
SHA256 mismatch for libdap 3.19.1 #37

Closed
hectorlee opened this issue Dec 28, 2017 · 7 comments
Comments

@hectorlee

There's a SHA256 mismatch for libdap. Encountered this while installing gdal via homebrew on Mac OS 10.10.5. Was asked to rule out malicious circumstances and to find out why the file changed.

brew install libdap
==> Downloading https://www.opendap.org/pub/source/libdap-3.19.1.tar.gz
######################################################################## 100.0%
Error: SHA256 mismatch
Expected: 5215434bacf385ba3f7445494ce400a5ade3995533d8d38bb97fcef1478ad33e
Actual: fb7014b6047cf3fa47d05c0faf258636f664c5fc232ff0886a78dfc5aae29f8f
@jgallagher59701
Member

What is the source of the expected and actual values?

I downloaded the file and its sig from the web site and the tar.gz verifies:

edamame:libdap4 jimg$ gpg --verify /Users/jimg/Downloads/libdap-3.19.1.tar.gz.sig /Users/jimg/Downloads/libdap-3.19.1.tar.gz
gpg: Signature made Sun Dec 3 13:45:32 2017 MST using DSA key ID 737C24C4
gpg: Good signature from "OPeNDAP Security (OPeNDAP, Inc.) security@opendap.org"

@hectorlee
Author

hectorlee commented Dec 28, 2017

The expected value was listed in the homebrew formula, which I presume was entered by the author of the formula. The concern is whether the file was changed maliciously, thus causing the checksum to no longer match.

The issue I raised in the homebrew repo can be found here

Here is the formula for libdap in homebrew.
https://github.com/Homebrew/homebrew-core/blob/e7c2ad2850a1beb4b7299c5d0c27520ee80bd2ce/Formula/libdap.rb

@ilovezfs

commit e7c2ad2850a1beb4b7299c5d0c27520ee80bd2ce
Author: BrewTestBot <brew-test-bot@googlegroups.com>
Date:   Sat Sep 30 14:33:47 2017 +0000

    libdap: update 3.19.1 bottle.

commit d4326b0430500f51275da33f2b1bc372a3896fe6
Author: ilovezfs <ilovezfs@icloud.com>
Date:   Sat Sep 30 06:23:57 2017 -0700

    libdap 3.19.1
    
    Closes #18773.
    
    Signed-off-by: ilovezfs <ilovezfs@icloud.com>

So it seems someone decided to overwrite the original tarball two months after it was originally posted with a different tarball.

@ilovezfs

Note that for security reasons we cannot update the checksum in Homebrew until we understand what exactly happened here.

Also, note that Homebrew/homebrew-core#18773 was green on our CI meaning the checksum in the formula matched both my local download and the independent downloads on our three CI servers.

@hectorlee
Author

@ilovezfs thanks for the investigation. Hope it can be resolved soon. It was blocking the completion of my install for gdal. Will look for another solution in the meantime. Thanks.

@jgallagher59701
Member

Fixed. Here's what happened: In late Sept we planned on releasing our data server and pushed libdap-3.19.1 up to our ftp site. But other commitments meant that some issues in the rest of the server had to wait to be fixed. As a result we didn't release the server until early Dec and I (mistakenly) built a new source dist for libdap on a different host. I've replaced that with the original one and the sha256 of the original matches the one homebrew expects. I also checked that the package that you got that failed the check is not the result of malicious action - it was the source dist I built in early Dec.

Please let me know if this does not fix your build issues.
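The explanation above (a source dist rebuilt on a different host, replacing the tarball the formula was pinned against) is the common benign cause of a pinned-digest mismatch. As an added example, not code from this issue and not Homebrew's or OPeNDAP's own tooling, the following Python script reproduces the formula's SHA-256 comparison and then triages a failing download: given a copy that matched the pinned digest (for instance the one CI downloaded in September) and the candidate that failed, it reports whether only the archive metadata (tar headers: mtime, owner) changed or whether the file contents themselves changed. The archive names, file contents and timestamps are constructed in memory for the demonstration and are hypothetical; nothing is downloaded.

```python
"""Added example (not code from the issue, Homebrew or OPeNDAP): check a
tarball against a pinned SHA-256 the way a formula does, then triage a
mismatch by comparing file contents inside the archive, ignoring tar
metadata. All archives below are constructed in memory; the member
names and contents are hypothetical stand-ins for libdap-3.19.1.tar.gz."""

import hashlib
import hmac
import io
import tarfile


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string, as printed by `shasum -a 256`."""
    return hashlib.sha256(data).hexdigest()


def check_sha256(data: bytes, expected_hex: str) -> bool:
    """The formula check: does the download match the pinned digest?"""
    return hmac.compare_digest(sha256_hex(data), expected_hex.lower())


def build_tarball(files: dict, mtime: int, owner: str) -> bytes:
    """Build an uncompressed tar archive with fixed metadata, so the archive
    bytes depend only on (contents, mtime, owner) and the demo is deterministic."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in sorted(files):
            content = files[name]
            info = tarfile.TarInfo(name)
            info.size = len(content)
            info.mtime = mtime
            info.uid = info.gid = 0
            info.uname = info.gname = owner
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def member_digests(tarball: bytes) -> dict:
    """SHA-256 of every regular file inside the archive, keyed by path.
    Header metadata (mtime, owner, mode) is deliberately ignored."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r") as tf:
        for member in tf.getmembers():
            if member.isfile():
                digests[member.name] = sha256_hex(tf.extractfile(member).read())
    return digests


def explain_mismatch(pinned_hex: str, known_good: bytes, candidate: bytes) -> str:
    """Triage verdict for a candidate download against a pinned digest and a
    copy (known_good) that is known to have matched that digest."""
    if check_sha256(candidate, pinned_hex):
        return "match"
    if member_digests(known_good) == member_digests(candidate):
        return "metadata-only"    # repacked: same files, different tar headers
    return "content-changed"      # files differ: list them and ask upstream


# Constructed sample: a tiny stand-in for the real source dist.
FILES = {
    "libdap-3.19.1/README": b"libdap 3.19.1\n",
    "libdap-3.19.1/configure": b"#!/bin/sh\nexit 0\n",
}
ORIGINAL = build_tarball(FILES, mtime=1506700000, owner="release")
PINNED = sha256_hex(ORIGINAL)           # what a formula would have pinned
REBUILT = build_tarball(FILES, mtime=1512300000, owner="other-host")
TAMPERED = build_tarball(
    {**FILES, "libdap-3.19.1/configure": b"#!/bin/sh\necho changed\n"},
    mtime=1506700000, owner="release")

if __name__ == "__main__":
    for label, candidate in (("original", ORIGINAL), ("rebuilt", REBUILT),
                             ("tampered", TAMPERED)):
        print(f"{label:9s} sha256={sha256_hex(candidate)[:16]}... "
              f"verdict={explain_mismatch(PINNED, ORIGINAL, candidate)}")
```

A "metadata-only" verdict narrows the question but does not replace the upstream signature check jgallagher59701 ran with gpg; the signature is what ties the file to the publisher, the digest only ties it to the formula. A "content-changed" verdict is a list of files to diff, not proof of tampering: a genuinely rebuilt autotools source dist usually also regenerates configure and the Makefile.in files. The example uses uncompressed tar so the bytes are reproducible; for the real .tar.gz the gzip header carries its own timestamp, which is one more metadata-only reason two honest builds of the same tree hash differently.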

@ilovezfs

Thanks for the detailed explanation @jgallagher59701! It looks like we're all good again:

iMac-TMP:~ joe$ brew fetch -fs libdap
==> Downloading https://www.opendap.org/pub/source/libdap-3.19.1.tar.gz
######################################################################## 100.0%
Downloaded to: /Users/joe/Library/Caches/Homebrew/libdap-3.19.1.tar.gz
SHA256: 5215434bacf385ba3f7445494ce400a5ade3995533d8d38bb97fcef1478ad33e
iMac-TMP:~ joe$
