[SRU] hash mismatch or wrong accept-license key trying to install virtualbox-ext-pack 5.2.10

Bug #1767402 reported by Jonathan Kamens on 2018-04-27
680
This bug affects 214 people
Affects Status Importance Assigned to Milestone
virtualbox-ext-pack (Ubuntu)
Critical
Gianfranco Costamagna
Bionic
Critical
Gianfranco Costamagna

Bug Description

[Impact]
* Upgrades from xenial/artful to bionic

[Test Case]
* Installation fails because upstream changed the hash of the file

[Regression Potential]
* None.

[Other info]
The file will be downloaded into /usr/share/virtualbox-ext-pack
Hash mismatch Oracle_VM_VirtualBox_Extension_Pack-5.2.10.vbox-extpack: expected 8c31bc1d0337e6668e0d9140defc6deaf265087f855783dd09b873a064a70703, or wrong accept-license key
dpkg: error processing package virtualbox-ext-pack (--configure):
 installed virtualbox-ext-pack package post-installation script subprocess returned error exit status 1
Errors were encountered while processing:
 virtualbox-ext-pack
E: Sub-process /usr/bin/dpkg returned an error code (1)

I encountered this on an attempt to install the package when it was previously uninstalled.

Then I went to a different machine where it was previously installed successfully and ran dpkg-reconfigure on it. I was prompted to accept the license agreement, but then it, too, failed with the same error.

Both of these machines were upgraded from 17.10 (artful) to 18.04 (bionic) today.

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: virtualbox-ext-pack 5.2.10-3
ProcVersionSignature: Ubuntu 4.13.0-39.44-generic 4.13.16
Uname: Linux 4.13.0-39-generic x86_64
ApportVersion: 2.20.9-0ubuntu7
Architecture: amd64
CurrentDesktop: ubuntu:GNOME
Date: Fri Apr 27 11:08:37 2018
InstallationDate: Installed on 2016-08-09 (625 days ago)
InstallationMedia: Ubuntu 16.04.1 LTS "Xenial Xerus" - Release amd64 (20160719)
PackageArchitecture: all
SourcePackage: virtualbox-ext-pack
UpgradeStatus: Upgraded to bionic on 2018-04-27 (0 days ago)

Jonathan Kamens (jik) wrote :
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in virtualbox-ext-pack (Ubuntu):
status: New → Confirmed

As a workaround I manually downloaded the ext-pack here: https://download.virtualbox.org/virtualbox/5.2.10/Oracle_VM_VirtualBox_Extension_Pack-5.2.10.vbox-extpack
and then in VirtualBox:
File -> Preferences -> Extensions -> Adds new package ("+" Button)

Duplicate bug report with more information in https://bugs.launchpad.net/ubuntu/+source/virtualbox/+bug/1767533.

Changed in virtualbox-ext-pack (Ubuntu):
assignee: nobody → LocutusOfBorg (costamagnagianfranco)
importance: Undecided → Critical
nils (internationils) wrote :

From https://bugs.launchpad.net/ubuntu/+source/virtualbox/+bug/1767533 this seems to be a fairly simple fix:

"...Downloading the older 122088 release I was able to verify this one produces the sha256 checksum named above.
Most probably the "file" named Oracle_VM_VirtualBox_Extension_Pack-5.2.10.vbox-extpack is just a symlink that Oracle changed from the older 122088 version to point the newer 122406 version.

Which would mean the variable hash on line 5 of the postinst script would have to be updated to the checksum of the newer version as well."

Could someone please apply this (if correct)? Vbox not installing stops VMs from working...

nils (internationils) wrote :

I can confirm that the workaround in comment #3 https://bugs.launchpad.net/ubuntu/+source/virtualbox-ext-pack/+bug/1767402/comments/3 works...

