MD5 or SHA256 Hash/Checksum not matching sonar-scanner-cli ZIP file downloads

From this site: Index of /Distribution/sonar-scanner-cli
Downloaded: sonar-scanner-cli-4.6.2.2472-linux.zip
Also downloaded: sonar-scanner-cli-4.6.2.2472-linux.zip.md5
Also downloaded: sonar-scanner-cli-4.6.2.2472-linux.zip.sha256

Neither checksum matches the linux.zip download. Tried the same steps with the Windows zip file, just as a test, and those do not match either.

Used both the Win10 ‘PowerShell’ method and the Win10 ‘certutil’ method to generate checksums on the downloaded sonar-scanner-cli ZIP files… which we use on all downloads. This is a rare time when the values do not match.

Suggestions?

Hi Scott,

Welcome to the community.
I checked the checksums and signatures. All of them are valid:

❯ echo -en "$(cat sonar-scanner-cli-4.6.2.2472-linux.zip.md5) sonar-scanner-cli-4.6.2.2472-linux.zip" | md5sum -c - 
sonar-scanner-cli-4.6.2.2472-linux.zip: OK

❯ echo -en "$(cat sonar-scanner-cli-4.6.2.2472-linux.zip.sha1) sonar-scanner-cli-4.6.2.2472-linux.zip" | sha1sum -c -
sonar-scanner-cli-4.6.2.2472-linux.zip: OK

❯ echo -en "$(cat sonar-scanner-cli-4.6.2.2472-linux.zip.sha256) sonar-scanner-cli-4.6.2.2472-linux.zip" | sha256sum -c -
sonar-scanner-cli-4.6.2.2472-linux.zip: OK

❯ gpg --verify sonar-scanner-cli-4.6.2.2472-linux.zip.asc
gpg: assuming signed data in 'sonar-scanner-cli-4.6.2.2472-linux.zip'
gpg: Signature made Fr 07 Mai 2021 14:17:10 CEST
gpg:                using RSA key 2B1042677FD8190C7B9FC0DC2161D72E7DCD4258
gpg: Good signature from "SonarSource S.A. <infra@sonarsource.com>" [ultimate]

If this is not the case on your side, you need to assume that the files are being manipulated during download.

Hello,

Thank you for the feedback.

This is quite odd. I (we) download 10-12 items per week, same process, same web browsers, same everything… and in 13 years never had a mismatch with any product. Here, nothing matches, yet your process for testing shows all is OK.

I have tried 3 different web browsers, on different days, from different workstations… all my results are the same, and all are mismatches.

UPDATE – FYI.

Extensive tests resulted in finding the issue.

Note that we are air-gapped, and we are downloading the ‘scanner-cli’ (for Linux) ZIP file to Internet-connected Win10 systems… verifying the checksum there… before then burning the SQ product to media to get them to the production (Linux) networks.

The reason for the mismatch on the checksum values (regardless of which checksum value was used) was:

The web-browser used to download the “sonar-scanner-cli” ZIP file… MATTERED!

  • Chrome: good download (Download size: 42,090 KB)
  • Firefox: bad download (Download size: 42,110 KB)
  • Edge: bad download (Download size: 42,110 KB)

There was a small size difference for all ZIP file downloads done with FFox or Edge as compared to the download via Chrome.

Oddly, the ZIP file itself was the only item that had a different sized download based on the browser used. The checksum files themselves (albeit simple text files) are all the same regardless of the browser used.

Edge and FFox produced identical results in their download of the ZIP file (and identical checksum values). But Chrome’s download differed and matched the staged MD5 and SHA256 checksum files.


Hi @smhodgeNG

I am happy to hear that you solved the issue.
On a Linux machine I cannot confirm the issue in any of the listed browsers. It seems to be a specific issue within your setup.
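
The check discussed in this thread, written for a Windows staging machine as an added example that is not code posted by any participant: it compares a download against the .md5/.sha1/.sha256 files published beside it and reports the byte size, since a size difference was the clue here. The function name Test-DownloadChecksum, the sidecar naming and the temp-file demo are assumptions.

```powershell
# Added example (not from the thread). Assumes sidecar files are named
# <download>.md5 / .sha1 / .sha256 and sit next to the download.
function Test-DownloadChecksum {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $Algorithm = @('MD5', 'SHA1', 'SHA256')
    )
    $file = Get-Item -LiteralPath $Path -ErrorAction Stop
    foreach ($alg in $Algorithm) {
        $sidecar = '{0}.{1}' -f $file.FullName, $alg.ToLowerInvariant()
        $expected = $null; $actual = $null
        if (-not (Test-Path -LiteralPath $sidecar)) {
            $status = 'NoSidecar'
        } else {
            # A sidecar may hold only the digest or "digest  filename"; keep the first token.
            $text = [string](Get-Content -LiteralPath $sidecar -Raw)
            $expected = ($text.Trim() -split '\s+')[0].ToLowerInvariant()
            $actual = (Get-FileHash -LiteralPath $file.FullName -Algorithm $alg).Hash.ToLowerInvariant()
            if ($expected -notmatch '^[0-9a-f]+$' -or $expected.Length -ne $actual.Length) {
                $status = 'BadSidecar'   # e.g. an HTML error page saved under the sidecar name
            } elseif ($expected -ceq $actual) {
                $status = 'OK'
            } else {
                $status = 'MISMATCH'
            }
        }
        # Bytes is reported so downloads from different browsers can be compared by size too.
        [pscustomobject]@{
            Algorithm = $alg; Status = $status; Bytes = $file.Length
            Expected = $expected; Actual = $actual
        }
    }
}

# Constructed demo: a throwaway file stands in for the ZIP, with a sidecar made from it.
$demo = Join-Path ([IO.Path]::GetTempPath()) 'checksum-demo.zip'
[IO.File]::WriteAllBytes($demo, [byte[]](1..200))
(Get-FileHash -LiteralPath $demo -Algorithm SHA256).Hash.ToLower() | Set-Content -LiteralPath "$demo.sha256"
Test-DownloadChecksum -Path $demo -Algorithm SHA256

# Append 20 bytes to imitate a download that arrived with a different size, then re-check.
[byte[]] $bytes = [IO.File]::ReadAllBytes($demo) + [byte[]](1..20)
[IO.File]::WriteAllBytes($demo, $bytes)
Test-DownloadChecksum -Path $demo -Algorithm SHA256
Remove-Item -LiteralPath $demo, "$demo.sha256"
```

Against the real download the call would be `Test-DownloadChecksum -Path .\sonar-scanner-cli-4.6.2.2472-linux.zip`, run once per browser's copy so the Bytes and Status columns can be compared side by side.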
