This is a really weird bug that is happening on Ubuntu 20.04 LTS (Live ISO!!!) and Kali 2020.2, but not Debian 10 (so, it affects at least apt 2.0.2ubuntu0.1 and does not affect 1.8.2.1). It also only occurs on a single PC (as far as I know). All testing was done in VirtualBox and moving VMs to another PC fixed the issue (without changing anything inside the VM).
On running "apt update", there is an error "Hash Sum mismatch" which shows that the SHA1 and SHA256 hashes differ from the expected ones (while MD5 and file size are correct). E.g.:
Hash Sum mismatch
Hashes of expected file:
- Filesize:314536 [weak]
- SHA256:aa1c6c96b09a0c695dc475d99b407c675e564fbfe51b3e26230c6320b45666d0
- SHA1:4f438d7e0c78dfb0486f86dc0a3dba30575eb617 [weak]
- MD5Sum:5269212c54feb3dceabadb66583f6778 [weak]
Hashes of received file:
- SHA256:f47a968e7a10aff91df8b1d3f682ce11d161ff1b17056268b9ae1c10447523b2
- SHA1:2839e062232ed234d0c04e60fe6b2a687c950e5b [weak]
- MD5Sum:5269212c54feb3dceabadb66583f6778 [weak]
- Filesize:314536 [weak]
I ran a packet capture and extracted the archives which are getting verified. All of their hashes are correct (exactly as expected).
It seems that calculating SHA1 and SHA256 the way APT does it produces a wrong result, while running the command line tools sha1sum and sha256sum (on the same PC inside the same VM) produces the correct result.
I wrote a minimal reproducible example (hashtest.cc) that produces output such as this:
Calculating hashes same way apt does.
- MD5Sum: c89b13b76197d0d554400e00e46c0740
- SHA1: f6901a4486e69a1f503401daa02b520f1b0e22ba
- SHA256: 9075301b3961aca23b69bf2868a18dca184b383a0ec1de35516f0a8a182c2cb6
- SHA512: 7506f6f5c5d5e97f8c6ecac2489e7d6260002bd530370c6193a04620f94285dca0f5cf2bb9ead40afbd72fdf3a239349a57f81165b5b857af6ad7ddeab8da036
- Checksum-FileSize: 892549
Calculating hashes through command line tools.
- md5sum: c89b13b76197d0d554400e00e46c0740
- sha1sum: f6901a4486e69a1f503401daa02b520f1b0e22ba
- sha256sum: 9075301b3961aca23b69bf2868a18dca184b383a0ec1de35516f0a8a182c2cb6
- sha512sum: 7506f6f5c5d5e97f8c6ecac2489e7d6260002bd530370c6193a04620f94285dca0f5cf2bb9ead40afbd72fdf3a239349a57f81165b5b857af6ad7ddeab8da036
It's in the attachment alongside an example file that causes this hash mismatch. There's also debug.log which contains various versions, etc. (although, as I said, it has been verified on the latest Ubuntu Live ISO).
I have a suspicion that the bug is in the gcrypt library, not apt itself, but I haven't yet verified it. The libgcrypt20 version in Ubuntu is 1.8.5-5ubuntu1 (in Kali as well), while Debian 10 (which isn't affected) uses 1.8.4-5.
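The cross-check this report performs by hand (hash the captured file with an independent tool and compare against what apt printed), as an added Python example that is not part of the report or of apt: it parses apt's "Hash Sum mismatch" layout, uses hashlib in place of sha1sum/sha256sum as the independent implementation, and tells apart "apt's own digest is wrong" from "the downloaded file really differs". The sample bytes and the make_report helper are constructed here for illustration only.

```python
import hashlib
# Algorithm labels as apt prints them, mapped to hashlib constructors.
ALGOS = {"MD5Sum": hashlib.md5, "SHA1": hashlib.sha1,
         "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}

def parse_mismatch(report):
    """Parse apt's 'Hash Sum mismatch' text into expected/received dicts
    (algorithm or 'Filesize' -> value, with the '[weak]' marker removed)."""
    sections, current = {"expected": {}, "received": {}}, None
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith("Hashes of expected file"):
            current = sections["expected"]
        elif line.startswith("Hashes of received file"):
            current = sections["received"]
        elif line.startswith("- ") and current is not None:
            name, _, value = line[2:].partition(":")
            current[name.strip()] = value.replace("[weak]", "").strip()
    return sections

def local_digests(data):
    """Hash the bytes with hashlib, independently of apt's own (libgcrypt) code."""
    out = {name: fn(data).hexdigest() for name, fn in ALGOS.items()}
    out["Filesize"] = str(len(data))
    return out

def diagnose(report, data):
    """Per value apt lists on both sides: 'ok' (all three agree), 'apt-hash-wrong'
    (file matches the archive's value, apt's digest differs), 'file-differs' (apt
    hashed correctly, the download is not the promised file) or 'inconsistent'."""
    parsed, local = parse_mismatch(report), local_digests(data)
    verdict = {}
    for name in parsed["expected"].keys() & parsed["received"].keys() & local.keys():
        exp, rec, loc = parsed["expected"][name], parsed["received"][name], local[name]
        if loc == exp == rec:
            verdict[name] = "ok"
        elif loc == exp:
            verdict[name] = "apt-hash-wrong"
        elif loc == rec:
            verdict[name] = "file-differs"
        else:
            verdict[name] = "inconsistent"
    return verdict

def make_report(expected, received):
    # Constructed helper: render two dicts in apt's layout to build test input.
    lines = ["Hash Sum mismatch", "Hashes of expected file:"]
    lines += [" - %s:%s [weak]" % kv for kv in expected.items()]
    lines += ["Hashes of received file:"] + [" - %s:%s [weak]" % kv for kv in received.items()]
    return "\n".join(lines)
```

Run diagnose() on the file recovered from the capture together with the error text apt printed; in the situation this report describes (MD5 and size agree, SHA1/SHA256 do not, file intact) the SHA entries come back as "apt-hash-wrong".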