Bug 527060 - Request for checksum tool for Windows and clarification of instructions for download validation on Windows
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora Documentation
Classification: Fedora
Component: fedora-websites
Version: devel
Hardware: All
OS: Windows
medium
low
Target Milestone: ---
Assignee: Nobody's working on this, feel free to take it
QA Contact: Karsten Wade
URL:
Whiteboard:
Depends On:
Blocks: 532143
Reported: 2009-10-03 20:05 UTC by lothaine
Modified: 2014-06-27 23:12 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 532143 (view as bug list)
Environment:
Last Closed: 2014-06-27 23:12:02 UTC
Embargoed:


Attachments
sha256sum.exe (Windows binary) (219.39 KB, application/octet-stream)
2009-10-30 19:48 UTC, Richard W.M. Jones
coreutils 7.2 patch (3.03 KB, patch)
2009-10-30 19:55 UTC, Richard W.M. Jones
coreutils-7.6.patch (3.28 KB, patch)
2009-11-02 11:56 UTC, Richard W.M. Jones

Description lothaine 2009-10-03 20:05:03 UTC
Description of problem:

I am trying to bootstrap a Fedora installation from Windows.  I would like to offer the following feedback based on my experience.

1.  It would be much more convenient if there were a Windows utility for computing checksums available from the Fedora website.  Yes, there are links to other websites that offer such tools, but this significantly reduces the amount of trust one can place in the tools, especially since they are not typically mainstream, high profile sites.  The page (http://docs.fedoraproject.org/readme-burning-isos/en_US/sn-validating-files.html) even has a prominent warning: "CAVEAT EMPTOR The Fedora Project and Red Hat Inc.. have no control over external sites such as the ones listed above, or the programs they provide" in reference to links to Windows checksum tools.

2. From the home page I first clicked on "Get Fedora" in the sidebar.  After downloading the disc image, I clicked on "Verify your download" which led me to (http://fedoraproject.org/en/verify).  At the top of this page was a link for Windows users with the text "Windows user? Follow these instructions instead." that led to (http://docs.fedoraproject.org/readme-burning-isos/en_US/sn-validating-files.html).  But this page for Windows users was not self contained as the word "instead" implied, since it did not have links to the checksum files.  It would clarify navigation to have all the information needed to verify the download on a single page, first presenting the checksum files, and then offering a choice between Linux or Windows for instructions on how to compute the checksum.


Version-Release number of selected component (if applicable):

The fedoraproject.org site as of the submission of this bug, and Fedora 11.

Comment 1 eric 2009-10-30 17:28:00 UTC
I'm going to take this for action and see if we can come up with a best fix.  I don't know that we'll be able to provide Windows software for validating the checksum, however.

Comment 2 Todd Zullinger 2009-10-30 18:04:23 UTC
Thanks for looking at this Eric.  It still gets brought up to webmaster regularly.

Is building and hosting a Windows executable for sha*sum too difficult or is it forbidden by policy/legal?  Just curious, as I don't have any Windows boxes to care about :).

Comment 3 Paul W. Frields 2009-10-30 18:06:54 UTC
MinGW may make it possible to create such a thing, and there should be no policy or legal bar to hosting a Windows executable for purposes of verifying a download of Fedora media.  CC'ing rjones, an oracle of MinGW knowledge, for a more learned answer.

Comment 4 Richard W.M. Jones 2009-10-30 18:17:36 UTC
Don't know about the legal issues, but technically it's
trivial to create a Windows sha*sum binary from a Fedora
build system -- that's the whole point of the Fedora MinGW
project!

Probably it's as easy as:

  i686-pc-mingw32-gcc sha256sum.c -o sha256sum.exe

but maybe the source will need a few small changes.

CCing epienbro.

Comment 5 Richard W.M. Jones 2009-10-30 18:44:13 UTC
I talked to Jim Meyering about this and confirmed with
my own tests that coreutils is quite easy to cross-compile,
particularly if you just want the simple programs like
sha*sum.

I got it working by doing:

$ mingw32-configure
$ make -C lib
$ make -C src sha256sum.exe

(taking an axe to a few bits that didn't compile), and
after about 10 minutes I ended up with:

coreutils-7.2$ ll src/sha256sum.exe 
-rwxrwxr-x 1 rjones rjones 224656 2009-10-30 18:35 src/sha256sum.exe
coreutils-7.2$ file src/sha256sum.exe 
src/sha256sum.exe: PE32 executable for MS Windows (console) Intel 80386 32-bit

Copying that file over to another machine that has Wine
installed on it gives me:

$ wine ./sha256sum.exe /etc/motd 
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 */etc/motd

Comment 6 Richard W.M. Jones 2009-10-30 18:45:00 UTC
I should probably add that the SHA256 sum does agree
with the one from the equivalent Linux native utility :-)

Comment 7 eric 2009-10-30 19:02:37 UTC
@Richard
Can you provide the .exe binary for the 256 version and attach it to this ticket?  I want to play with mingw some but I want to make sure we have something that works for the webpage.  Thanks!

Comment 8 Todd Zullinger 2009-10-30 19:03:50 UTC
Awesome work Rich!  I suspected this would be possible with MinGW, but I didn't think you'd make it look so trivial to achieve. ;)

Comment 9 Richard W.M. Jones 2009-10-30 19:48:35 UTC
Created attachment 366853 [details]
sha256sum.exe (Windows binary)

Here's the binary that I built in the earlier comment.

Although really we shouldn't be pushing unknown binaries
around the place, but should make this a regular part of the
build process for the live CD or whatever.

Comment 10 Richard W.M. Jones 2009-10-30 19:55:29 UTC
Created attachment 366854 [details]
coreutils 7.2 patch

Just for completeness, here is the patch to coreutils 7.2
to get it to cross compile.  (Recall the command you would
use is: mingw32-configure && make)

It's a complete "hatchet job" on the source, not suitable
for upstreaming.  And the reason it's against the old
coreutils 7.2 was just because that's what I happened to
have on my local machine.

To do this properly will require a few fairly small fixes
to the configure.ac to get it to work properly in the cross-
compile mode, or else you can "seed" correct choices for
autotools by setting ac_* environment variables appropriately.

Comment 11 Ruediger Landmann 2009-10-30 20:52:45 UTC
Just noting that the F12 version of the doc has a link to a cross-compiled version and a GUI tool for validating on Windows:

http://docs.fedoraproject.org/readme-burning-isos/en-US-draft.html#sect-Burning_ISO_images_to_disc-Validating_the_Files

But it would no doubt be nice to host a tool ourselves that we could really vouch for :)

Comment 12 eric 2009-10-30 21:00:33 UTC
(In reply to comment #11)
> Just noting that the F12 version of the doc has a link to a cross-compiled
> version and a GUI tool for validating on Windows:
> 
> http://docs.fedoraproject.org/readme-burning-isos/en-US-draft.html#sect-Burning_ISO_images_to_disc-Validating_the_Files
> 
> But it would no doubt be nice to host a tool ourselves that we could really
> vouch for :)  

Yeah, I think that is the request.  I'll update the readme-burning-isos guide as soon as we get all that straightened out.

Comment 13 Richard W.M. Jones 2009-11-02 11:56:35 UTC
Created attachment 367118 [details]
coreutils-7.6.patch

Updated patch which will cross-compile the checksum programs
of coreutils 7.6.

(1) Download coreutils 7.6 from ftp://ftp.gnu.org/gnu/coreutils/

(2) Apply this patch to the unpacked source.

(3) Make sure you have up to date 'mingw32-gcc' package installed.
(Maybe some other mingw32-* libraries are needed too?)

(4) Do:

  ./BUILD

(5) If it builds successfully you should see:

-rwxrwxr-x 1 rjones rjones 247972 2009-11-02 11:52 ./src/sha1sum.exe
-rwxrwxr-x 1 rjones rjones 320902 2009-11-02 11:52 ./src/sha512sum.exe
-rwxrwxr-x 1 rjones rjones 215510 2009-11-02 11:52 ./src/cksum.exe
-rwxrwxr-x 1 rjones rjones 256902 2009-11-02 11:52 ./src/sha224sum.exe
-rwxrwxr-x 1 rjones rjones 320902 2009-11-02 11:52 ./src/sha384sum.exe
-rwxrwxr-x 1 rjones rjones 256902 2009-11-02 11:52 ./src/sha256sum.exe
-rwxrwxr-x 1 rjones rjones 243869 2009-11-02 11:52 ./src/md5sum.exe

Comment 14 Todd Zullinger 2009-11-20 23:23:59 UTC
Rich,

Many thanks for your incredibly helpful patch and build script.  I played with the the other week and then didn't have time to get it finalized prior to the release of F-12.  In the process, I noticed that the build failed without mingw32-gettext.  But with that, the binary had a requirement on libintl-8.dll.  I further patched src/system.h in coreutils so that it will build without gettext.  I believe passing --disable-nls worked as well, but I didn't experiment all that long.

In order to have something which can be independently verified, I made a mingw32-sha256sum package that can be built in koji.  The spec file, srpm, and a scratch build are available at:

http://tmz.fedorapeople.org/specs/mingw32-sha256sum.spec
http://tmz.fedorapeople.org/packages/mingw32-sha256sum-7.6-1.fc12.src.rpm
http://koji.fedoraproject.org/koji/taskinfo?taskID=1820614

Comments or corrections for this package would be most welcome.  I've used it to verify Fedora-11-i686-Live-CHECKSUM as well as generating an identical sum for the corresponding Fedora-11-i686-Live.iso.

The Fedora-12 *-CHECKSUM files don't fare as well because they lack the * to specify that they should be checked in binary mode.  Adding that, I can verify Fedora-12-i686-Live-CHECKSUM.

I only tested this on Windows XP, 32 bit.  Testing on other versions and architectures would be great.
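
Added example, not part of the thread or of coreutils: a small checker showing why a checksum line without the `*` flag can fail on Windows even when the download is intact. The `windows_text_mode` helper is an assumed model of a Windows C runtime text-mode read (CRLF collapsed to LF, input ending at the first Ctrl-Z byte); all function names and the sample data are constructed for illustration.

```python
import hashlib
import re

# GNU-style checksum line: <hex digest> <space> <mode flag> <file name>,
# where the flag is ' ' for text mode and '*' for binary mode.
LINE_RE = re.compile(r"^([0-9a-fA-F]{64}) ([ *])(.+)$")

def parse_checksum_line(line):
    """Return (digest, binary_flag, name), or None for non-checksum lines."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    return m.group(1).lower(), m.group(2) == "*", m.group(3)

def windows_text_mode(data):
    """Model a Windows C runtime text-mode read (assumption: CRLF is
    collapsed to LF and input ends at the first Ctrl-Z byte, 0x1A)."""
    eof = data.find(b"\x1a")
    if eof != -1:
        data = data[:eof]
    return data.replace(b"\r\n", b"\n")

def check(line, data, windows=True):
    """Verify `data` against one checksum line, honouring the mode flag."""
    parsed = parse_checksum_line(line)
    if parsed is None:
        raise ValueError("not a checksum line: %r" % line)
    digest, binary, name = parsed
    if windows and not binary:
        data = windows_text_mode(data)  # text-mode read changes the bytes
    return name, hashlib.sha256(data).hexdigest() == digest

# Constructed sample standing in for an ISO: binary data with CRLF and 0x1A.
SAMPLE = b"CD001\r\n\x00\x01\x1a\xff" + bytes(range(256)) * 4
DIGEST = hashlib.sha256(SAMPLE).hexdigest()
TEXT_LINE = DIGEST + "  sample.iso"    # no '*': checked in text mode
BINARY_LINE = DIGEST + " *sample.iso"  # '*': checked in binary mode

if __name__ == "__main__":
    for label, line in (("text", TEXT_LINE), ("binary", BINARY_LINE)):
        for windows in (False, True):
            name, ok = check(line, SAMPLE, windows)
            print("%-6s flag, windows=%-5s %s: %s"
                  % (label, windows, name, "OK" if ok else "FAILED"))
```

Only the text-flag line checked under the Windows model reports FAILED; the same digest with the `*` flag verifies on both platforms.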

Comment 15 Richard W.M. Jones 2009-11-24 10:19:29 UTC
(In reply to comment #14)
> Rich,
> 
> Many thanks for your incredibly helpful patch and build script.  I played with
> the the other week and then didn't have time to get it finalized prior to the
> release of F-12.  In the process, I noticed that the build failed without
> mingw32-gettext.  But with that, the binary had a requirement on libintl-8.dll.
>  I further patched src/system.h in coreutils so that it will build without
> gettext.  I believe passing --disable-nls worked as well, but I didn't
> experiment all that long.

You can check the DLLs required by a random *.exe file by doing:

$ i686-pc-mingw32-objdump -p /usr/i686-pc-mingw32/sys-root/mingw/bin/sha256sum.exe | grep 'DLL.Name'
	DLL Name: libintl-8.dll
	DLL Name: KERNEL32.dll
	DLL Name: msvcrt.dll
	DLL Name: msvcrt.dll

So I note that libintl-8.dll is still required.  Maybe that's
because I had mingw32-gettext installed when I built the SRPM.
Of the DLLs above, Windows users won't have libintl-8.dll, but
they will have all the others.

> In order to have something which can be independently verified, I made a
> mingw32-sha256sum package that can be built in koji.  The spec file, srpm, and
> a scratch build are available at:
> 
> http://tmz.fedorapeople.org/specs/mingw32-sha256sum.spec
> http://tmz.fedorapeople.org/packages/mingw32-sha256sum-7.6-1.fc12.src.rpm
> http://koji.fedoraproject.org/koji/taskinfo?taskID=1820614

Spec file looks fine.  I also rebuilt your *.src.rpm file
locally and verified that it works, apart from the libintl-8.dll
problem.

I should just say again that the patch (comment 13) is a big
hack and likely to break on future versions of coreutils.

> Comments or corrections for this package would be most welcome.  I've used it
> to verify Fedora-11-i686-Live-CHECKSUM as well as generating an identical sum
> for the corresponding Fedora-11-i686-Live.iso.
> 
> The Fedora-12 *-CHECKSUM files don't fare as well because they lack the * to
> specify that they should be checked in binary mode.  Adding that, I can verify
> Fedora-12-i686-Live-CHECKSUM.
> 
> I only tested this on Windows XP, 32 bit.  Testing on other versions and
> architectures would be great.  

If it works on Windows XP / 32, then it should work everywhere ...

Comment 16 Erik van Pienbroek 2009-11-24 11:22:58 UTC
(In reply to comment #15)
> You can check the DLLs required by a random *.exe file by doing:
> 
> $ i686-pc-mingw32-objdump -p /usr/i686-pc-mingw32/sys-root/mingw/bin/sha256sum.exe | grep 'DLL.Name'
>  DLL Name: libintl-8.dll
>  DLL Name: KERNEL32.dll
>  DLL Name: msvcrt.dll
>  DLL Name: msvcrt.dll
> 
> So I note that libintl-8.dll is still required.  Maybe that's
> because I had mingw32-gettext installed when I built the SRPM.
> Of the DLLs above, Windows users won't have libintl-8.dll, but
> they will have all the others.

The libintl-8.dll dependency can also be eliminated by using the mingw32-gettext-static package. You might need to use the '-static' libtool parameter to perform a static compilation.

Comment 17 Todd Zullinger 2009-11-24 13:46:30 UTC
> You can check the DLLs required by a random *.exe file by doing:

Ahh, handy.  Don't go showing me too many things like that, or
I'll start building all sorts of MinGW tools to play with. ;)

The packages I built locally and via koji don't have the
libintl-8.dll dep (mingw32-gettext isn't on my system nor in
the buildroot):

i686-pc-mingw32-objdump -p mingw32-sha256sum-7.6-1.fc12.noarch/usr/i686-pc-mingw32/sys-root/mingw/bin/sha256sum.exe | grep -i 'DLL Name:'
	DLL Name: KERNEL32.dll
	DLL Name: msvcrt.dll
	DLL Name: msvcrt.dll

> I should just say again that the patch (comment 13) is a big
> hack and likely to break on future versions of coreutils.

Perhaps future coreutils versions will build without as much
patching for MinGW?  For now though, this is a huge
improvement over asking users to download binaries that we
have no control over, "big hack" or not.

I think I just need to talk to some infrastructure folks about
getting a build that we can keep around for others to verify
against, then upload the resulting sha256sum.exe somewhere
like fp.o/static/tools/sha256sum.exe.  Then we can update
various bits of documentation and have a drink.

Comment 18 Pete Travis 2013-06-17 15:31:52 UTC
Is there anyone working on this, or an interest in doing so? If not, can we close the bug?

Comment 19 Richard W.M. Jones 2013-06-17 15:48:55 UTC
Not as far as I know.

The current advice points to some external tools:

https://fedoraproject.org/en/verify ->

https://docs.fedoraproject.org/en-US/Fedora/18/html/Burning_ISO_images_to_disc/sect-Burning_ISO_images_to_disc-Validating_the_Files-Validating_in_the_Windows_Graphical_Environment.html

I don't have Windows so I can't tell you if these tools
really work, nor if it is still worth replacing the external
tools with a *.exe file that Fedora builds.

But since the bug has been open for aeons and no one has
stepped up to do the work, I suggest closing it.  It can
always be reopened.

Comment 20 Pete Travis 2014-06-27 23:12:02 UTC
This has gone stale. If the issue still needs work, let's discuss it on a list somewhere.

