[SERVER-77383] ".msi.sha256" files have incorrect shasum Created: 22/May/23  Updated: 29/Oct/23  Resolved: 01/Jun/23

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: 6.0.6, 4.4.22, 5.0.18
Fix Version/s: 7.1.0-rc0, 6.3.2, 6.0.7, 5.0.19, 4.4.23

Type: Bug Priority: Major - P3
Reporter: Joseph Ferguson Assignee: Tural Farhadov
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Backports
Assigned Teams:
Server Security
Backwards Compatibility: Fully Compatible
Operating System: ALL
Backport Requested:
v7.0, v6.3, v6.0, v5.0, v4.4, v4.2
Steps To Reproduce:

Download any .msi and its .msi.sha256 from one of the affected versions. Compare the contents of the .sha256 file with the output of sha256sum (or Get-FileHash -Algorithm sha256 on Windows).

 

$ wget -q https://fastdl.mongodb.org/windows/mongodb-windows-x86_64-4.4.22-signed.msi
$ wget -q https://fastdl.mongodb.org/windows/mongodb-windows-x86_64-4.4.22-signed.msi.sha256
$ cat mongodb-windows-x86_64-4.4.22-signed.msi.sha256
b47270027451a262a3661ead2dc79861edca93efd096526c31c310c1b733851a mongodb-windows-x86_64-4.4.22.msi
$ sha256sum mongodb-windows-x86_64-4.4.22-signed.msi
95a021db597790008f2e7070fab4a7c3e0d30262f2305c615b95cb7b8afb4eed mongodb-windows-x86_64-4.4.22-signed.msi
$ wget -q https://fastdl.mongodb.org/windows/mongodb-windows-x86_64-5.0.18-signed.msi
$ wget -q https://fastdl.mongodb.org/windows/mongodb-windows-x86_64-5.0.18-signed.msi.sha256
$ cat mongodb-windows-x86_64-5.0.18-signed.msi.sha256
a42c5849ce363ea12cfa2dfa0ae825c302a905378afd8a8c9daf2abe34e93743 mongodb-windows-x86_64-5.0.18.msi
$ sha256sum mongodb-windows-x86_64-5.0.18-signed.msi
369e0cdc34c29290bfcc9d47569e1debad1b86010ea5e00aefd7c670717f434b mongodb-windows-x86_64-5.0.18-signed.msi
$ wget -q https://fastdl.mongodb.org/windows/mongodb-windows-x86_64-6.0.6-signed.msi
$ wget -q https://fastdl.mongodb.org/windows/mongodb-windows-x86_64-6.0.6-signed.msi.sha256
$ cat mongodb-windows-x86_64-6.0.6-signed.msi.sha256
1a593fd9a018127a8c34cfacc83fe048c984c7030ce807f300830376d5596f9d mongodb-windows-x86_64-6.0.6.msi
$ sha256sum mongodb-windows-x86_64-6.0.6-signed.msi
585afad69ec57040b1a8f502a039c3fef160dccbe6c48c53e15adde9976724a6 mongodb-windows-x86_64-6.0.6-signed.msi

 

Participants:
Story Points: 4

 Description   

Following the docs to verify the Windows msi installer, the sha256 files are all incorrect. This now happens on all released versions (4.4.22, 5.0.18, 6.0.6); previous versions worked correctly (except for the RCs of these releases). Downloaded files all match the etag (md5sum) provided in http headers.

All the msi urls are extracted from https://downloads.mongodb.org/current.json

Thank you and hopefully this is filed in the right project.
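
Added example (not part of the original report and not MongoDB's tooling): the comparison from the steps to reproduce as a script that also checks which file name the .sha256 file lists, since in the report the listed name lacks the -signed suffix of the downloaded file. The function names, verdict strings and sample file contents are constructed for illustration; it assumes a sha256sum binary on PATH.

```shell
#!/bin/sh
# verify_artifact ARTIFACT SUMFILE   (hypothetical helper, added example)
# Prints one verdict; returns 0 on digest match, 1 on mismatch, 2 on bad input.
verify_artifact() {
    artifact=$1 sumfile=$2
    [ -f "$artifact" ] && [ -f "$sumfile" ] || { echo "missing-file"; return 2; }

    # Layout as shown in the report: "<sha256 hex> <file name>".
    want= listed=
    read -r want listed < "$sumfile" || true   # tolerate a missing final newline
    want=$(printf '%s' "$want" | tr -d '\r' | tr 'A-F' 'a-f')
    listed=$(printf '%s' "$listed" | tr -d '\r')
    listed=${listed#\*}                        # sha256sum binary-mode marker

    case $want in ''|*[!0-9a-f]*) echo "malformed-checksum-file"; return 2 ;; esac
    [ "${#want}" -eq 64 ] || { echo "malformed-checksum-file"; return 2; }

    got=$(sha256sum < "$artifact" | cut -d' ' -f1)
    name=$(basename "$artifact")
    if [ "$got" = "$want" ]; then
        if [ "$listed" = "$name" ]; then echo "ok"; else echo "ok-but-listed-name-differs"; fi
        return 0
    fi
    if [ "$listed" = "$name" ]; then echo "digest-mismatch"; else echo "mismatch-checksum-names-a-different-file"; fi
    return 1
}

# Constructed sample with the same shape as the report: the checksum file is
# written from the pre-signing file, but the signed file is the one published.
demo_stale_checksum() {
    d=$(mktemp -d) || return 2
    printf 'constructed unsigned payload' > "$d/example-1.0.msi"
    printf 'constructed unsigned payload + signature' > "$d/example-1.0-signed.msi"
    ( cd "$d" && sha256sum example-1.0.msi > example-1.0-signed.msi.sha256 )
    rc=0
    verify_artifact "$d/example-1.0-signed.msi" "$d/example-1.0-signed.msi.sha256" || rc=$?
    rm -rf "$d"
    return "$rc"
}

demo_stale_checksum || true
```

A release pipeline can run the same check against the final signed artifact just before upload and fail the job on any verdict other than "ok".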



 Comments   
Comment by Githook User [ 24/May/23 ]

Author:

{'name': 'Tural Farhadov', 'email': 'tural.ferhadov@gmail.com', 'username': 'turalf'}

Message: SERVER-77383: generate checksums after signing MSIs

(cherry picked from commit 97683bf244362678d65db79b418d7f6cb5032d66)
Branch: v5.0
https://github.com/mongodb/mongo/commit/aa725cf79bb1c184a1e5c0be1b0c593e146d80c5

Comment by Githook User [ 24/May/23 ]

Author:

{'name': 'Tural Farhadov', 'email': 'tural.ferhadov@gmail.com', 'username': 'turalf'}

Message: SERVER-77383: generate checksums after signing MSIs

(cherry picked from commit 97683bf244362678d65db79b418d7f6cb5032d66)
Branch: v4.4
https://github.com/mongodb/mongo/commit/fffec156278087b44b7817587d3cb62c382e9292

Comment by Githook User [ 24/May/23 ]

Author:

{'name': 'Tural Farhadov', 'email': 'tural.ferhadov@gmail.com', 'username': 'turalf'}

Message: SERVER-77383: generate checksums after signing MSIs

(cherry picked from commit 97683bf244362678d65db79b418d7f6cb5032d66)
Branch: v6.3
https://github.com/mongodb/mongo/commit/9397cb8e3b0ad40d2c7dc3d55cd085280058a895

Comment by Githook User [ 24/May/23 ]

Author:

{'name': 'Tural Farhadov', 'email': 'tural.ferhadov@gmail.com', 'username': 'turalf'}

Message: SERVER-77383: generate checksums after signing MSIs

(cherry picked from commit 97683bf244362678d65db79b418d7f6cb5032d66)
Branch: v6.0
https://github.com/mongodb/mongo/commit/6274578ebc405716574642d6ed18939bd866a712

Comment by Githook User [ 23/May/23 ]

Author:

{'name': 'Tural Farhadov', 'email': 'tural.ferhadov@gmail.com', 'username': 'turalf'}

Message: SERVER-77383: generate checksums after signing MSIs

(cherry picked from commit 97683bf244362678d65db79b418d7f6cb5032d66)
Branch: v7.0
https://github.com/mongodb/mongo/commit/3674bd72d44ac8b2685383f4bb676eab6057fcc3

Comment by Tural Farhadov [ 23/May/23 ]

We had a bug we missed in the checksum generation. It should all be fixed now. Thanks for reporting this!

Comment by Githook User [ 23/May/23 ]

Author:

{'name': 'Tural Farhadov', 'email': 'tural.ferhadov@gmail.com', 'username': 'turalf'}

Message: SERVER-77383: generate checksums after signing MSIs
Branch: master
https://github.com/mongodb/mongo/commit/97683bf244362678d65db79b418d7f6cb5032d66

Comment by Chris Kelly [ 23/May/23 ]

Thanks for the report joseph.ferguson@docker.com! I'm passing this along to the relevant team to take a look. 

Generated at Thu Feb 08 06:35:22 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.