https://pulumi.com logo
#general
Title
# general
a

adorable-gpu-98268

02/28/2022, 10:22 AM
Hi, it seems to me the checksums for pulumi 3.25.0 for linux-x64 do not match the file:
Copy code
curl -O "<https://get.pulumi.com/releases/sdk/pulumi-v3.25.0-linux-x64.tar.gz>"
curl -O "<https://get.pulumi.com/releases/sdk/pulumi-3.25.0-checksums.txt>"
sha256sum -c pulumi-3.25.0-checksums.txt
returns:
Copy code
...
sha256sum: WARNING: 1 computed checksum did NOT match
e

echoing-dinner-19531

02/28/2022, 10:28 AM
Odd, checks out ok to me and matches what our release job printed:
Copy code
sha256sum pulumi-v3.25.0-linux-x64.tar.gz
7c283885947a563fd956d6b6146aa0ab243569dae20a912328afc3b7ca568596  pulumi-v3.25.0-linux-x64.tar.gz
https://github.com/pulumi/pulumi/runs/5312955548?check_suite_focus=true:
Copy code
7c283885947a563fd956d6b6146aa0ab243569dae20a912328afc3b7ca568596  pulumi-v3.25.0-linux-x64.tar.gz
a

adorable-gpu-98268

02/28/2022, 10:29 AM
This is what I get:
Copy code
~ % sha256sum pulumi-v3.25.0-linux-x64.tar.gz 
fded5fbde6f9f6eec598ce17b047d96536824dfc4dbba2028f48eba36a1a78f0  pulumi-v3.25.0-linux-x64.tar.gz
e

echoing-dinner-19531

02/28/2022, 10:32 AM
Interesting, let me test another machine
Can you raise an issue on our github about this, it all seems ok to my machines but maybe there's some location variation on how this is downloaded.
a

adorable-gpu-98268

02/28/2022, 10:35 AM
That’s the file that
curl -O "<https://get.pulumi.com/releases/sdk/pulumi-v3.25.0-linux-x64.tar.gz>"
downloads for me:
e

echoing-dinner-19531

02/28/2022, 10:38 AM
Yeh I'm not equipped to try and decipher potentially compromised files. Please raise an issue.
a

adorable-gpu-98268

02/28/2022, 10:49 AM
I’ll link to this thread here with the file in the github issue
e

echoing-dinner-19531

02/28/2022, 11:03 AM
Thanks, some more digging that checksum matches whats on github releases. Not sure how we've ended up with different files on releases vs get.pulumi.com
I'll post any further updates on the github issue.
a

adorable-gpu-98268

02/28/2022, 11:04 AM
Thanks, that looks like a good lead!
Strange thing is: I get different files based on downloading with
culr/wget
or
Safari
from this same url. The cmd tools give me the file that doesn’t match and the Safari download gives me the file that matches.
Any updates on this? I use the checksum to lock the pulumi version used in a build, so to upgrade to 3.25.0 I’d like to have checksums that match the binary.
e

echoing-dinner-19531

03/01/2022, 9:03 AM
Sorry, the release went out twice but it looks like between the first binaries being pushed and then the seconds ones being pushed and overwriting them someone hit the download link and populated the cloudfront cache in one location. I don't have write access to that aws account and I guess our ops team (in America) missed the thread yesterday, I'll give them a nudge and try to get that done this evening. You could download from github releases instead of get.pulumi.com for now if you need the checksums to match.
a

adorable-gpu-98268

03/01/2022, 9:11 AM
Thanks 👍 I’ll wait with the update until this is fixed.
m

miniature-musician-31262

03/01/2022, 7:19 PM
Hi there. We’ve cleared the cache on both
/releases/sdk/pulumi-3.25*
and
/releases/sdk/pulumi-v3.25.*
, so I believe this is fixed. Let us know if you’re still seeing otherwise, though.
2 Views