Integrity doesn't match to checksum: not decompressing the xz stream? #128
It must be your Please share the full console output of |
Well, actually all of the payloads were indeed correct and fully complete. The issue, as I mentioned above, is that the stream is not decompressed before calculating the checksum. On my end, I modified the source code so that if the initial checksum fails, it tries to decompress the payload with xz, bz2, and gz before giving up. I found that almost all the payloads passed the checksum when first decompressed with xz, and the other four passed when decompressed with bz2. For the time being, I'll be using my own modified version--sometime I will push my fork to show you what I did. I'll try to get you the console output when I have time, but just be aware of the above. I don't know too much about Debian packaging, but something tells me I can't be the only one with this problem. I wonder if I'm missing a dependency or something... |
I doubt they were correct. But that's something you'll have to verify.
It could well be the case. Since you mentioned now that you don't know much about Debian, how did you install the Anyways... I took your signature file and ran it locally. And it worked all proper here.
The file size looks fine below.
And the installation went fine.
|
I didn't really install the package to the system but rather just ran the source directly from the git repository. The reason I did this was similar to the bootstrap issue (#88). I did not have a way to install apt-offline through apt, since my computer has no networking interfaces. I attached the results of the get operation.
|
Okay!!! SO it is downloading with archive type What version of |
I don't think the issue has anything to do with In your case, as is reported by |
I am running Python 3.6.9 on the host computer and 3.7.3 on the offline computer. I know you think that the downloads are somehow corrupted, but that is not the case. For example, the checksum e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 that you quoted above for the file However, the file at If you do not believe what I said above about the 32-byte files, you can do a little experiment. I included the binary blob of these 32-byte files below. You can see the XZ header in the bytes as well.
Result:
As you can see, the data decompresses without error to a bytes object of length 0, and after decompressing it, the SHA-256 hash matches. I've attached the full update signature file and the corresponding files that were downloaded. Perhaps this will help you understand what is happening. Thanks so much for trying to understand this issue! I really appreciate apt-offline and just want to see it get better! |
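The fallback described in this thread (hash the file as downloaded, then retry on its xz, bz2 and gz decompressed forms), as an added example that is not apt-offline's code or the commenter's patch. The names `verify`, `CODECS` and `MAX_OUTPUT`, and the cap on decompressed size, are assumptions made here; the sample payload is constructed.

```python
import bz2
import hashlib
import lzma
import zlib

# SHA-256 of zero bytes, the value quoted in this thread.
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
MAX_OUTPUT = 64 * 1024 * 1024  # assumed cap on decompressed size

CODECS = (
    ("xz", lzma.LZMADecompressor),
    ("bz2", bz2.BZ2Decompressor),
    ("gz", lambda: zlib.decompressobj(wbits=31)),  # 31 = gzip framing
)

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def verify(payload, expected, limit=MAX_OUTPUT):
    """Return which form of payload matches expected: 'raw', 'xz', 'bz2', 'gz' or None."""
    if sha256_hex(payload) == expected:
        return "raw"
    for name, make in CODECS:
        decomp = make()
        try:
            # Ask for one byte over the cap so an oversized stream is detectable.
            data = decomp.decompress(payload, limit + 1)
        except (lzma.LZMAError, OSError, zlib.error):
            continue  # payload is not in this format
        # Reject truncated streams (eof not reached) and output over the cap.
        if decomp.eof and len(data) <= limit and sha256_hex(data) == expected:
            return name
    return None

# Constructed sample: an xz stream holding zero bytes of content.
XZ_EMPTY = lzma.compress(b"")

if __name__ == "__main__":
    print(len(XZ_EMPTY), "bytes on disk, raw sha256:", sha256_hex(XZ_EMPTY))
    print("matches expected hash as:", verify(XZ_EMPTY, EMPTY_SHA256))
```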
Hey!! Sorry. I haven't been on top of this issue. To really understand your issue, I need to re-produce it, which I haven't been able to. And time isn't in abundance. It turns out you fairly understand the problem now. So just propose a patch and probably that'll give me a better understanding of the problem at hand. PS: It is not about I don't believe you. :-) It is just that my time is very limited lately, for good reasons, as the major chunk now gets devoted to family life. And thus, I haven't been able to pay enough attention to this issue, as much as it needs. |
A simpler way to see the problem is to look here: http://security.debian.org/dists/buster/updates/InRelease I'll take this chunk of the SHA-256 hashes as an example:
It seems like apt-offline is trying to match the file contents of You can verify the hashes with my previous comment here -- they are the same! (Edited to use one of the files mentioned earlier in the issue) |
Thank you for the pointer. That could possibly be a bug somewhere there. I will try to investigate it. |
Note to self so that I don't forget: Probably what needs a closer look is |
Hello, I'm a first-time user of apt-offline, and I'm having problems running apt-offline install (for just an apt update) on a Debian 10 system. I was able to do an `apt-offline get` just fine on an online system, but it doesn't appear to install properly on the offline system.

If I run `apt-offline install ./apt-offline-download`, I get the following output:

At first glance, that seemed to work. However, I noticed that `apt` was unaware of any of those packages. After running the same command with the `--verbose` flag, I got some errors saying that the integrity doesn't match to the SHA-256 checksum:

Taking a closer look at the file hashes, I see that a common one in the output above is `e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`. That is the empty hash. I don't have any empty files in the `apt-offline-download` folder, though, and the temporary folder it is working in seems to have the same files as those in my `apt-offline-download` folder.

The first file (with that hash above), which in this case is `/tmp/tmpxz6u9k71/deb.debian.org_debian_dists_buster-updates_contrib_binary-all_Packages`, is 32 bytes in size. It turns out that all of these files are compressed with an xz stream, and I'm guessing the issue is that apt-offline is not decompressing them. Decompressing the stream by running `xz -d [filename]` shows that it decompresses to the empty file, which has the current hash and probably would have been accepted by apt-offline.

So I think this is where the error with not actually syncing comes from.

Here is the signature in question:

Let me know if you need any more information. Thanks!