GNU bug report logs - #62403
checksums --check (sha256sum, sha1sum) return file: OK when they shouldn't

Previous Next

Package: coreutils;

Reported by: Moviuro <moviuro.gnu <at> popho.be>

Date: Thu, 23 Mar 2023 09:37:01 UTC

Severity: normal

Done: Pádraig Brady <P <at> draigBrady.com>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Moviuro <moviuro.gnu <at> popho.be>
Subject: bug#62403: closed (Re: bug#62403: checksums --check (sha256sum,
 sha1sum) return file: OK when they shouldn't)
Date: Thu, 23 Mar 2023 12:44:01 +0000

[Message part 1 (text/plain, inline)]
Your bug report

#62403: checksums --check (sha256sum, sha1sum) return file: OK when they shouldn't

which was filed against the coreutils package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 62403 <at> debbugs.gnu.org.

-- 
62403: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=62403
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems

[Message part 2 (message/rfc822, inline)]
From: Pádraig Brady <P <at> draigBrady.com>
To: Moviuro <moviuro.gnu <at> popho.be>, 62403-done <at> debbugs.gnu.org
Subject: Re: bug#62403: checksums --check (sha256sum, sha1sum) return file: OK
 when they shouldn't
Date: Thu, 23 Mar 2023 12:43:04 +0000

[Message part 3 (text/plain, inline)]
On 23/03/2023 09:32, Moviuro via GNU coreutils Bug Reports wrote:
> Hello,
> 
> This report was first found on r/archlinux:
> 
> % echo "123" > 1
> % echo "1234" > 2
> % echo "abc" > 3
> % sha256sum 1 2 3 > sums.sha256
> % sha1sum 1 2 3 > sums.sha1
> % echo "123" > 2 # break file 2
> 
> % sha256sum -c sums.sha256 # returns 2: OK (incorrect)
> % sha1sum -c sums.sha1 # returns 2: OK
> 
> % tail -n 2 sums.sha256 | sha256sum -c # returns 2: FAILED (correct)
> % tail -n 2 sums.sha1 | sha1sum -c # returns 2: FAILED
> 
> See https://redd.it/11zdecf .
> 
> Someone pointed at this commit, though I'm unable to confirm that:
> https://git.savannah.gnu.org/cgit/coreutils.git/commit/?id=b319685c6e12e66bf357c2384fe69f1c63f66aed
> 
> % sha256sum --version
> sha256sum (GNU coreutils) 9.2


The attached should fix this.
Sorry for the trouble.
Note the exit status is still OK, and so automated scripts would be unaffected,
but yes reporting the status incorrectly here to the user is a bad bug.

Marking this as done.

thanks,
Pádraig
[cksum-9.2-status.patch (text/x-patch, attachment)]
[Message part 5 (message/rfc822, inline)]
From: Moviuro <moviuro.gnu <at> popho.be>
To: bug-coreutils <at> gnu.org
Subject: checksums --check (sha256sum, sha1sum) return file: OK when they
 shouldn't
Date: Thu, 23 Mar 2023 10:32:53 +0100

Hello,

This report was first found on r/archlinux:

% echo "123" > 1
% echo "1234" > 2
% echo "abc" > 3
% sha256sum 1 2 3 > sums.sha256
% sha1sum 1 2 3 > sums.sha1
% echo "123" > 2 # break file 2

% sha256sum -c sums.sha256 # returns 2: OK (incorrect)
% sha1sum -c sums.sha1 # returns 2: OK

% tail -n 2 sums.sha256 | sha256sum -c # returns 2: FAILED (correct)
% tail -n 2 sums.sha1 | sha1sum -c # returns 2: FAILED

See https://redd.it/11zdecf .

Someone pointed at this commit, though I'm unable to confirm that:
https://git.savannah.gnu.org/cgit/coreutils.git/commit/?id=b319685c6e12e66bf357c2384fe69f1c63f66aed

% sha256sum --version
sha256sum (GNU coreutils) 9.2
Copyright (C) 2023 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<https://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by Ulrich Drepper, Scott Miller, and David Madore.

Best regards,
This bug report was last modified 2 years and 60 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.