Closed Bug 607978 Opened 14 years ago Closed 12 years ago

Include MD5 and SHA1 Checksums for Partial .mar Files

Categories

(Release Engineering :: General, enhancement, P2)

enhancement

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: david, Assigned: rail)

References

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.15) Gecko/20101027 SeaMonkey/2.0.10
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101027 Thunderbird/3.1.6

Please include MD5 and SHA1 hashes for partial .mar files in the respective MD5SUMS and SHA1SUMS files.

I maintain an archive of software updates for my PC and log each update as it is installed (a habit developed when I was in charge of configuration management for a large software project for the U.S. military).  For Thunderbird, this means I download the partial .mar file via FTP and then install the patch using a script I developed.


Reproducible: Always




Since the checksums are already provided for the complete .mar files, it should not be difficult to include the checksums for the partial .mar files.
By the way, checksums for partial .mar files are included in the MD5SUMS and SHA1SUMS files for SeaMonkey updates.
I suspect SeaMonkey is using a slightly different signing mechanism/method to everyone else, though I'm not sure.

In any case, although this was raised for Thunderbird, I'm moving this to mozilla.org / Release Engineering - the reason being is that I believe they aren't currently included in the checksum list due to the way automation works. A change to this would affect Firefox as well, and Thunderbird generally picks up the Firefox automation system.
Component: Build Config → Release Engineering
OS: Windows XP → All
Product: Thunderbird → mozilla.org
QA Contact: build-config → release
Hardware: x86 → All
Version: unspecified → other
Could this be taken care of by bug 607396?  The goal of that bug is to end up with a file containing checksums beside the mars and repacked installers.
I'm not sure about bug 607396.  It seems to address SHA512 hashcodes.  I don't have an application for checking SHA512 hashcodes.  

Yes, I understand there are concerns about MD5 and SHA1.  Those concerns revolve around the weakness of those hashcodes for verifying authenticity.  However, I use them for verifying integrity, that files have not become corrupted during downloads or other transmissions.  For that purpose, MD5 and SHA1 are still quite useful.
(In reply to comment #4)
> I'm not sure about bug 607396.  It seems to address SHA512 hashcodes.  I don't
> have an application for checking SHA512 hashcodes.  
> 
> Yes, I understand there are concerns about MD5 and SHA1.  Those concerns
> revolve around the weakness of those hashcodes for verifying authenticity. 
> However, I use them for verifying integrity, that files have not become
> corrupted during downloads or other transmissions.  For that purpose, MD5 and
> SHA1 are still quite useful.

David, do you have openssl installed?  If so, you can use the openssl binary as below to get the sha512 checksum on your consumer.

[jhford@mobile-image01 ~]$ openssl sha512 debian-506-i386-netinst.iso 
SHA512(debian-506-i386-netinst.iso)= d25dae20cbd0d132c5d9627902f2779c12b8ba297bf36013ee850fb7d9572f18b39fbc875cc4a294879c57e797e56509967170d13e20c1aff69f97b3a7a7266e

As well, you could use the script that generates the checksums in the first place if that is easier http://mxr.mozilla.org/mozilla-central/source/build/checksums.py

Does that satisfy your need?
I am using Windows XP SP3 on a PC.  The solutions in comment #5 appear to apply to Linux and possibly UNIX.
(In reply to comment #6)
> I am using Windows XP SP3 on a PC.  The solutions in comment #5 appear to apply
> to Linux and possibly UNIX.

David, openssl is available for lots of platforms, including windows.  As well, the script that I referenced, checksums.py, is what we run every build for all of our platforms (including windows) to generate the SHA512 checksums.  This script has a very simple  interface.  It requires python with a working hashlib module.

To generate the sha512 checksums of an arbitrary file, you could run:

wget http://hg.mozilla.org/mozilla-central/raw-file/tip/build/checksums.py
(you could also use firefox to download this file)
python checksums.py -o output_file -d sha512 firefox-4.0b8pre.en-GB.linux-x86_64.tar.bz2

This will result in a file with contents like:
c6afe<snip>e1daf sha512 14918099 firefox-4.0b8pre.en-GB.linux-x86_64.tar.bz2

If you want OpenSSL on windows, there are a number of ways to obtain it, google has lots of suggestions including at least GnuWin32, cygwin and native versions.  

The openssl main site does provide links for a native compiled version of openss, http://www.openssl.org/related/binaries.html.

I closing this as a dupe of 578393 because it details how we added information to solve this problem.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
bug 578393 isn't going to get us checksums for partial MARs for releases. Those MARs are generated later in the process. When we get around to bug 607389 we should have partial MAR checksums without additional work.
Per comment #8, this is not a duplicate of bug #578393.
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
Likely to be solved by bug 607389 per my earlier comment, marking it as such.
Blocks: 607389
Priority: -- → P4
Assignee: nobody → rail
Priority: P4 → P2
This is fixed by bug 708656 and available in 11.0b1
Status: REOPENED → RESOLVED
Closed: 14 years ago12 years ago
Resolution: --- → FIXED
I finally see the effects of this implementation.  

To everyone who contributed:  THANK YOU.
Product: mozilla.org → Release Engineering
You need to log in before you can comment on or make changes to this bug.