v0.8.0 tarball sha256 change? #315

Closed
roopakv opened this issue Feb 22, 2021 · 17 comments

@roopakv

roopakv commented Feb 22, 2021

I'm attempting to update Homebrew's version of Go (Homebrew/homebrew-core#71289).

While testing the new version, CI produced the following error:

==> FAILED
==> Downloading https://github.com/google/ko/archive/v0.8.0.tar.gz
==> Downloading from https://codeload.github.com/google/ko/tar.gz/v0.8.0
Error: SHA256 mismatch
Expected: 8ecb73697915b19ae5f3a647d877656ccaaa9f46f6c5f22e81cb8763cc0a8a18
  Actual: a1b90267574102d3fb43cab7587bbe54f221e5b79ca731781a89c7d0c1f5b2ef
    File: /Users/brew/Library/Caches/Homebrew/downloads/c4c486f4e0ec600d534026b410741c7c8c34fd303b2ff15714940e8e7eeeca56--ko-0.8.0.tar.gz

I can update the sha256 associated with ko, but CI will come back to me with the following error:

ko:

  • stable sha256 changed without the url/version also changing; please create an issue upstream to rule out malicious circumstances and to find out why the file changed.

Could someone help understand why the tarball sha might have changed?

@jonjohnsonjr
Collaborator

That's very strange to me, and I'm not sure what would cause that. I don't think anyone has modified the releases or pushed over this tag. It seems to be the same

The only thing I can imagine is that updating the goreleaser to support mips (#309) might have modified the release, but not the source tarball, which seems to be the problem.

Is there anything I can do to help? E.g. tagging a v0.8.1 release?

@roopakv
Author

roopakv commented Feb 22, 2021

@jonjohnsonjr any chance any maintainer deleted the release and re-released to fix a bug? or worse any chance a maintainer had their GitHub creds stolen?

While we can release a v0.8.1 I'd be curious what happened and why it changed. It looks like #309 happened after the previous release was cut so that should not have caused the issue.

@roopakv
Author

roopakv commented Feb 22, 2021

@jonjohnsonjr one of the maintainers @chenrui333 had a pretty plausible guess. Do you remember when the branch default was switched from master to main?

@jonjohnsonjr
Collaborator

Dug into this a little bit comparing it to my local copy, found this distinction:

$ diff <(cd ko && git ls-files -s .) <(cd ko-0.8.0 && git ls-files -s .)
2547c2547
< 100644 9b4c79f89519c2b880f924cabc041278c3869625 0     vendor/k8s.io/client-go/pkg/version/base.go
---
> 100644 5a4151d2cc4d55044c9df84e043c24f883584392 0     vendor/k8s.io/client-go/pkg/version/base.go

Looking at this file:

$ diff ko/vendor/k8s.io/client-go/pkg/version/base.go ko-0.8.0/vendor/k8s.io/client-go/pkg/version/base.go 
58,59c58,59
<       gitVersion   string = "v0.0.0-master+$Format:%h$"
<       gitCommit    string = "$Format:%H$" // sha1 from git, output of $(git rev-parse HEAD)
---
>       gitVersion   string = "v0.0.0-master+82cabb40"
>       gitCommit    string = "82cabb40bae577ce3bc016e5939fd85889538e8b" // sha1 from git, output of $(git rev-parse HEAD)

This is the only difference I can tell between what's at that commit on my local filesystem and what's been downloaded from the GitHub release.

Looking at what's in the release:

$ tar -Oxf ko-0.8.0.tar.gz ko-0.8.0/vendor/k8s.io/client-go/pkg/version/base.go
/*
Copyright 2014 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package version

// Base version information.
//
// This is the fallback data used when version information from git is not
// provided via go ldflags. It provides an approximation of the Kubernetes
// version for ad-hoc builds (e.g. `go build`) that cannot get the version
// information from git.
//
// If you are looking at these fields in the git tree, they look
// strange. They are modified on the fly by the build process. The
// in-tree values are dummy values used for "git archive", which also
// works for GitHub tar downloads.
//
// When releasing a new Kubernetes version, this file is updated by
// build/mark_new_version.sh to reflect the new version, and then a
// git annotated tag (using format vX.Y where X == Major version and Y
// == Minor version) is created to point to the commit that updates
// pkg/version/base.go
var (
        // TODO: Deprecate gitMajor and gitMinor, use only gitVersion
        // instead. First step in deprecation, keep the fields but make
        // them irrelevant. (Next we'll take it out, which may muck with
        // scripts consuming the kubectl version output - but most of
        // these should be looking at gitVersion already anyways.)
        gitMajor string = "" // major version, always numeric
        gitMinor string = "" // minor version, numeric possibly followed by "+"

        // semantic version, derived by build scripts (see
        // https://git.k8s.io/community/contributors/design-proposals/release/versioning.md
        // for a detailed discussion of this field)
        //
        // TODO: This field is still called "gitVersion" for legacy
        // reasons. For prerelease versions, the build metadata on the
        // semantic version is a git hash, but the version itself is no
        // longer the direct output of "git describe", but a slight
        // translation to be semver compliant.

        // NOTE: The $Format strings are replaced during 'git archive' thanks to the
        // companion .gitattributes file containing 'export-subst' in this same
        // directory.  See also https://git-scm.com/docs/gitattributes
        gitVersion   string = "v0.0.0-master+82cabb40"
        gitCommit    string = "82cabb40bae577ce3bc016e5939fd85889538e8b" // sha1 from git, output of $(git rev-parse HEAD)
        gitTreeState string = ""            // state of git tree, either "clean" or "dirty"

        buildDate string = "1970-01-01T00:00:00Z" // build date in ISO8601 format, output of $(date -u +'%Y-%m-%dT%H:%M:%SZ')
)
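
The comparison in this comment (blob ids as printed by `git ls-files -s`, then the `$Format` lines in base.go) can be automated so that a checksum change is triaged into differences explained by `export-subst` expansion and differences that are not. The Python below is an added example, not code from this thread or from ko; the `.gitattributes` content, `README.md`, `main.go` and every function name are constructed for illustration, and only the `%H` and `%h` placeholders are expanded.

```python
"""Added example: classify tarball-vs-tag differences like the one in this thread."""
import hashlib
import io
import posixpath
import re
import tarfile

COMMIT = "82cabb40bae577ce3bc016e5939fd85889538e8b"  # v0.8.0 commit quoted in the thread
FORMAT_RE = re.compile(rb"\$Format:([^$\n]*)\$")


def git_blob_id(data: bytes) -> str:
    """Object id git gives file content; the hash column of `git ls-files -s`."""
    return hashlib.sha1(b"blob %d\x00" % len(data) + data).hexdigest()


def marked_export_subst(tree: dict, path: str) -> bool:
    """Simplified attribute lookup: only the .gitattributes beside the file,
    only literal file-name patterns (real git also walks parents and globs)."""
    folder, name = posixpath.split(path)
    attrs = tree.get(posixpath.join(folder, ".gitattributes"), b"")
    for line in attrs.decode(errors="replace").splitlines():
        fields = line.split()
        if fields and fields[0] == name and "export-subst" in fields[1:]:
            return True
    return False


def expand(data: bytes, commit: str, abbrev: int) -> bytes:
    """Expand $Format:...$ for the two placeholders seen in base.go (%H, %h).
    Any other placeholder is left untouched, so the file stays unexplained."""
    def repl(match):
        fmt = match.group(1).replace(b"%H", commit.encode())
        fmt = fmt.replace(b"%h", commit[:abbrev].encode())
        return match.group(0) if b"%" in fmt else fmt
    return FORMAT_RE.sub(repl, data)


def read_tarball(blob: bytes, prefix: str) -> dict:
    """Map path -> content for regular files under the archive's top directory."""
    files = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tar:
        for member in tar.getmembers():
            if member.isfile() and member.name.startswith(prefix):
                files[member.name[len(prefix):]] = tar.extractfile(member).read()
    return files


def compare(tag_tree: dict, archive: dict, commit: str) -> dict:
    """Sort every differing path into 'export_subst' (explained) or 'unexplained'."""
    report = {"export_subst": {}, "unexplained": [],
              "missing": sorted(set(tag_tree) - set(archive)),
              "extra": sorted(set(archive) - set(tag_tree))}
    for path in sorted(set(tag_tree) & set(archive)):
        src, got = tag_tree[path], archive[path]
        if git_blob_id(src) == git_blob_id(got):
            continue
        # Expansion is only a valid explanation for files marked export-subst.
        widths = range(4, 41) if marked_export_subst(tag_tree, path) else ()
        # %h has no fixed width, so try each abbreviation length.
        width = next((n for n in widths if expand(src, commit, n) == got), None)
        if width is None:
            report["unexplained"].append(path)
        else:
            report["export_subst"][path] = width
    return report


def build_sample():
    """Constructed data: two base.go lines from the thread plus made-up files."""
    vdir = "vendor/k8s.io/client-go/pkg/version/"
    tag_tree = {
        vdir + ".gitattributes": b"base.go export-subst\n",  # constructed content
        vdir + "base.go": (b'gitVersion string = "v0.0.0-master+$Format:%h$"\n'
                           b'gitCommit string = "$Format:%H$"\n'),
        "README.md": b"ko\n",
        "main.go": b"package main\n",
    }
    archive = dict(tag_tree)
    archive[vdir + "base.go"] = expand(tag_tree[vdir + "base.go"], COMMIT, 8)
    archive["main.go"] = b"package main // altered\n"  # simulated unexpected change
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in archive.items():
            info = tarfile.TarInfo("ko-0.8.0/" + path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return tag_tree, buf.getvalue()


if __name__ == "__main__":
    tree, tarball = build_sample()
    print(compare(tree, read_tarball(tarball, "ko-0.8.0/"), COMMIT))
```

A path under `export_subst` reports the `%h` width that reproduces the archive content; anything under `unexplained`, `missing` or `extra` is what still needs a human look before a new checksum is accepted.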

@jonjohnsonjr
Collaborator

> Do you remember when the branch default was switched from master to main?

Wed, Feb 3, around noon PST. @imjasonh

@jonjohnsonjr
Collaborator

> any chance any maintainer deleted the release and re-released to fix a bug?

Not to my knowledge. I'm usually the one to cut these releases, and we generally just bump a minor version.

> or worse any chance a maintainer had their GitHub creds stolen?

Of course possible, but unlikely given that we all use 2FA.

@roopakv
Author

roopakv commented Feb 22, 2021

@jonjohnsonjr when you say your local copy, did you mean your copy of the source code of the original v0.8.0 or your copy of the code at the HEAD of the repo as is now?

@jonjohnsonjr
Collaborator

I did git checkout v0.8.0 on the machine I used to create the tag, then tarred up the filesystem.

$ git show v0.8.0 | head -n 1
commit 82cabb40bae577ce3bc016e5939fd85889538e8b

I compared that to the downloaded release from GitHub, as described in #315 (comment)

That commit is present in a branch that is covered by branch protection (if we trust GitHub), and presumably in @imjasonh's local branches as well (can you check?), which would rule out the commit being modified via compromise unless that attacker somehow compromised both our machines.

@imjasonh
Member

$ git show v0.8.0 | head -n 1
commit 82cabb40bae577ce3bc016e5939fd85889538e8b

Here too

$ git log  | grep -A 8 "commit 82ca"
commit 82cabb40bae577ce3bc016e5939fd85889538e8b
Author: jonjohnsonjr <jonjohnson@google.com>
Date:   Thu Jan 21 10:30:14 2021 -0800

    Fix GOROOT mismatch issues (#303)
    
    Print a warning if GOROOT is unset and ko's default build context
    differs from $(go env GOROOT) and use the result of $(go env GOROOT).

@jonjohnsonjr
Collaborator

Looking at all the metadata GitHub can give us, I see this:

  "created_at": "2021-01-21T18:30:14Z",
  "published_at": "2021-02-02T21:38:44Z",

The published_at time seems to correspond to the master -> main cutover, perhaps?

Another interesting thing is that the target_commitish doesn't seem to be consistent if you look at all releases. Some are master and some are main. I'm not sure if someone re-triggered a release manually? Or if GitHub just did that automagically?

$ curl -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/google/ko/releases/37263023
{
  "url": "https://api.github.com/repos/google/ko/releases/37263023",
  "assets_url": "https://api.github.com/repos/google/ko/releases/37263023/assets",
  "upload_url": "https://uploads.github.com/repos/google/ko/releases/37263023/assets{?name,label}",
  "html_url": "https://github.com/google/ko/releases/tag/v0.8.0",
  "id": 37263023,
  "author": {
    "login": "github-actions[bot]",
    "id": 41898282,
    "node_id": "MDM6Qm90NDE4OTgyODI=",
    "avatar_url": "https://avatars.githubusercontent.com/in/15368?v=4",
    "gravatar_id": "",
    "url": "https://api.github.com/users/github-actions%5Bbot%5D",
    "html_url": "https://github.com/apps/github-actions",
    "followers_url": "https://api.github.com/users/github-actions%5Bbot%5D/followers",
    "following_url": "https://api.github.com/users/github-actions%5Bbot%5D/following{/other_user}",
    "gists_url": "https://api.github.com/users/github-actions%5Bbot%5D/gists{/gist_id}",
    "starred_url": "https://api.github.com/users/github-actions%5Bbot%5D/starred{/owner}{/repo}",
    "subscriptions_url": "https://api.github.com/users/github-actions%5Bbot%5D/subscriptions",
    "organizations_url": "https://api.github.com/users/github-actions%5Bbot%5D/orgs",
    "repos_url": "https://api.github.com/users/github-actions%5Bbot%5D/repos",
    "events_url": "https://api.github.com/users/github-actions%5Bbot%5D/events{/privacy}",
    "received_events_url": "https://api.github.com/users/github-actions%5Bbot%5D/received_events",
    "type": "Bot",
    "site_admin": false
  },
  "node_id": "MDc6UmVsZWFzZTM3MjYzMDIz",
  "tag_name": "v0.8.0",
  "target_commitish": "main",
  "name": "v0.8.0",
  "draft": false,
  "prerelease": false,
  "created_at": "2021-01-21T18:30:14Z",
  "published_at": "2021-02-02T21:38:44Z",
  "assets": [
    {
      "url": "https://api.github.com/repos/google/ko/releases/assets/31550843",
      "id": 31550843,
      "node_id": "MDEyOlJlbGVhc2VBc3NldDMxNTUwODQz",
      "name": "checksums.txt",
      "label": "",
      "uploader": {
        "login": "github-actions[bot]",
        "id": 41898282,
        "node_id": "MDM6Qm90NDE4OTgyODI=",
        "avatar_url": "https://avatars.githubusercontent.com/in/15368?v=4",
        "gravatar_id": "",
        "url": "https://api.github.com/users/github-actions%5Bbot%5D",
        "html_url": "https://github.com/apps/github-actions",
        "followers_url": "https://api.github.com/users/github-actions%5Bbot%5D/followers",
        "following_url": "https://api.github.com/users/github-actions%5Bbot%5D/following{/other_user}",
        "gists_url": "https://api.github.com/users/github-actions%5Bbot%5D/gists{/gist_id}",
        "starred_url": "https://api.github.com/users/github-actions%5Bbot%5D/starred{/owner}{/repo}",
        "subscriptions_url": "https://api.github.com/users/github-actions%5Bbot%5D/subscriptions",
        "organizations_url": "https://api.github.com/users/github-actions%5Bbot%5D/orgs",
        "repos_url": "https://api.github.com/users/github-actions%5Bbot%5D/repos",
        "events_url": "https://api.github.com/users/github-actions%5Bbot%5D/events{/privacy}",
        "received_events_url": "https://api.github.com/users/github-actions%5Bbot%5D/received_events",
        "type": "Bot",
        "site_admin": false
      },
      "content_type": "text/plain; charset=utf-8",
      "state": "uploaded",
      "size": 472,
      "download_count": 8,
      "created_at": "2021-02-02T21:38:44Z",
      "updated_at": "2021-02-02T21:38:44Z",
      "browser_download_url": "https://github.com/google/ko/releases/download/v0.8.0/checksums.txt"
    },
    {
      "url": "https://api.github.com/repos/google/ko/releases/assets/31550845",
      "id": 31550845,
      "node_id": "MDEyOlJlbGVhc2VBc3NldDMxNTUwODQ1",
      "name": "ko_0.8.0_Darwin_x86_64.tar.gz",
      "label": "",
      "uploader": {
        "login": "github-actions[bot]",
        "id": 41898282,
        "node_id": "MDM6Qm90NDE4OTgyODI=",
        "avatar_url": "https://avatars.githubusercontent.com/in/15368?v=4",
        "gravatar_id": "",
        "url": "https://api.github.com/users/github-actions%5Bbot%5D",
        "html_url": "https://github.com/apps/github-actions",
        "followers_url": "https://api.github.com/users/github-actions%5Bbot%5D/followers",
        "following_url": "https://api.github.com/users/github-actions%5Bbot%5D/following{/other_user}",
        "gists_url": "https://api.github.com/users/github-actions%5Bbot%5D/gists{/gist_id}",
        "starred_url": "https://api.github.com/users/github-actions%5Bbot%5D/starred{/owner}{/repo}",
        "subscriptions_url": "https://api.github.com/users/github-actions%5Bbot%5D/subscriptions",
        "organizations_url": "https://api.github.com/users/github-actions%5Bbot%5D/orgs",
        "repos_url": "https://api.github.com/users/github-actions%5Bbot%5D/repos",
        "events_url": "https://api.github.com/users/github-actions%5Bbot%5D/events{/privacy}",
        "received_events_url": "https://api.github.com/users/github-actions%5Bbot%5D/received_events",
        "type": "Bot",
        "site_admin": false
      },
      "content_type": "application/gzip",
      "state": "uploaded",
      "size": 12333526,
      "download_count": 44,
      "created_at": "2021-02-02T21:38:46Z",
      "updated_at": "2021-02-02T21:38:47Z",
      "browser_download_url": "https://github.com/google/ko/releases/download/v0.8.0/ko_0.8.0_Darwin_x86_64.tar.gz"
    },
    {
      "url": "https://api.github.com/repos/google/ko/releases/assets/31550846",
      "id": 31550846,
      "node_id": "MDEyOlJlbGVhc2VBc3NldDMxNTUwODQ2",
      "name": "ko_0.8.0_Linux_arm64.tar.gz",
      "label": "",
      "uploader": {
        "login": "github-actions[bot]",
        "id": 41898282,
        "node_id": "MDM6Qm90NDE4OTgyODI=",
        "avatar_url": "https://avatars.githubusercontent.com/in/15368?v=4",
        "gravatar_id": "",
        "url": "https://api.github.com/users/github-actions%5Bbot%5D",
        "html_url": "https://github.com/apps/github-actions",
        "followers_url": "https://api.github.com/users/github-actions%5Bbot%5D/followers",
        "following_url": "https://api.github.com/users/github-actions%5Bbot%5D/following{/other_user}",
        "gists_url": "https://api.github.com/users/github-actions%5Bbot%5D/gists{/gist_id}",
        "starred_url": "https://api.github.com/users/github-actions%5Bbot%5D/starred{/owner}{/repo}",
        "subscriptions_url": "https://api.github.com/users/github-actions%5Bbot%5D/subscriptions",
        "organizations_url": "https://api.github.com/users/github-actions%5Bbot%5D/orgs",
        "repos_url": "https://api.github.com/users/github-actions%5Bbot%5D/repos",
        "events_url": "https://api.github.com/users/github-actions%5Bbot%5D/events{/privacy}",
        "received_events_url": "https://api.github.com/users/github-actions%5Bbot%5D/received_events",
        "type": "Bot",
        "site_admin": false
      },
      "content_type": "application/gzip",
      "state": "uploaded",
      "size": 10661570,
      "download_count": 1,
      "created_at": "2021-02-02T21:38:46Z",
      "updated_at": "2021-02-02T21:38:48Z",
      "browser_download_url": "https://github.com/google/ko/releases/download/v0.8.0/ko_0.8.0_Linux_arm64.tar.gz"
    },
    {
      "url": "https://api.github.com/repos/google/ko/releases/assets/31550844",
      "id": 31550844,
      "node_id": "MDEyOlJlbGVhc2VBc3NldDMxNTUwODQ0",
      "name": "ko_0.8.0_Linux_i386.tar.gz",
      "label": "",
      "uploader": {
        "login": "github-actions[bot]",
        "id": 41898282,
        "node_id": "MDM6Qm90NDE4OTgyODI=",
        "avatar_url": "https://avatars.githubusercontent.com/in/15368?v=4",
        "gravatar_id": "",
        "url": "https://api.github.com/users/github-actions%5Bbot%5D",
        "html_url": "https://github.com/apps/github-actions",
        "followers_url": "https://api.github.com/users/github-actions%5Bbot%5D/followers",
        "following_url": "https://api.github.com/users/github-actions%5Bbot%5D/following{/other_user}",
        "gists_url": "https://api.github.com/users/github-actions%5Bbot%5D/gists{/gist_id}",
        "starred_url": "https://api.github.com/users/github-actions%5Bbot%5D/starred{/owner}{/repo}",
        "subscriptions_url": "https://api.github.com/users/github-actions%5Bbot%5D/subscriptions",
        "organizations_url": "https://api.github.com/users/github-actions%5Bbot%5D/orgs",
        "repos_url": "https://api.github.com/users/github-actions%5Bbot%5D/repos",
        "events_url": "https://api.github.com/users/github-actions%5Bbot%5D/events{/privacy}",
        "received_events_url": "https://api.github.com/users/github-actions%5Bbot%5D/received_events",
        "type": "Bot",
        "site_admin": false
      },
      "content_type": "application/gzip",
      "state": "uploaded",
      "size": 11547398,
      "download_count": 1,
      "created_at": "2021-02-02T21:38:45Z",
      "updated_at": "2021-02-02T21:38:46Z",
      "browser_download_url": "https://github.com/google/ko/releases/download/v0.8.0/ko_0.8.0_Linux_i386.tar.gz"
    },
    {
      "url": "https://api.github.com/repos/google/ko/releases/assets/31550842",
      "id": 31550842,
      "node_id": "MDEyOlJlbGVhc2VBc3NldDMxNTUwODQy",
      "name": "ko_0.8.0_Linux_s390x.tar.gz",
      "label": "",
      "uploader": {
        "login": "github-actions[bot]",
        "id": 41898282,
        "node_id": "MDM6Qm90NDE4OTgyODI=",
        "avatar_url": "https://avatars.githubusercontent.com/in/15368?v=4",
        "gravatar_id": "",
        "url": "https://api.github.com/users/github-actions%5Bbot%5D",
        "html_url": "https://github.com/apps/github-actions",
        "followers_url": "https://api.github.com/users/github-actions%5Bbot%5D/followers",
        "following_url": "https://api.github.com/users/github-actions%5Bbot%5D/following{/other_user}",
        "gists_url": "https://api.github.com/users/github-actions%5Bbot%5D/gists{/gist_id}",
        "starred_url": "https://api.github.com/users/github-actions%5Bbot%5D/starred{/owner}{/repo}",
        "subscriptions_url": "https://api.github.com/users/github-actions%5Bbot%5D/subscriptions",
        "organizations_url": "https://api.github.com/users/github-actions%5Bbot%5D/orgs",
        "repos_url": "https://api.github.com/users/github-actions%5Bbot%5D/repos",
        "events_url": "https://api.github.com/users/github-actions%5Bbot%5D/events{/privacy}",
        "received_events_url": "https://api.github.com/users/github-actions%5Bbot%5D/received_events",
        "type": "Bot",
        "site_admin": false
      },
      "content_type": "application/gzip",
      "state": "uploaded",
      "size": 11347379,
      "download_count": 3,
      "created_at": "2021-02-02T21:38:44Z",
      "updated_at": "2021-02-02T21:38:45Z",
      "browser_download_url": "https://github.com/google/ko/releases/download/v0.8.0/ko_0.8.0_Linux_s390x.tar.gz"
    },
    {
      "url": "https://api.github.com/repos/google/ko/releases/assets/31550848",
      "id": 31550848,
      "node_id": "MDEyOlJlbGVhc2VBc3NldDMxNTUwODQ4",
      "name": "ko_0.8.0_Linux_x86_64.tar.gz",
      "label": "",
      "uploader": {
        "login": "github-actions[bot]",
        "id": 41898282,
        "node_id": "MDM6Qm90NDE4OTgyODI=",
        "avatar_url": "https://avatars.githubusercontent.com/in/15368?v=4",
        "gravatar_id": "",
        "url": "https://api.github.com/users/github-actions%5Bbot%5D",
        "html_url": "https://github.com/apps/github-actions",
        "followers_url": "https://api.github.com/users/github-actions%5Bbot%5D/followers",
        "following_url": "https://api.github.com/users/github-actions%5Bbot%5D/following{/other_user}",
        "gists_url": "https://api.github.com/users/github-actions%5Bbot%5D/gists{/gist_id}",
        "starred_url": "https://api.github.com/users/github-actions%5Bbot%5D/starred{/owner}{/repo}",
        "subscriptions_url": "https://api.github.com/users/github-actions%5Bbot%5D/subscriptions",
        "organizations_url": "https://api.github.com/users/github-actions%5Bbot%5D/orgs",
        "repos_url": "https://api.github.com/users/github-actions%5Bbot%5D/repos",
        "events_url": "https://api.github.com/users/github-actions%5Bbot%5D/events{/privacy}",
        "received_events_url": "https://api.github.com/users/github-actions%5Bbot%5D/received_events",
        "type": "Bot",
        "site_admin": false
      },
      "content_type": "application/gzip",
      "state": "uploaded",
      "size": 11757716,
      "download_count": 491,
      "created_at": "2021-02-02T21:38:47Z",
      "updated_at": "2021-02-02T21:38:49Z",
      "browser_download_url": "https://github.com/google/ko/releases/download/v0.8.0/ko_0.8.0_Linux_x86_64.tar.gz"
    }
  ],
  "tarball_url": "https://api.github.com/repos/google/ko/tarball/v0.8.0",
  "zipball_url": "https://api.github.com/repos/google/ko/zipball/v0.8.0",
  "body": "## Changelog\n\naf7fb47 Add s390x architecture to ko binary releases (#300)\n6586a72 Always use \"strict\" mode\ne521d76 Bump ggcr to v0.4.0\nfa39374 Document GOFLAGS\nd4fb288 Fix .goreleaser.yml (#285)\n82cabb4 Fix GOROOT mismatch issues (#303)\n0801316 Fix ko login (#298)\nd39f171 Fix the link to releases (#291)\nb6ed60a Format markdown\nc1c21e7 Format markdown\n0bfb6b0 Format markdown (#282)\n78b7bed Merge pull request #280 from jonjohnsonjr/document-goflags\nb898b77 Merge pull request #281 from jonjohnsonjr/strict-always\n5b7eaf7 Merge pull request #283 from knative-automation/auto-updates/common-actions\n4372e2a Merge pull request #284 from knative-automation/auto-updates/common-actions\nbd91eab Merge pull request #290 from knative-automation/auto-updates/format-markdown\ndfe3d51 Merge pull request #293 from jonjohnsonjr/bump-ggcr\n3c21033 Merge pull request #302 from knative-automation/auto-updates/format-markdown\n4f05ece Update common github actions\n77a7a50 Update common github actions\n34568ca Use remote.WithUserAgent where possible (#294)\n0d0ed4d doc: add homebrew install (#301)\n2f3c49e point to releases for installation (#289)\n\n"
}

@roopakv
Author

roopakv commented Feb 22, 2021

Definitely seems to be related to the branch name switch over.

One easy way to check might be to simply set up a repo and change the main branch and see what happens :P

@jonjohnsonjr
Collaborator

I should probably cut v0.8.1 anyway to get the mips stuff out... I can do that and record the digest in this thread to see if this happens in the future?

@jonjohnsonjr
Collaborator

ko-0.8.1.tar.gz

$ curl -s -L https://codeload.github.com/google/ko/tar.gz/v0.8.1 | sha256sum
8efe36bed8c367603b3b10a1db2b7e57bd01bf9eb9f48532ef6a7c7ba304732a  -
$ curl -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/google/ko/releases/38452069
{
  "url": "https://api.github.com/repos/google/ko/releases/38452069",
  "assets_url": "https://api.github.com/repos/google/ko/releases/38452069/assets",
  "upload_url": "https://uploads.github.com/repos/google/ko/releases/38452069/assets{?name,label}",
  "html_url": "https://github.com/google/ko/releases/tag/v0.8.1",
  "id": 38452069,
  "author": {
    "login": "github-actions[bot]",
    "id": 41898282,
    "node_id": "MDM6Qm90NDE4OTgyODI=",
    "avatar_url": "https://avatars.githubusercontent.com/in/15368?v=4",
    "gravatar_id": "",
    "url": "https://api.github.com/users/github-actions%5Bbot%5D",
    "html_url": "https://github.com/apps/github-actions",
    "followers_url": "https://api.github.com/users/github-actions%5Bbot%5D/followers",
    "following_url": "https://api.github.com/users/github-actions%5Bbot%5D/following{/other_user}",
    "gists_url": "https://api.github.com/users/github-actions%5Bbot%5D/gists{/gist_id}",
    "starred_url": "https://api.github.com/users/github-actions%5Bbot%5D/starred{/owner}{/repo}",
    "subscriptions_url": "https://api.github.com/users/github-actions%5Bbot%5D/subscriptions",
    "organizations_url": "https://api.github.com/users/github-actions%5Bbot%5D/orgs",
    "repos_url": "https://api.github.com/users/github-actions%5Bbot%5D/repos",
    "events_url": "https://api.github.com/users/github-actions%5Bbot%5D/events{/privacy}",
    "received_events_url": "https://api.github.com/users/github-actions%5Bbot%5D/received_events",
    "type": "Bot",
    "site_admin": false
  },
  "node_id": "MDc6UmVsZWFzZTM4NDUyMDY5",
  "tag_name": "v0.8.1",
  "target_commitish": "main",
  "name": "v0.8.1",
  "draft": false,
  "prerelease": false,
  "created_at": "2021-02-19T17:22:26Z",
  "published_at": "2021-02-22T21:52:52Z",
  "assets": [
    {
      "url": "https://api.github.com/repos/google/ko/releases/assets/32442558",
      "id": 32442558,
      "node_id": "MDEyOlJlbGVhc2VBc3NldDMyNDQyNTU4",
      "name": "checksums.txt",
      "label": "",
      "uploader": {
        "login": "github-actions[bot]",
        "id": 41898282,
        "node_id": "MDM6Qm90NDE4OTgyODI=",
        "avatar_url": "https://avatars.githubusercontent.com/in/15368?v=4",
        "gravatar_id": "",
        "url": "https://api.github.com/users/github-actions%5Bbot%5D",
        "html_url": "https://github.com/apps/github-actions",
        "followers_url": "https://api.github.com/users/github-actions%5Bbot%5D/followers",
        "following_url": "https://api.github.com/users/github-actions%5Bbot%5D/following{/other_user}",
        "gists_url": "https://api.github.com/users/github-actions%5Bbot%5D/gists{/gist_id}",
        "starred_url": "https://api.github.com/users/github-actions%5Bbot%5D/starred{/owner}{/repo}",
        "subscriptions_url": "https://api.github.com/users/github-actions%5Bbot%5D/subscriptions",
        "organizations_url": "https://api.github.com/users/github-actions%5Bbot%5D/orgs",
        "repos_url": "https://api.github.com/users/github-actions%5Bbot%5D/repos",
        "events_url": "https://api.github.com/users/github-actions%5Bbot%5D/events{/privacy}",
        "received_events_url": "https://api.github.com/users/github-actions%5Bbot%5D/received_events",
        "type": "Bot",
        "site_admin": false
      },
      "content_type": "text/plain; charset=utf-8",
      "state": "uploaded",
      "size": 472,
      "download_count": 0,
      "created_at": "2021-02-22T21:52:52Z",
      "updated_at": "2021-02-22T21:52:53Z",
      "browser_download_url": "https://github.com/google/ko/releases/download/v0.8.1/checksums.txt"
    },
    {
      "url": "https://api.github.com/repos/google/ko/releases/assets/32442564",
      "id": 32442564,
      "node_id": "MDEyOlJlbGVhc2VBc3NldDMyNDQyNTY0",
      "name": "ko_0.8.1_Darwin_x86_64.tar.gz",
      "label": "",
      "uploader": {
        "login": "github-actions[bot]",
        "id": 41898282,
        "node_id": "MDM6Qm90NDE4OTgyODI=",
        "avatar_url": "https://avatars.githubusercontent.com/in/15368?v=4",
        "gravatar_id": "",
        "url": "https://api.github.com/users/github-actions%5Bbot%5D",
        "html_url": "https://github.com/apps/github-actions",
        "followers_url": "https://api.github.com/users/github-actions%5Bbot%5D/followers",
        "following_url": "https://api.github.com/users/github-actions%5Bbot%5D/following{/other_user}",
        "gists_url": "https://api.github.com/users/github-actions%5Bbot%5D/gists{/gist_id}",
        "starred_url": "https://api.github.com/users/github-actions%5Bbot%5D/starred{/owner}{/repo}",
        "subscriptions_url": "https://api.github.com/users/github-actions%5Bbot%5D/subscriptions",
        "organizations_url": "https://api.github.com/users/github-actions%5Bbot%5D/orgs",
        "repos_url": "https://api.github.com/users/github-actions%5Bbot%5D/repos",
        "events_url": "https://api.github.com/users/github-actions%5Bbot%5D/events{/privacy}",
        "received_events_url": "https://api.github.com/users/github-actions%5Bbot%5D/received_events",
        "type": "Bot",
        "site_admin": false
      },
      "content_type": "application/gzip",
      "state": "uploaded",
      "size": 12333522,
      "download_count": 0,
      "created_at": "2021-02-22T21:52:54Z",
      "updated_at": "2021-02-22T21:52:54Z",
      "browser_download_url": "https://github.com/google/ko/releases/download/v0.8.1/ko_0.8.1_Darwin_x86_64.tar.gz"
    },
    {
      "url": "https://api.github.com/repos/google/ko/releases/assets/32442557",
      "id": 32442557,
      "node_id": "MDEyOlJlbGVhc2VBc3NldDMyNDQyNTU3",
      "name": "ko_0.8.1_Linux_arm64.tar.gz",
      "label": "",
      "uploader": {
        "login": "github-actions[bot]",
        "id": 41898282,
        "node_id": "MDM6Qm90NDE4OTgyODI=",
        "avatar_url": "https://avatars.githubusercontent.com/in/15368?v=4",
        "gravatar_id": "",
        "url": "https://api.github.com/users/github-actions%5Bbot%5D",
        "html_url": "https://github.com/apps/github-actions",
        "followers_url": "https://api.github.com/users/github-actions%5Bbot%5D/followers",
        "following_url": "https://api.github.com/users/github-actions%5Bbot%5D/following{/other_user}",
        "gists_url": "https://api.github.com/users/github-actions%5Bbot%5D/gists{/gist_id}",
        "starred_url": "https://api.github.com/users/github-actions%5Bbot%5D/starred{/owner}{/repo}",
        "subscriptions_url": "https://api.github.com/users/github-actions%5Bbot%5D/subscriptions",
        "organizations_url": "https://api.github.com/users/github-actions%5Bbot%5D/orgs",
        "repos_url": "https://api.github.com/users/github-actions%5Bbot%5D/repos",
        "events_url": "https://api.github.com/users/github-actions%5Bbot%5D/events{/privacy}",
        "received_events_url": "https://api.github.com/users/github-actions%5Bbot%5D/received_events",
        "type": "Bot",
        "site_admin": false
      },
      "content_type": "application/gzip",
      "state": "uploaded",
      "size": 10661566,
      "download_count": 0,
      "created_at": "2021-02-22T21:52:52Z",
      "updated_at": "2021-02-22T21:52:53Z",
      "browser_download_url": "https://github.com/google/ko/releases/download/v0.8.1/ko_0.8.1_Linux_arm64.tar.gz"
    },
    {
      "url": "https://api.github.com/repos/google/ko/releases/assets/32442565",
      "id": 32442565,
      "node_id": "MDEyOlJlbGVhc2VBc3NldDMyNDQyNTY1",
      "name": "ko_0.8.1_Linux_i386.tar.gz",
      "label": "",
      "uploader": {
        "login": "github-actions[bot]",
        "id": 41898282,
        "node_id": "MDM6Qm90NDE4OTgyODI=",
        "avatar_url": "https://avatars.githubusercontent.com/in/15368?v=4",
        "gravatar_id": "",
        "url": "https://api.github.com/users/github-actions%5Bbot%5D",
        "html_url": "https://github.com/apps/github-actions",
        "followers_url": "https://api.github.com/users/github-actions%5Bbot%5D/followers",
        "following_url": "https://api.github.com/users/github-actions%5Bbot%5D/following{/other_user}",
        "gists_url": "https://api.github.com/users/github-actions%5Bbot%5D/gists{/gist_id}",
        "starred_url": "https://api.github.com/users/github-actions%5Bbot%5D/starred{/owner}{/repo}",
        "subscriptions_url": "https://api.github.com/users/github-actions%5Bbot%5D/subscriptions",
        "organizations_url": "https://api.github.com/users/github-actions%5Bbot%5D/orgs",
        "repos_url": "https://api.github.com/users/github-actions%5Bbot%5D/repos",
        "events_url": "https://api.github.com/users/github-actions%5Bbot%5D/events{/privacy}",
        "received_events_url": "https://api.github.com/users/github-actions%5Bbot%5D/received_events",
        "type": "Bot",
        "site_admin": false
      },
      "content_type": "application/gzip",
      "state": "uploaded",
      "size": 11547375,
      "download_count": 0,
      "created_at": "2021-02-22T21:52:54Z",
      "updated_at": "2021-02-22T21:52:55Z",
      "browser_download_url": "https://github.com/google/ko/releases/download/v0.8.1/ko_0.8.1_Linux_i386.tar.gz"
    },
    {
      "url": "https://api.github.com/repos/google/ko/releases/assets/32442563",
      "id": 32442563,
      "node_id": "MDEyOlJlbGVhc2VBc3NldDMyNDQyNTYz",
      "name": "ko_0.8.1_Linux_s390x.tar.gz",
      "label": "",
      "uploader": {
        "login": "github-actions[bot]",
        "id": 41898282,
        "node_id": "MDM6Qm90NDE4OTgyODI=",
        "avatar_url": "https://avatars.githubusercontent.com/in/15368?v=4",
        "gravatar_id": "",
        "url": "https://api.github.com/users/github-actions%5Bbot%5D",
        "html_url": "https://github.com/apps/github-actions",
        "followers_url": "https://api.github.com/users/github-actions%5Bbot%5D/followers",
        "following_url": "https://api.github.com/users/github-actions%5Bbot%5D/following{/other_user}",
        "gists_url": "https://api.github.com/users/github-actions%5Bbot%5D/gists{/gist_id}",
        "starred_url": "https://api.github.com/users/github-actions%5Bbot%5D/starred{/owner}{/repo}",
        "subscriptions_url": "https://api.github.com/users/github-actions%5Bbot%5D/subscriptions",
        "organizations_url": "https://api.github.com/users/github-actions%5Bbot%5D/orgs",
        "repos_url": "https://api.github.com/users/github-actions%5Bbot%5D/repos",
        "events_url": "https://api.github.com/users/github-actions%5Bbot%5D/events{/privacy}",
        "received_events_url": "https://api.github.com/users/github-actions%5Bbot%5D/received_events",
        "type": "Bot",
        "site_admin": false
      },
      "content_type": "application/gzip",
      "state": "uploaded",
      "size": 11347340,
      "download_count": 0,
      "created_at": "2021-02-22T21:52:53Z",
      "updated_at": "2021-02-22T21:52:54Z",
      "browser_download_url": "https://github.com/google/ko/releases/download/v0.8.1/ko_0.8.1_Linux_s390x.tar.gz"
    },
    {
      "url": "https://api.github.com/repos/google/ko/releases/assets/32442559",
      "id": 32442559,
      "node_id": "MDEyOlJlbGVhc2VBc3NldDMyNDQyNTU5",
      "name": "ko_0.8.1_Linux_x86_64.tar.gz",
      "label": "",
      "uploader": {
        "login": "github-actions[bot]",
        "id": 41898282,
        "node_id": "MDM6Qm90NDE4OTgyODI=",
        "avatar_url": "https://avatars.githubusercontent.com/in/15368?v=4",
        "gravatar_id": "",
        "url": "https://api.github.com/users/github-actions%5Bbot%5D",
        "html_url": "https://github.com/apps/github-actions",
        "followers_url": "https://api.github.com/users/github-actions%5Bbot%5D/followers",
        "following_url": "https://api.github.com/users/github-actions%5Bbot%5D/following{/other_user}",
        "gists_url": "https://api.github.com/users/github-actions%5Bbot%5D/gists{/gist_id}",
        "starred_url": "https://api.github.com/users/github-actions%5Bbot%5D/starred{/owner}{/repo}",
        "subscriptions_url": "https://api.github.com/users/github-actions%5Bbot%5D/subscriptions",
        "organizations_url": "https://api.github.com/users/github-actions%5Bbot%5D/orgs",
        "repos_url": "https://api.github.com/users/github-actions%5Bbot%5D/repos",
        "events_url": "https://api.github.com/users/github-actions%5Bbot%5D/events{/privacy}",
        "received_events_url": "https://api.github.com/users/github-actions%5Bbot%5D/received_events",
        "type": "Bot",
        "site_admin": false
      },
      "content_type": "application/gzip",
      "state": "uploaded",
      "size": 11757727,
      "download_count": 0,
      "created_at": "2021-02-22T21:52:53Z",
      "updated_at": "2021-02-22T21:52:53Z",
      "browser_download_url": "https://github.com/google/ko/releases/download/v0.8.1/ko_0.8.1_Linux_x86_64.tar.gz"
    }
  ],
  "tarball_url": "https://api.github.com/repos/google/ko/tarball/v0.8.1",
  "zipball_url": "https://api.github.com/repos/google/ko/zipball/v0.8.1",
  "body": "## Changelog\n\n4ad3f11 Merge pull request #306 from ImJasonH/rename\nf25feec Merge pull request #308 from knative-automation/auto-updates/common-actions\nb8162cf Merge pull request #310 from knative-automation/auto-updates/common-actions\n12bbd4c Update common github actions\ndab4c5e Update common github actions\n8e1aaa1 Update common github actions (#311)\n746ec90 Update travis link to main branch\na6442e6 support goarch mips64le architecture. (#309)\n\n"
}

@jonjohnsonjr
Collaborator

Interestingly, that doesn't include the mips binary, which was intended. 🤷

@Bo98

Bo98 commented Feb 22, 2021

Ah k8s.io/client-go is familiar! I've seen that code cause problems before. The problem I've seen before was due to k8s.io/client-go using a shorthand commit hash here:

gitVersion string = "v0.0.0-master+$Format:%h$"

The length of the shorthand commit hash is not constant. It varies depending on the number of commits in the repo - it lengthens as necessary to avoid hash conflicts.

When you download GitHub archives, these values are filled. In fact, k8s.io/client-go even documents this:

NOTE: The $Format strings are replaced during 'git archive'

But because the length of the shorthand hash can change over time, then as such so can the hash contained in the archive.

This has caused problems for many projects over the years. Ideally k8s.io/client-go would stop using short commit hashes but I'm not sure if any issue has ever been raised.
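
The effect described in the comment above can be reproduced locally. This is an added example, not part of the thread or of either project: the repository contents and the helper names `make_repo`, `archive_digest` and `expanded_id` are constructed, and git's `core.abbrev` setting is used as a stand-in for the automatic lengthening that happens as a repository grows.

```shell
#!/usr/bin/env bash
# Constructed demo: a `$Format:%h$` placeholder makes `git archive` output
# depend on the abbreviation length in effect when the archive is generated.
set -eu

sha256() {  # hex SHA-256 of stdin (sha256sum on Linux, shasum on macOS)
  if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi | cut -d' ' -f1
}

# make_repo DIR PLACEHOLDER: one-commit repo whose version.go is marked export-subst
make_repo() {
  git init -q "$1"
  printf 'version.go export-subst\n' > "$1/.gitattributes"
  printf 'package version\n\nvar gitVersion = "v0.0.0-master+%s"\n' "$2" > "$1/version.go"
  git -C "$1" add .
  git -C "$1" -c user.name=demo -c user.email=demo@example.invalid \
      -c commit.gpgsign=false commit -q -m 'constructed commit'
}

# archive_digest DIR ABBREV: SHA-256 of the tar stream for HEAD.
# core.abbrev stands in for git's automatic lengthening as a repository grows.
archive_digest() {
  git -C "$1" -c core.abbrev="$2" archive --format=tar HEAD | sha256
}

# expanded_id DIR ABBREV: the text that replaced the placeholder inside the archive
expanded_id() {
  git -C "$1" -c core.abbrev="$2" archive --format=tar HEAD version.go |
    tar -xO -f - version.go | sed -n 's/.*master+\([0-9a-f]*\)".*/\1/p'
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_repo "$work/short" '$Format:%h$'   # abbreviated hash, as quoted in the thread
make_repo "$work/full"  '$Format:%H$'   # full hash, fixed length

for repo in short full; do
  for abbrev in 7 12; do
    printf '%-5s core.abbrev=%-2s id=%s sha256=%s\n' "$repo" "$abbrev" \
      "$(expanded_id "$work/$repo" "$abbrev")" "$(archive_digest "$work/$repo" "$abbrev")"
  done
done
```

For the `short` repository the two digests differ although the commit is the same; for `full` they match, so a checksum pinned to an archive of that tree stays valid.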

@imjasonh
Member

> This has caused problems for many projects over the years. Ideally k8s.io/client-go would stop using short commit hashes but I'm not sure if any issue has ever been raised.

Let's try: https://github.com/kubernetes/client-go/issues/934

@imjasonh
Member

imjasonh commented Apr 2, 2021

I think we can close this, since we understand (I think) the underlying cause of the sha256 mismatch, and kubernetes/kubernetes#99376 should fix this (we think) for future releases.

Please reopen if you see this again, and thanks for the report. 👍

@imjasonh imjasonh closed this as completed Apr 2, 2021
tormath1 added a commit to flatcar-archive/coreos-overlay that referenced this issue Dec 16, 2021
The length of the shorthand commit hash is not constant.
It varies depending on the number of commits in the repo and
it lengthens as necessary to avoid hash conflicts.

When you download GitHub archives, these values are filled.

See also:
* containerd/containerd#6382
* ko-build/ko#315 (comment)

Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
t-lo pushed a commit to flatcar/scripts that referenced this issue Apr 13, 2023
The length of the shorthand commit hash is not constant.
It varies depending on the number of commits in the repo and
it lengthens as necessary to avoid hash conflicts.

When you download GitHub archives, these values are filled.

See also:
* containerd/containerd#6382
* ko-build/ko#315 (comment)

Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>