Files integrity

The place to discuss linux version of MakeMKV
mkv-user1
Posts: 2
Joined: Thu May 28, 2026 2:51 am

Files integrity

Post by mkv-user1 »

Hi,
Has anyone noticed that the hash checksum for both tar.gz files is different from the checksums provided here:

https://www.makemkv.com/download/makemkv-sha-1.18.3.txt

Installation files for Windows and macOS are OK.

makemkv-bin-1.18.3.tar.gz - 3883ad40907f737d4dad5a846ec93d2327458da0f48b1090578d0f3afa34ee7e
makemkv-oss-1.18.3.tar.gz - 62b08895d3f439a7553b4874df5fa6e36b484c7d2c22404b6c3f2cae816c4383

Is it just a mistake and the admin forgot to update the makemkv-sha-1.18.3.txt file, or are both files compromised?
tomty89
Posts: 102
Joined: Sun Dec 13, 2020 8:48 am

Re: Files integrity

Post by tomty89 »

> is it just a mistake and the admin forgot to update
No, unless the files were for reasons changed very recently without getting a version bump. The checksums in the txt are the same ones as in https://aur.archlinux.org/cgit/aur.git/ ... 6d7b178478. It has been building fine. Last time I built it was like a couple of days ago.
> both files are compromised
Maybe.
Sayaka
Posts: 33
Joined: Sat Feb 28, 2026 3:00 pm

Re: Files integrity

Post by Sayaka »

> Has anyone noticed that the hash checksum for both tar.gz files is different from the checksums provided here:
>
> https://www.makemkv.com/download/makemkv-sha-1.18.3.txt
The checksums for v1.17.6 and v1.17.7 also appear to differ for Linux (once again, the checksums for Windows and macOS appear to match). I haven't tested the other versions yet.
MrPenguin
Posts: 1922
Joined: Thu Oct 19, 2023 11:31 pm

Re: Files integrity

Post by MrPenguin »

> Sayaka wrote:
> Fri May 29, 2026 10:37 am
> > Has anyone noticed that the hash checksum for both tar.gz files is different from the checksums provided here:
> The checksums for v1.17.6 and v1.17.7 also appear to differ for Linux (once again, the checksums for Windows and macOS appear to match). I haven't tested the other versions yet.
Both .tar.gz files for Linux are correct, but mis-packaged. Do the following:

$ wget https://www.makemkv.com/download/makemkv-bin-1.18.3.tar.gz
$ gunzip makemkv-bin-1.18.3.tar.gz
$ mv makemkv-bin-1.18.3.tar makemkv-bin-1.18.3.tgz
$ sha256sum makemkv-bin-1.18.3.tgz
and you should get:

c1ee720ae91b276a7c89be861146c5b934631831e8d6c8f453406435724e92bd
And similarly for makemkv-oss-1.18.3.tar.gz, of course.
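
The check described in the post above can be done without renaming files or running tar. This is an added example, not part of any post in the thread: `is_gzip`, `sha256_of` and `find_layer` are hypothetical helper names, and the expected hash is whatever value you copy from the published .txt file.

```shell
#!/bin/sh
# Added example: hash a download at each gzip layer; tar is never invoked.

# True if FILE starts with the gzip magic bytes 1f 8b.
is_gzip() {
    [ "$(head -c 2 "$1" | od -An -tx1 | tr -d ' \n')" = "1f8b" ]
}

# Print only the hex SHA-256 digest of FILE.
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# find_layer FILE EXPECTED [MAX_LAYERS]   (hypothetical helper)
# Prints how many gzip layers were removed when the digest equals EXPECTED
# (0 = file exactly as downloaded). Returns 1 if no layer matches.
find_layer() {
    file=$1; expected=$2; max=${3:-3}
    work=$(mktemp -d) || return 2
    cp "$file" "$work/layer0" || { rm -rf "$work"; return 2; }
    depth=0
    while :; do
        cur="$work/layer$depth"
        if [ "$(sha256_of "$cur")" = "$expected" ]; then
            echo "$depth"; rm -rf "$work"; return 0
        fi
        # Stop at the layer cap or once the data is no longer gzip.
        if [ "$depth" -ge "$max" ] || ! is_gzip "$cur"; then break; fi
        next=$((depth + 1))
        # Read from stdin so gzip ignores the file name and suffix.
        gzip -dc < "$cur" > "$work/layer$next" || break
        rm -f "$cur"
        depth=$next
    done
    rm -rf "$work"
    return 1
}

# Usage: sh find_layer.sh makemkv-bin-1.18.3.tar.gz <sha256 from the .txt>
if [ "$#" -eq 2 ]; then
    n=$(find_layer "$1" "$2") || { echo "no layer matches: do not unpack" >&2; exit 1; }
    echo "published hash matches after removing $n gzip layer(s)"
fi
```

A result of 1 corresponds to the double-gzip case described above; the script only compares digests and does not check the signature on the hash file itself.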
tomty89
Posts: 102
Joined: Sun Dec 13, 2020 8:48 am

Re: Files integrity

Post by tomty89 »

It's still somewhat strange and suspicious (even though I know this "double-gzip'ing" issue has happened before), especially when it didn't happen when the version was first released but after such a long time.
mkv-user1
Posts: 2
Joined: Thu May 28, 2026 2:51 am

Re: Files integrity

Post by mkv-user1 »

I agree with tomty89, are we really supposed to install software with an incorrect checksum on our desktops? Maybe it's a mis-packaging issue, maybe it's malware, who knows.
The whole point of a file checksum is trust - if it matches, it means that we have the original installation file, if not - who knows what happened.
I mean, it's not uncommon; just recently Notepad++, very trustworthy software, was compromised, and the same thing happened to HandBrake years ago.

We have forum admins, can they correct either the Linux packages or the hash file on the MakeMKV website?
Sayaka
Posts: 33
Joined: Sat Feb 28, 2026 3:00 pm

Re: Files integrity

Post by Sayaka »

> MrPenguin wrote:
> Fri May 29, 2026 2:10 pm
> Both .tar.gz files for Linux are correct, but mis-packaged. Do the following:
>
> $ wget https://www.makemkv.com/download/makemkv-bin-1.18.3.tar.gz
> $ gunzip makemkv-bin-1.18.3.tar.gz
> $ mv makemkv-bin-1.18.3.tar makemkv-bin-1.18.3.tgz
> $ sha256sum makemkv-bin-1.18.3.tgz
>
> and you should get:
>
> c1ee720ae91b276a7c89be861146c5b934631831e8d6c8f453406435724e92bd
>
> And similarly for makemkv-oss-1.18.3.tar.gz, of course.
Apologies for being late, but thank you. I can confirm that the same is true for 1.17.6 and 1.17.7 as well.
> The whole point of a file checksum is trust - if it matches, it means that we have the original installation file, if not - who knows what happened.
Unless the .txt hash files themselves were somehow also tampered with (and wouldn't that be unlikely, with the PGP signature being correct?), the odds that a malware-infected MakeMKV could somehow generate a valid SHA256 hash on an archive file, even a mispackaged one, are basically non-existent. See here: https://condensation.io/notes/hash-collisions/
tomty89
Posts: 102
Joined: Sun Dec 13, 2020 8:48 am

Re: Files integrity

Post by tomty89 »

The problem with the situation here is not so much that MakeMKV might be tampered with. Rather, it is that we have no idea what the "extra layer" might contain, e.g. something that triggers / leverages a loophole or so in gzip or tar. (Of course it is not very likely for it to be malicious or problematic, but it's not like we haven't seen something like a malicious gif either.)
Sayaka
Posts: 33
Joined: Sat Feb 28, 2026 3:00 pm

Re: Files integrity

Post by Sayaka »

> The problem with the situation here is not so much that MakeMKV might be tampered with. Rather, it is that we have no idea what the "extra layer" might contain, e.g. something that triggers / leverages a loophole or so in gzip or tar. (Of course it is not very likely for it to be malicious or problematic, but it's not like we haven't seen something like a malicious gif either.)
That's a good point.

Possible "ultimate paranoia" (I too am cautious when it comes to security) temporary workaround :) :

1) Boot a Linux OS into RAM with a USB drive.
2) Disable kernel access to all writable storage media except for USB drives. Now the live OS shouldn't have access to your SSDs and HDDs anymore. Or if you want to be 100% sure, there shouldn't be anything preventing you from physically removing your SSDs and HDDs before booting the live OS.
3) From the live OS, download MakeMKV for Linux. Unpack the archives with gunzip.
4) Copy these files onto another USB drive (it could even be the same USB drive, if you have a partition for them).
5) Verify the checksums of the "tar" files on the USB drive.
6) Because the checksums will likely be correct, you will know that MakeMKV wasn't tampered with.
7) Shut down your computer.
8) Reboot into your normal Linux OS. (Don't forget to put your SSDs and HDDs back where they belong beforehand if you removed them.)
9) Verify the checksums of the MakeMKV "tar" files on the USB drive again, just to make sure there wasn't some crazy tar/gzip malware that tampered with them when you gave your computer the order to shut down.
10) Finish fully unpacking the archives.
11) Install MakeMKV.

Inconvenient, but that would work, yes?