file with the output of sha256sum (or Get-FileHash -Algorithm sha256 on Windows).   $ wget -q https: //fastdl.mongodb.org/windows/mongodb-windows-x86_64-4.4.22-signed.msi $ wget -q https: //fastdl.mongodb.org/windows/mongodb-windows-x86_64-4.4.22-signed.msi.sha256 $ cat mongodb-windows-x86_64-4.4.22-signed.msi.sha256 b47270027451a262a3661ead2dc79861edca93efd096526c31c310c1b733851a mongodb-windows-x86_64-4.4.22.msi $ sha256sum mongodb-windows-x86_64-4.4.22-signed.msi 95a021db597790008f2e7070fab4a7c3e0d30262f2305c615b95cb7b8afb4eed mongodb-windows-x86_64-4.4.22-signed.msi $ wget -q https: //fastdl.mongodb.org/windows/mongodb-windows-x86_64-5.0.18-signed.msi $ wget -q https: //fastdl.mongodb.org/windows/mongodb-windows-x86_64-5.0.18-signed.msi.sha256 $ cat mongodb-windows-x86_64-5.0.18-signed.msi.sha256 a42c5849ce363ea12cfa2dfa0ae825c302a905378afd8a8c9daf2abe34e93743 mongodb-windows-x86_64-5.0.18.msi $ sha256sum mongodb-windows-x86_64-5.0.18-signed.msi 369e0cdc34c29290bfcc9d47569e1debad1b86010ea5e00aefd7c670717f434b mongodb-windows-x86_64-5.0.18-signed.msi $ wget -q https: //fastdl.mongodb.org/windows/mongodb-windows-x86_64-6.0.6-signed.msi $ wget -q https: //fastdl.mongodb.org/windows/mongodb-windows-x86_64-6.0.6-signed.msi.sha256 $ cat mongodb-windows-x86_64-6.0.6-signed.msi.sha256 1a593fd9a018127a8c34cfacc83fe048c984c7030ce807f300830376d5596f9d mongodb-windows-x86_64-6.0.6.msi $ sha256sum mongodb-windows-x86_64-6.0.6-signed.msi 585afad69ec57040b1a8f502a039c3fef160dccbe6c48c53e15adde9976724a6 mongodb-windows-x86_64-6.0.6-signed.msi  
    • 4

      Following the docs to verify the Windows msi installer and the sha256 files are all incorrect. This now happens on all released versions (4.4.22, 5.0.18, 6.0.6); previous versions worked correctly (except for the RCs of these releases). Downloaded files all match the etag (md5sum) provided in http headers.

      All the msi urls are extracted from https://downloads.mongodb.org/current.json

      Thank you and hopefully this is filled in the right project.

            Assignee:
            tural.farhadov@mongodb.com Tural Farhadov
            Reporter:
            joseph.ferguson@docker.com Joseph Ferguson
            Votes:
            0 Vote for this issue
            Watchers:
            6 Start watching this issue

              Created:
              Updated:
              Resolved: