Wrong hashes (from getmonero.org)

[nikitasius]

I downloaded:

• https://dlsrc.getmonero.org/cli/monero-linux-x64-v0.15.0.0.tar.bz2 (https://web.getmonero.org/downloads/#linux)
• https://downloads.getmonero.org/cli/monero-linux-x64-v0.15.0.0.tar.bz2 (https://github.com/monero-project/monero/releases)

website say:

Check sha256 and see this (only github's matches hashsum):

• 53d9da55137f83b1e7571aef090b0784d9f04a980115b5c391455374729393f3 monero-linux-x64-v0.15.0.0-github.tar.bz2
• b99009d2e47989262c23f7277808f7bb0115075e7467061d54fd80c51a22e63d monero-linux-x64-v0.15.0.0-site.tar.bz2

I look inside:

monero-linux-x64-v0.15.0.0-github

• 0d8e612321fac7acef02fc5024029663bd7831de8cd24ae980c59e6e6e77b2b8 LICENSE
• 2b05482894fae937a13f8b84209c6006cd1144db0205fa7ea6da0b82023e1b39 monero-blockchain-ancestry
• 2eb0087115b2d125987334158f7946b18c6c6a2abe33662164c6a95fe564fde1 monero-blockchain-depth
• ee7577d8f53485df902d8f706e3a1837a8a9e1add12f468bdfce52b93d74fc21 monero-blockchain-export
• f863333d2e6e7d283380a0a2bc9b128485020da63776317347144ecbabd5e9d5 monero-blockchain-import
• 2db50fc7cbaa15f8322ac2d5a27ac3e75dadd23cb32cacc9f2bd2097d741db39 monero-blockchain-mark-spent-outputs
• 14565c45fc6bd169ec1d94cb1a5b81bbac6ced59acabc264d360a34941a502ae monero-blockchain-prune
• 06177f7cd37a4878e5af2d79a75b48ec5c0492cc66e911ee416bfd8962a865df monero-blockchain-prune-known-spent-data
• a252531b84668e354ca36e1f12375ce3bdcb7061d81e76f0df736807c4ed77f0 monero-blockchain-stats
• 9fb26f5587f69cf85c9d548041b81e98590ec8c42ac5ff79b5421fcf02c0fcb4 monero-blockchain-usage
• b3f9ea5f196a9a67ae137b6c1f6916ff0c0cc836c1a225c96fe73d5ce50d1fed monerod
• a9de252a6f5409aa33fddb557071fb3a17ab7fc4c9e23e0e10494761f1aa2c6a monero-gen-ssl-cert
• bd1053ba7a1ecfece1676b294433a6b161049730c1ed9a566e762f6b3812a086 monero-gen-trusted-multisig
• 5decc690a63aab004bae261630980e631b9d37a0271bbe0c5b477feffcd3f8c2 monero-wallet-cli
• 7fb80cec9b4a33051d47e228eeedf001faa376b93c9c7f1ecc9280dc9dab9225 monero-wallet-rpc

monero-linux-x64-v0.15.0.0-site

• 0d8e612321fac7acef02fc5024029663bd7831de8cd24ae980c59e6e6e77b2b8 LICENSE
• 2b05482894fae937a13f8b84209c6006cd1144db0205fa7ea6da0b82023e1b39 monero-blockchain-ancestry
• 2eb0087115b2d125987334158f7946b18c6c6a2abe33662164c6a95fe564fde1 monero-blockchain-depth
• ee7577d8f53485df902d8f706e3a1837a8a9e1add12f468bdfce52b93d74fc21 monero-blockchain-export
• f863333d2e6e7d283380a0a2bc9b128485020da63776317347144ecbabd5e9d5 monero-blockchain-import
• 2db50fc7cbaa15f8322ac2d5a27ac3e75dadd23cb32cacc9f2bd2097d741db39 monero-blockchain-mark-spent-outputs
• 14565c45fc6bd169ec1d94cb1a5b81bbac6ced59acabc264d360a34941a502ae monero-blockchain-prune
• 06177f7cd37a4878e5af2d79a75b48ec5c0492cc66e911ee416bfd8962a865df monero-blockchain-prune-known-spent-data
• a252531b84668e354ca36e1f12375ce3bdcb7061d81e76f0df736807c4ed77f0 monero-blockchain-stats
• 9fb26f5587f69cf85c9d548041b81e98590ec8c42ac5ff79b5421fcf02c0fcb4 monero-blockchain-usage
• b3f9ea5f196a9a67ae137b6c1f6916ff0c0cc836c1a225c96fe73d5ce50d1fed monerod
• a9de252a6f5409aa33fddb557071fb3a17ab7fc4c9e23e0e10494761f1aa2c6a monero-gen-ssl-cert
• bd1053ba7a1ecfece1676b294433a6b161049730c1ed9a566e762f6b3812a086 monero-gen-trusted-multisig
• 7ab9afbc5f9a1df687558d570192fbfe9e085712657d2cfa5524f2c8caccca31 monero-wallet-cli
• 7fb80cec9b4a33051d47e228eeedf001faa376b93c9c7f1ecc9280dc9dab9225 monero-wallet-rpc

Why monero-wallet-cli are different in those 2 releases?

[selsta]

I can confirm, hash doesn’t match.

[sedited]

The 53d9d... hash was verified independently in the gitian sigs repo and seems to be the correct one: https://github.com/monero-project/gitian.sigs/blob/master/v0.15.0.0-linux/hyc/monero-linux-0.15-build.assert#L6 .

[selsta]

Issue should be fixed now, hyc is looking at the bad binary.

[nikitasius]

yep it's correct now.

[trasherdk]

So. Do I need to do a recompile/redeploy while waiting for 15.0.1 ?
My version is Monero Carbon Chamaeleon' (v0.15.0.0-69c488a47)

[selsta]

My version is Monero Carbon Chamaeleon' (v0.15.0.0-69c488a47)

Looks good, no need to recompile.

[trasherdk]

Well. Compared, something changed:

A few minutes ago

$ sha1sum monero-v0.15.0.0/monerod 
e32220114d0c57886d16e50ac858edf9b1b22872  monero-v0.15.0.0/monerod

Compared to:
2-3 days ago

$ sha1sum ../build-monero-pool/usr/bin/monerod 
801706e2396d1a88475b5535247155ec147ae25c  ../build-monero-pool/usr/bin/monerod

Both are off clean git clone. Why are they not the same?

[selsta]

Normal builds are not guaranteed to be deterministic. This issue here is about the getmonero.org download, not self compiled binaries.

[nikitasius]

@trasherdk @selsta so.. still an issue (for old users), i keep it open?

[trasherdk]

I do realize that, your deterministic build environment, is very different from mine.
Doing a new clone/build of the pool version, tells me that I have to take another look at the build scripts.
Rebuilding both still yields different (same as before) results.
At least they match the previous results :)

$ sha1sum monero-v0.15.0.0/monerod             
e32220114d0c57886d16e50ac858edf9b1b22872  monero-v0.15.0.0/monerod
$ sha1sum ../build-monero-pool/usr/bin/monerod 
801706e2396d1a88475b5535247155ec147ae25c  ../build-monero-pool/usr/bin/monerod

[selsta]

@trasherdk monero does support reproducible builds, see https://github.com/monero-project/monero/tree/master/contrib/gitian

[trasherdk]

@selsta Yes, I know. But I'm not about to change my servers to Debian, just to build a Monero.
All my servers are running Slackware x64 14.2. I know. Old school, but that's what I like.

[scottAnselmo]

Is there a copy of the bad binary somewhere for anyone else to investigate by downloading onto a VM and decompiling?