[Bug 1890006] Re: Hash mismatch on "apt update"

Julian Andres Klode 1890006 at bugs.launchpad.net
Sun Aug 2 13:33:30 UTC 2020 

Don't see any reason for any apport collecting here.

This needs a clean reproducer or someone with the issue to do the work
to analyse what's wrong.

Looking at the bug report, the output from the reproducer matches that
of the commandline tools?

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1890006

Title:
  Hash mismatch on "apt update"

Status in apt package in Ubuntu:
  New

Bug description:
  This is a really weird bug that is happening on Ubuntu 20.04 LTS (Live
  ISO!!!) and Kali 2020.2, but not Debian 10 (so, it affects at least
  apt 2.0.2ubuntu0.1 and does not affect 1.8.2.1). It also only occurs
  on a single PC (as far as I know). All testing was done in Virtualbox
  and moving VM's to another PC fixed issue (without changing anything
  inside the VM).

  On running "apt update", there is an error "Hash Sum mismatch" which
  shows that SHA1 and SHA256 hashes differ from expected (while MD5 and
  file size is correct). E.g.:

    Hash Sum mismatch
    Hashes of expected file:
     - Filesize:314536 [weak]
     - SHA256:aa1c6c96b09a0c695dc475d99b407c675e564fbfe51b3e26230c6320b45666d0
     - SHA1:4f438d7e0c78dfb0486f86dc0a3dba30575eb617 [weak]
     - MD5Sum:5269212c54feb3dceabadb66583f6778 [weak]
    Hashes of received file:
     - SHA256:f47a968e7a10aff91df8b1d3f682ce11d161ff1b17056268b9ae1c10447523b2
     - SHA1:2839e062232ed234d0c04e60fe6b2a687c950e5b [weak]
     - MD5Sum:5269212c54feb3dceabadb66583f6778 [weak]
     - Filesize:314536 [weak]

  I ran packet capture and extracted archives which are getting
  verified. All of their hashes are correct (exactly as expected).

  It seems that calculating SHA1 and SHA256 the way APT does it produces
  wrong result, while running command line tools sha1sum and sha256sum
  (on the same PC inside the same VM) produces correct result.

  I wrote the minimal reproducible example (hashtest.cc) that produces
  output such as this:

  Calculating hashes same way apt does.

   - MD5Sum:c89b13b76197d0d554400e00e46c0740
   - SHA1:f6901a4486e69a1f503401daa02b520f1b0e22ba
   - SHA256:9075301b3961aca23b69bf2868a18dca184b383a0ec1de35516f0a8a182c2cb6
   - SHA512:7506f6f5c5d5e97f8c6ecac2489e7d6260002bd530370c6193a04620f94285dca0f5cf2bb9ead40afbd72fdf3a239349a57f81165b5b857af6ad7ddeab8da036
   - Checksum-FileSize:892549

  Calculating hashes through command line tools.

   - md5sum: c89b13b76197d0d554400e00e46c0740
   - sha1sum: f6901a4486e69a1f503401daa02b520f1b0e22ba
   - sha256sum: 9075301b3961aca23b69bf2868a18dca184b383a0ec1de35516f0a8a182c2cb6
   - sha512sum: 7506f6f5c5d5e97f8c6ecac2489e7d6260002bd530370c6193a04620f94285dca0f5cf2bb9ead40afbd72fdf3a239349a57f81165b5b857af6ad7ddeab8da036

  It's in the attachment alongside with an example file that causes this
  hash mismatch. There's also debug.log which contains various versions,
  etc (although as I said, it has been verified on latest Ubuntu Live
  ISO).

  I have a suspicion that the bug is in the gcrypt library, not apt
  itself, but I haven't yet verified it. The libgcrypt20 version in
  Ubuntu is 1.8.5-5ubuntu1 (in Kali as well), while Debian 10 (which
  isn't affected) uses 1.8.4-5.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1890006/+subscriptions

More information about the foundations-bugs mailing list