[Bug]: hash of nextcloud-23.0.12.zip aka latest-23.zip does not match with provided md5, sha256 sha512 hashes on download.nextcloud.com #39636

Closed
4 of 8 tasks
ernolf opened this issue Jul 31, 2023 · 8 comments
Labels
0. Needs triage Pending check for reproducibility or if it fits our roadmap 23-feedback Feedback from 23.x releases bug security

Comments

@ernolf

ernolf commented Jul 31, 2023

Bug description

Updates from older versions get into trouble.
See https://help.nextcloud.com/t/crc-failed-on-file-nextcloud-23-0-12-zip/167176

Steps to reproduce

archive="nextcloud-23.0.12.zip"
server='https://download.nextcloud.com/server/releases'
wget "$server/$archive"
# check integrity of downloaded file
for hash in md5 sha256 sha512; do
    [ "$("${hash}sum" "$archive" | awk '{print $1}')" = "$(curl -s "$server/$archive.$hash" | awk '{print $1}')" ] && echo "$hash match" || echo "$hash mismatch"
done

or

archive="latest-23.zip"
server='https://download.nextcloud.com/server/releases'
wget "$server/$archive"
# check integrity of downloaded file
for hash in md5 sha256 sha512; do
    [ "$("${hash}sum" "$archive" | awk '{print $1}')" = "$(curl -s "$server/$archive.$hash" | awk '{print $1}')" ] && echo "$hash match" || echo "$hash mismatch"
done

Expected behavior

Hashes match the provided hashes

Installation method

None

Nextcloud Server version

25

Operating system

None

PHP engine version

None

Web server

None

Database engine version

None

Is this bug present after an update or on a fresh install?

Upgraded to a MAJOR version (ex. 22 to 23)

Are you using the Nextcloud Server Encryption module?

None

What user-backends are you using?

  • Default user-backend (database)
  • LDAP/ Active Directory
  • SSO - SAML
  • Other

Configuration report

No response

List of activated Apps

No response

Nextcloud Signing status

No response

Nextcloud Logs

No response

Additional info

No response
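
An added example, not part of the original issue: a fail-closed variant of the digest comparison from the steps to reproduce, which rejects an empty or malformed published digest instead of letting two empty command substitutions compare as equal. It assumes the `.md5`, `.sha256` and `.sha512` files were already downloaded next to the archive; the function names are hypothetical.

```sh
#!/bin/sh
# Added example (hypothetical function names): fail-closed digest check.
# Expects ARCHIVE.md5, ARCHIVE.sha256 and ARCHIVE.sha512 next to ARCHIVE.

# Hex length a well-formed digest must have for each algorithm.
digest_len() {
    case "$1" in
        md5) echo 32 ;;
        sha256) echo 64 ;;
        sha512) echo 128 ;;
        *) return 1 ;;
    esac
}

# check_digest ARCHIVE ALGO -> 0 match, 1 mismatch, 2 missing or malformed input
check_digest() {
    archive=$1 algo=$2
    len=$(digest_len "$algo") || return 2
    [ -r "$archive" ] && [ -r "$archive.$algo" ] || return 2
    # First field of the published digest file, lower-cased.
    want=$(awk 'NR==1 {print tolower($1)}' "$archive.$algo")
    # Reject empty or non-hex values, e.g. an HTML error page saved as the digest.
    case "$want" in
        ''|*[!0-9a-f]*) return 2 ;;
    esac
    [ "${#want}" -eq "$len" ] || return 2
    # Hash via stdin so the tool never has to escape the file name.
    got=$("${algo}sum" < "$archive" | awk '{print $1}')
    [ -n "$got" ] || return 2
    [ "$got" = "$want" ]
}

# verify_release ARCHIVE -> 0 only if every algorithm matches
verify_release() {
    failed=0
    for algo in md5 sha256 sha512; do
        check_digest "$1" "$algo" && rc=0 || rc=$?
        case "$rc" in
            0) echo "$algo match" ;;
            1) echo "$algo MISMATCH" >&2; failed=1 ;;
            *) echo "$algo: digest missing or malformed" >&2; failed=1 ;;
        esac
    done
    return "$failed"
}
```

Digests fetched from the same server as the archive only detect corruption in transit or at rest; authenticity comes from the GPG signature check.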

@ernolf ernolf added 0. Needs triage Pending check for reproducibility or if it fits our roadmap bug labels Jul 31, 2023
@1337v411

wget https://download.nextcloud.com/server/releases/nextcloud-23.0.12.zip

unzip -t nextcloud-23.0.12.zip | grep -v "OK$"
Archive:  nextcloud-23.0.12.zip
    testing: nextcloud/core/doc/admin/configuration_files/external_storage/local.html   bad CRC 9e2e9359  (should be 05fb6ae6)
 bad CRC 9e2e9359  (should be 05fb6ae6)
At least one error was detected in nextcloud-23.0.12.zip.

...so, there's an error in the zipfile itself.

@ernolf
Author

ernolf commented Jul 31, 2023

gpg signature does not match either:

~/download.nextcloud.com# gpg --fetch-keys https://nextcloud.com/nextcloud.asc
gpg: Schlüssel D75899B9A724937A: Öffentlicher Schlüssel "Nextcloud Security <security@nextcloud.com>" importiert
gpg: Anzahl insgesamt bearbeiteter Schlüssel: 1
gpg:               importiert: 1

~/download.nextcloud.com# gpg --verify nextcloud-23.0.12.zip.asc nextcloud-23.0.12.zip
gpg: Signatur vom Do 08 Dez 2022 14:18:39 CET
gpg:                mittels RSA-Schlüssel 28806A878AE423A28372792ED75899B9A724937A
gpg: FALSCHE Signatur von "Nextcloud Security <security@nextcloud.com>" [unbekannt]

@Bradley-Liu

nextcloud-23.0.12.zip md5 (8bbea33b2f981d965e59a6b640cb2a0e) does not match the md5 file (47d3987d6bad3238d512cb48e6ab084b) in releases directory.
Update failed. Please correct this issue.
Current version is 22.2.10.

Update to Nextcloud 23.0.12 available. (channel: "stable")
Following file will be downloaded automatically: https://download.nextcloud.com/server/releases/nextcloud-23.0.12.zip
Open changelog ↗

Steps that will be executed:
[✔] Check for expected files
[✔] Check for write permissions
[✔] Create backup
[✔] Downloading
[ ] Verify integrity
[ ] Extracting
[ ] Enable maintenance mode
[ ] Replace entry points
[ ] Delete old files
[ ] Move new files in place
[ ] Done

Continue update? [y/N] y

Info: Pressing Ctrl-C will finish the currently running step and then stops the updater.

[✔] Check for expected files
[✔] Check for write permissions
[✔] Create backup
[✔] Downloading
[✘] Verify integrity failed
Signature of update is not valid

Update failed. To resume or retry just execute the updater again.
root@BigBuffalo:/mnt/user/nextcloud/updater-oce5sgbmbhz4# docker exec -it nextcloud updater.phar
Nextcloud Updater - version: v20.0.0beta4-11-g68fa0d4

@tflidd tflidd added the security label Aug 1, 2023
@tflidd
Contributor

tflidd commented Aug 1, 2023

I put the security label because these archives could be compromised.

@Neomedes

Neomedes commented Aug 1, 2023

After installing and checking the installation in the admin overview, the following file may be corrupted:

Technical information
=====================
The following list covers which files have failed the integrity check. Please read
the previous linked documentation to learn more about the errors and how to fix
them.

Results
=======
- core
	- INVALID_HASH
		- core/doc/admin/configuration_files/external_storage/local.html

Raw output
==========
Array
(
    [core] => Array
        (
            [INVALID_HASH] => Array
                (
                    [core/doc/admin/configuration_files/external_storage/local.html] => Array
                        (
                            [expected] => ad210d923dbb3f29ec922c13e1929998cf1997e369defb9e5ed7879a45a6c9055d5a65dda5a6b1c5a21b8290392a896be7603692bdfe9b4ef1231de368356715
                            [current] => 2d2198d5c9e74576ff8847760efed4ef5a886db358fa68c70b1f9ff865baed2eb2f3083afd42ecd3e82567fb988d2f1135e2417c97a880c992126f90e3ce65e8
                        )

                )

        )

)

@solracsf
Member

solracsf commented Aug 8, 2023

Cc @blizzz maybe you can take a look.

@szaimen szaimen added the 23-feedback Feedback from 23.x releases label Aug 9, 2023
@stratege1401

Hello,

This could be linked to #39815, as I tried a manual update using the zip file for 23.0.0.2.

I ended up having failed integrity files:

Technical information

The following list covers which files have failed the integrity check. Please read
the previous linked documentation to learn more about the errors and how to fix
them.

Results

  • text
    • EXTRA_FILE
      • l10n/lo.json
      • l10n/lo.js
      • l10n/kn.js
      • l10n/kn.json
  • logreader
    • EXTRA_FILE
      • l10n/ur_PK.js
      • l10n/ps.json
      • l10n/ast.json
      • l10n/gd.js
      • l10n/bs.js
      • l10n/ps.js
      • l10n/tk.json
      • l10n/ms_MY.js
      • l10n/bs.json
      • l10n/uz.js
      • l10n/ms_MY.json
      • l10n/gd.json
      • l10n/ast.js
      • l10n/ur_PK.json
      • l10n/uz.json
      • l10n/tk.js

@nilsnh

nilsnh commented Aug 19, 2023

I just ran the steps to reproduce this issue and the checksums now match. Is it safe to consider this issue resolved?

@kesselb kesselb closed this as completed Aug 19, 2023