Getting a validation warning for markdeep script

Open cdsmith opened this issue 5 years ago • 3 comments

./casual-effects.com/markdeep/latest/markdeep.min.js: FAILED
sha256sum: WARNING: 1 computed checksum did NOT match
DANGER: Validation failed for downloaded third-party code; tampered with?

It looks like this pulls the latest version, and validates against a checksum, so it will start failing any time a new markdeep is released. We should either pin the version, or stop validating the checksum. Pinning the version is the safer choice, but I suddenly realize this is volunteering me for a pretty tedious job constantly trying to stay up to date with security bugs and such in downstream libraries. That sucks.

cdsmith avatar Sep 26 '20 16:09 cdsmith

FYI @jbash ; can you remind me how to fix this checksum?

cdsmith avatar Sep 26 '20 16:09 cdsmith

To reset the checksums for all mirrored files to match whatever the Web is providing at the moment:

  1. Erase the existing saved checksums: "rm build/mirrored/sums.txt; touch build/mirrored/sums.txt". You must empty the file; if you delete it, then it'll just get recreated with the old checksums.
  2. Run "mirror/get_mirrored"
  3. Copy the newly updated build/mirrored/sums.txt to mirror/sums.txt.frozen
  4. Commit mirror/sums.txt.frozen

To update the checksum for just one file, you can do the same procedure, except edit the line for that file out of build/mirrored/sums.txt instead of completely emptying the file.

You can also manually edit mirror/sums.txt.frozen, delete build/mirrored/sums.txt, and rerun the download.

If you completely remove mirror/sums.txt.frozen from the repository, I believe that each new tree checked out from Git will just quietly download the current version of every file and record its present checksum in build/mirrored/sums.txt, so it's possible to make each tree do everything on a trust-on-first-use basis. I'm pretty sure I tested that.

NB: mirror/get_mirrored will always download whatever's on the Web even if the checksums don't match; you may or may not see that as the right behavior.

jbash avatar Sep 28 '20 19:09 jbash

Oh, and I think some of the CodeWorld content files still pin the checksums for some of the mirrored objects. They did before and I don't think I removed that. So even if the mirroring code accepts an update, the user's Web browser may still reject it.

jbash avatar Sep 28 '20 19:09 jbash
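The three outcomes the thread describes (pinned digest matches, pinned digest fails after an upstream release, no pin yet so the current download is trusted and recorded) and the hex-to-SRI conversion behind the last comment, as an added example that is not CodeWorld's mirror/get_mirrored code. The file bytes and the frozen sums line are constructed; only the markdeep path is taken from the failing sha256sum output above.

```python
import base64
import hashlib

# Path as reported in the failing sha256sum line in this issue.
MARKDEEP_PATH = "./casual-effects.com/markdeep/latest/markdeep.min.js"

# Constructed stand-ins for the file bytes: the pinned release and a newer one.
SAMPLE_PINNED = b"/* constructed sample: markdeep release A */"
SAMPLE_UPDATED = b"/* constructed sample: markdeep release B */"

def sha256_hex(data: bytes) -> str:
    """Digest in the hex form sha256sum writes to sums.txt."""
    return hashlib.sha256(data).hexdigest()

def sri_from_hex(hex_digest: str) -> str:
    """Convert a sha256sum hex digest to the base64 form a browser's
    <script integrity="sha256-..."> attribute expects."""
    return "sha256-" + base64.b64encode(bytes.fromhex(hex_digest)).decode()

def parse_sums(text: str) -> dict:
    """Parse sha256sum output ('<hex>  <path>' per line) into {path: hex}."""
    sums = {}
    for line in text.splitlines():
        if line.strip():
            digest, _, path = line.strip().partition("  ")
            sums[path] = digest.lower()
    return sums

def validate(path: str, data: bytes, pins: dict) -> str:
    """Check downloaded bytes against the pinned digest for `path`.
    Returns 'OK' on a match, 'FAILED' on a mismatch (the DANGER case), or
    'TOFU' when no pin exists: the digest is then recorded so later runs
    are checked against it (what an emptied sums file leads to)."""
    actual = sha256_hex(data)
    pinned = pins.get(path)
    if pinned is None:
        pins[path] = actual
        return "TOFU"
    return "OK" if pinned == actual else "FAILED"

# A frozen sums file pinning release A, in sha256sum format (constructed).
FROZEN_SUMS = f"{sha256_hex(SAMPLE_PINNED)}  {MARKDEEP_PATH}\n"

if __name__ == "__main__":
    pins = parse_sums(FROZEN_SUMS)
    print(validate(MARKDEEP_PATH, SAMPLE_PINNED, pins))   # OK
    print(validate(MARKDEEP_PATH, SAMPLE_UPDATED, pins))  # FAILED
    print(sri_from_hex(pins[MARKDEEP_PATH]))  # value a pinned <script> tag would carry
```

A content file pinning `sri_from_hex(...)` of release A rejects release B in the browser even after the mirror's sums file has been reset, which is the double-pin situation the last comment points out.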