
Wrong SHA256 checksum for mbedtls-2.7.19.tar.gz shown on release page #4225

Closed
misch7 opened this issue Mar 12, 2021 · 3 comments

@misch7
Contributor

misch7 commented Mar 12, 2021

Hey,

thanks for providing the latest releases.

The SHA256 checksum shown at the release page is incorrect:
https://github.com/ARMmbed/mbedtls/releases/tag/v2.7.19

I've compared the mbedtls-2.7 branch with the provided mbedtls-2.7.19.tar.gz and their contents are identical, with the resulting correct checksum for the .tar.gz:
3da12b1cebe1a25da8365d5349f67db514aefcaa75e26082d7cb2fa3ce9608aa

However, the listed checksum for the zip archive is correct.

Greetings,
Michael

@daverodgman
Contributor

We've double-checked the checksums for 2.7.19 - they are correct. I've also unpacked the tar.gz and the .zip - the contents are identical. Can you please provide more details about how you got this checksum?

@gilles-peskine-arm
Contributor

Under “Mbed TLS 2.7.19”, the release identified by the tag v2.7.19, there are two “Assets”: “Source code (zip)” and “Source code (tar.gz)”. The link for the zip is https://github.com/ARMmbed/mbedtls/archive/v2.7.19.zip, which redirects to https://codeload.github.com/ARMmbed/mbedtls/zip/v2.7.19, which serves a header saying that the file name when downloaded should be mbedtls-2.7.19.zip:

content-disposition: attachment; filename=mbedtls-2.7.19.zip

I double-checked this file on a non-work machine to be sure and it has the sha256sum from the release announcement: 0f83d43f7de8866820d41db398b6640c8baebb358819223f9b2b3502f77db3d7.

Separately, GitHub generates an archive for the tag mbedtls-2.7.19, which it lists on the release page with a discreet header “mbedtls-2.7.19”. This one has a zip link pointing to https://github.com/ARMmbed/mbedtls/archive/mbedtls-2.7.19.zip which redirects to https://codeload.github.com/ARMmbed/mbedtls/zip/mbedtls-2.7.19 which serves a header saying that the file name when downloaded should be mbedtls-mbedtls-2.7.19.zip. This file has different toplevel directory names from the official zip (mbedtls-mbedtls-2.7.19 rather than mbedtls-2.7.19), so it has a different checksum (07bb171df9079c8a2da11d5585512263a7bbdfa051bfc41c212058b80924c0e8).

Is this what you're seeing? It's the same for the tar.gz files.

These additional archives and confusing names are an unfortunate consequence of the way GitHub very strongly believes that release tags should be called v followed by a number, which is not the convention Mbed TLS (or most projects that I'm familiar with) follows. We've looked for a way to avoid these redundant archives, but in vain so far.
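The mechanism described above (two archives of the same tree that differ only in the top-level directory name, and therefore in checksum) is easy to reproduce offline. The following is an added example, not code from this thread or from the Mbed TLS project: it builds two in-memory .tar.gz files from a constructed sample tree under the two folder names GitHub uses, shows that their SHA-256 values differ, computes a digest of the extracted contents with the top-level directory stripped so the two can be compared the way the comments above did by unpacking, and parses the filename out of a Content-Disposition header value like the one quoted. The sample file names and contents are made up.

```python
"""Added example (not part of the issue thread or the Mbed TLS project):
show why two GitHub-generated archives of the same tree hash differently
when only the top-level directory name differs, and how to compare the
extracted contents instead of the archive bytes. All archives here are
constructed in memory; the file names and contents are made up."""
import gzip
import hashlib
import io
import tarfile
from email.message import Message


def build_tar_gz(top_dir: str, files: dict) -> bytes:
    """Build a deterministic .tar.gz whose entries live under top_dir/.
    Timestamps are pinned to 0 so only names and contents affect the bytes."""
    raw = io.BytesIO()
    with gzip.GzipFile(fileobj=raw, mode="wb", mtime=0) as gz:
        with tarfile.open(fileobj=gz, mode="w") as tar:
            for rel_path, data in sorted(files.items()):
                info = tarfile.TarInfo(f"{top_dir}/{rel_path}")
                info.size = len(data)
                info.mtime = 0
                tar.addfile(info, io.BytesIO(data))
    return raw.getvalue()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def content_digest(archive: bytes) -> str:
    """Hash of the extracted tree with the top-level directory stripped:
    each regular file contributes its path (relative to the top-level dir)
    and its SHA-256, in sorted order. Two archives of the same tree get
    the same digest regardless of how the top-level folder was named."""
    entries = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            # "mbedtls-2.7.19/library/ssl_tls.c" -> "library/ssl_tls.c"
            rel = member.name.split("/", 1)[1] if "/" in member.name else member.name
            data = tar.extractfile(member).read()
            entries.append((rel, sha256_hex(data)))
    h = hashlib.sha256()
    for rel, digest in sorted(entries):
        h.update(f"{rel}\0{digest}\n".encode())
    return h.hexdigest()


def filename_from_content_disposition(header_value: str) -> str:
    """Parse the filename out of a Content-Disposition header value such as
    'attachment; filename=mbedtls-2.7.19.zip' (the form quoted in the thread)."""
    msg = Message()
    msg["Content-Disposition"] = header_value
    return msg.get_filename()


# Constructed sample tree standing in for a release checkout (made-up content).
SAMPLE_TREE = {
    "README.md": b"# sample\n",
    "library/ssl_tls.c": b"int main(void) { return 0; }\n",
}

# The same tree under the two top-level names GitHub produces for the tags
# "v2.7.19" (folder mbedtls-2.7.19) and "mbedtls-2.7.19" (folder mbedtls-mbedtls-2.7.19).
ARCHIVE_V = build_tar_gz("mbedtls-2.7.19", SAMPLE_TREE)
ARCHIVE_DOUBLE = build_tar_gz("mbedtls-mbedtls-2.7.19", SAMPLE_TREE)


def archives_differ_but_trees_match() -> bool:
    """True when the archive checksums differ while the tree digests agree."""
    return (sha256_hex(ARCHIVE_V) != sha256_hex(ARCHIVE_DOUBLE)
            and content_digest(ARCHIVE_V) == content_digest(ARCHIVE_DOUBLE))


if __name__ == "__main__":
    for name, blob in (("mbedtls-2.7.19", ARCHIVE_V), ("mbedtls-mbedtls-2.7.19", ARCHIVE_DOUBLE)):
        print(f"{name:24s} archive={sha256_hex(blob)[:16]}... tree={content_digest(blob)[:16]}...")
    print("filename:", filename_from_content_disposition("attachment; filename=mbedtls-2.7.19.zip"))
```

When checking a downloaded release against a published checksum, compare the archive bytes exactly as published; the stripped-prefix digest is only a tool for confirming that two differently named archives really contain the same tree, as the comments above did by unpacking both.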

@misch7
Contributor Author

misch7 commented Mar 15, 2021

Thanks for checking back @daverodgman and for the details @gilles-peskine-arm. Yeah, I'm aware of the versioning (v) implications on GitHub, I just didn't know they insist on sticking with that so heavily.

Actually it's pretty weird; I did the same now and the checksum is correct. At the time of opening this issue, of course, I triple-checked the checksum because I didn't want to raise any false alarms.

What I did:

  • Using this release page link: https://github.com/ARMmbed/mbedtls/releases/tag/v2.7.19
  • At the bottom, download the Source code (tar.gz) https://github.com/ARMmbed/mbedtls/archive/v2.7.19.tar.gz -> Location: https://codeload.github.com/ARMmbed/mbedtls/tar.gz/v2.7.19
  • Which this time downloads mbedtls-2.7.19.tar.gz with the correct checksum 9a6e0b0386496fae6863e41968eb308034a74008e775a533750af483a38378d0 as shown and as you stated.

When I did exactly the same three days ago, I got a file mbedtls-mbedtls-2.7.19.tar.gz with the 3da12b1ce... checksum I originally mentioned. Back then I downloaded the archive multiple times to check again. Strangely, now everything is fine. Must be due to the deep mysteries of GitHub and/or my confusion.

This looks pretty much like it fits your description of the separate archive with the double mbedtls-mbedtls-, despite the fact that I used the identical page link now and back then: https://github.com/ARMmbed/mbedtls/releases/tag/v2.7.19

However, sorry for the noise. I was just a bit concerned due to the security-critical nature of the library. Thanks again :)

@misch7 misch7 closed this as completed Mar 15, 2021