Files integrity

[mkv-user1]

Hi,
has anyone noticed that hash checksum for both tar.gz files is different from checksums provided here:

https://www.makemkv.com/download/makemkv-sha-1.18.3.txt

installation files for windows and macos are OK

makemkv-bin-1.18.3.tar.gz - 3883ad40907f737d4dad5a846ec93d2327458da0f48b1090578d0f3afa34ee7e
makemkv-oss-1.18.3.tar.gz - 62b08895d3f439a7553b4874df5fa6e36b484c7d2c22404b6c3f2cae816c4383

is it just mistake and admin forget to update makemkv-sha-1.18.3.txt file or both files are compromised?

[tomty89]

is it just mistake and admin forget to update

No, unless the files were for reasons changed very recently without getting a version bump. The checksums in the txt are the same one in https://aur.archlinux.org/cgit/aur.git/ ... 6d7b178478. It has been building fine. Last time I built it was like a couple days ago.

both files are compromised

Maybe.

[Sayaka]

has anyone noticed that hash checksum for both tar.gz files is different from checksums provided here:

https://www.makemkv.com/download/makemkv-sha-1.18.3.txt

The checksums for v1.17.6 and v1.17.7 also appear to differ for Linux (once again, the checksums for Windows and macOS appear to match). I haven't tested the other versions yet.

[MrPenguin]

has anyone noticed that hash checksum for both tar.gz files is different from checksums provided here:
The checksums for v1.17.6 and v1.17.7 also appear to differ for Linux (once again, the checksums for Windows and macOS appear to match). I haven't tested the other versions yet.

Both .tar.gz files for Linux are correct, but mis-packaged. Do the following:

Code: Select all

$ wget https://www.makemkv.com/download/makemkv-bin-1.18.3.tar.gz
$ gunzip makemkv-bin-1.18.3.tar.gz
$ mv makemkv-bin-1.18.3.tar makemkv-bin-1.18.3.tgz
$ sha256sum makemkv-bin-1.18.3.tgz

and you should get:

Code: Select all

c1ee720ae91b276a7c89be861146c5b934631831e8d6c8f453406435724e92bd

And similarly for makemkv-oss-1.18.3.tar.gz, of course.

[tomty89]

It's still somewhat strange and suspicious (even though I know this "double-gzip'ing" issue has happend before), especially when it didn't happen when the version was first released but after such a long time.

[mkv-user1]

I agree with tomty89, are we really suppose to install on our desktops software with incorrect checksum? maybe it's mis-packge issue, maybe it's malware, who knows.
The whole point of file checksum is trust - if it match, it means that we have original installation file, if not - who knows what happen.
i mean, it's not uncommon, just recently notepad++, very trustworthy software was compromised, same thing happened to handbreak years ago.


we have forum admins, can they correct either linux packges or hash file on makemkv website?

[Sayaka]

Both .tar.gz files for Linux are correct, but mis-packaged. Do the following:

Code: Select all

$ wget https://www.makemkv.com/download/makemkv-bin-1.18.3.tar.gz
$ gunzip makemkv-bin-1.18.3.tar.gz
$ mv makemkv-bin-1.18.3.tar makemkv-bin-1.18.3.tgz
$ sha256sum makemkv-bin-1.18.3.tgz

and you should get:

Code: Select all

c1ee720ae91b276a7c89be861146c5b934631831e8d6c8f453406435724e92bd

And similarly for makemkv-oss-1.18.3.tar.gz, of course.

Apologies for being late, but thank you. I can confirm that the same is true for 1.17.6 and 1.17.7 as well.

The whole point of file checksum is trust - if it match, it means that we have original installation file, if not - who knows what happen.

Unless the .txt hash files themselves were somehow also tampered with (and wouldn't that be unlikely, with the PGP signature being correct ?), the odds that a malware-infected MakeMKV could somehow generate a valid SHA-256 hash on an archive file, even a mispackaged one, are basically non-existent. See here : https://condensation.io/notes/hash-collisions/