How to verify downloaded source code? Filename monero-source-v0.18.4.4.tar.bz2 in hashes.txt file does not match the file on GitHub release page (.gz instead of .bz2)

FruitlessOrangutan
I want to build monerod from source, and would like to start with verifying the hash of the downloaded source code file.

Looking here https://github.com/monero-project/monero/releases where it says "A GPG-signed list of the hashes is at https://getmonero.org/downloads/hashes.txt and should be treated as canonical".

The file at https://getmonero.org/downloads/hashes.txt has the following line for the source tarball:

84570eee26238d8f686605b5e31d59569488a3406f32e7045852de91f35508a2 monero-source-v0.18.4.4.tar.bz2

But the source code file available on GitHub is "monero-0.18.4.4.tar.gz" (.gz rather than .bz2).

So I'm confused.

The GitHub release page does not contain the "monero-source-v0.18.4.4.tar.bz2" file, but instead another file for which there is no hash that can be verified?

xmrRedux Donor - Supporter Verified
Find the link for "Source Code (archive)" (https://downloads.getmonero.org/cli/source) under the CLI downloads section.

This currently redirects to https://downloads.getmonero.org/cli/monero-source-v0.18.4.4.tar.bz2

Then check the file against the hashes found in https://getmonero.org/downloads/hashes.txt

> sha256sum --ignore-missing --check hashes.txt

monero-source-v0.18.4.4.tar.bz2: OK
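An added example (not from the thread or the Monero project) that goes one step beyond the command above: it checks the GPG signature on hashes.txt first and compares the download only against the signed text, failing when the file name has no entry, as with the GitHub .tar.gz. It assumes the Monero release signing key is already in the local GnuPG keyring with its fingerprint checked; the function names and the script name verify.sh are this example's own.

```shell
#!/usr/bin/env bash
# Added example; function names are this example's own.
# Assumption: the release signing key is already in the GnuPG keyring and
# its fingerprint was checked out-of-band.

# lookup_hash LIST NAME: print the SHA-256 listed for exactly NAME.
# Fails unless NAME has exactly one entry, so a file that is not in the
# list (such as a .tar.gz) is never reported as verified.
lookup_hash() {
    awk -v name="$2" '
        length($1) == 64 && $1 !~ /[^0-9a-f]/ && $2 == name { print $1; n++ }
        END { if (n != 1) exit 1 }' "$1"
}

# check_file LIST FILE: compare FILE's SHA-256 with its entry in LIST.
# LIST must be text that passed the signature check, not the raw download.
check_file() {
    local name expected actual
    name=$(basename "$2")
    expected=$(lookup_hash "$1" "$name") || {
        echo "$name: no unique entry in the signed list" >&2; return 2; }
    actual=$(sha256sum "$2" | awk '{ print $1 }')
    [ "$actual" = "$expected" ] || {
        echo "$name: FAILED (hash mismatch)" >&2; return 1; }
    echo "$name: OK"
}

# verify_release HASHES_TXT FILE: verify the clearsigned list, then FILE.
verify_release() {
    local body rc
    body=$(mktemp) || return 3
    # gpg writes only the text covered by the signature to $body and exits
    # non-zero when the signature does not verify; lines added outside the
    # signed block never reach check_file.
    if gpg --batch --yes --output "$body" --decrypt "$1"; then
        check_file "$body" "$2"; rc=$?
    else
        echo "$1: signature check failed" >&2; rc=3
    fi
    rm -f "$body"
    return "$rc"
}

# Run as: bash verify.sh hashes.txt monero-source-v0.18.4.4.tar.bz2
# (verify.sh is a placeholder name for this file)
if [ "$#" -eq 2 ]; then verify_release "$@"; fi
```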

FruitlessOrangutan
Reply to post #669
Thanks!

So you're saying basically just use what's on getmonero.org and ignore GitHub. That's good, I can do that.

But then I wonder, what's the point of having a GitHub release page, if the artifacts there cannot be verified? It would be fine if the files published on the GitHub releases page were identical to the files on getmonero.org - then that would have a value in that it adds redundancy (when getmonero.org is down you could get the files from GitHub instead). But as it is now, what's the point? It seems bad because GitHub (Microsoft) can publish a compromised version of the code there and fool people into installing it.