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package virtualbox-ext-pack - 5.2.10-4

---------------
virtualbox-ext-pack (5.2.10-4) unstable; urgency=high

  * Fix hash due to upstream change. (Closes: #897052, LP: #1767533,
    LP: #1767402)

 -- Gianfranco Costamagna <email address hidden> Sat, 28 Apr 2018 12:47:11 +0200

Changed in virtualbox-ext-pack (Ubuntu):
status: Confirmed → Fix Released

When will be this package available in the bionic reository?

oleoleole (ole-gidderikke) wrote :

If you're in a hurry, you can use the package from "cosmic":

- Download: https://packages.ubuntu.com/cosmic/all/virtualbox-ext-pack/download

- Install it by "sudo dpkg -i virtualbox-ext-pack_5.2.10-4_all.deb"

zebul666 (zebul666) wrote :

As i sais on duplicated bug, you could simply change the hash to the correct one in the postinst file of the package.

This is a sha256sum.

Thank you very much! :)

Hi, thanks for the solution. How do I edit the "postinst file of the package"?

zebul666 (zebul666) wrote :

You could find the postinst file in /var. Look at the package content with dpkg -L to know its exact location.

No need to repack.

zebul666 (zebul666) wrote :

Sorry. I wrote that quickly. In fact it's not how I find the file. just a

find /var|grep postinst|grep virtualbox

and the file is

/var/lib/dpkg/info/virtualbox-ext-pack.postinst

great! thank you @zebul666

Johannes Petersson (johpe) wrote :

After doing this I still get:
Hash mismatch Oracle_VM_VirtualBox_Extension_Pack-5.2.10.vbox-extpack: expected 5eef217dbe0a8e8caf383ea8db83344517af0f9093
41b5345c8468a427b327b3, or wrong accept-license key
dpkg: error processing package virtualbox-ext-pack (--configure):
 installed virtualbox-ext-pack package post-installation script subprocess returned error exit status 1
Errors were encountered while processing:
 virtualbox-ext-pack

What am I missing?

zebul666 (zebul666) wrote :

omg. where did you find that sha256sum ? it's wrong !

the correct one is 5eef217dbe0a8e8caf383ea8db83344517af0f9093041b5345c8468a427b327b

Wolf Rogner (war-rsb) wrote :

Are we serious about this?

This bug affects a lot of users (see list on the right and probably thousands more).
Messing around in packages with hashes is nontrivial, repackaging either.
This is an official repository that should provide solid, proven and stable packages.

And we want users to fiddle around?

You can't be serious.

HERE IS A MUCH MORE USER-FRIENDLY WORKAROUND:

Go to virtualbox.org
Download Extensions
In VB/Preferences, load the original file
Wait for this package to get fixed properly

Peter Smith (pdo.smith) wrote :

Wolf, thanks for that comment. That is the sensible thing to do and I have just done that.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in virtualbox-ext-pack (Ubuntu Bionic):
status: New → Confirmed

I subscribed release team, the fix is already in the new queue since some days

summary: - hash mismatch or wrong accept-license key trying to install virtualbox-
- ext-pack 5.2.10
+ [SRU] hash mismatch or wrong accept-license key trying to install
+ virtualbox-ext-pack 5.2.10
description: updated
Changed in virtualbox-ext-pack (Ubuntu Bionic):
importance: Undecided → Critical
assignee: nobody → LocutusOfBorg (costamagnagianfranco)
status: Confirmed → In Progress

Hello Jonathan, or anyone else affected,

Accepted virtualbox-ext-pack into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/virtualbox-ext-pack/5.2.10-3ubuntu18.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in virtualbox-ext-pack (Ubuntu Bionic):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-bionic
Hadmut Danisch (hadmut) wrote :

BTW: How do you verify that the hash sum is the correct one?

If you just download the file from somewhere in the internet and take that hash sum to verify the same file, it's not of much use, from a security point of view. It just proofs that it is the very same file again, but not, that it is the original file. Smells a little bit like snakeoil security.

>BTW: How do you verify that the hash sum is the correct one?
>If you just download the file from somewhere in the internet and take that hash sum to verify the >same file, it's not of much use, from a security point of view. It just proofs that it is the very >same file again, but not, that it is the original file. Smells a little bit like snakeoil security.

I take the hashes from the https secured upstream download repository, and verify them with md5 sha256 after downloading in https the ext-pack itself.

the hash validated by me, is then hard-coded in the postinst file, and signed with my personal GPG key, so it is not tamperable anymore.
you can see hashes by yourself if you want.
https://download.virtualbox.org/virtualbox/5.2.10

G.

I confirm the fix in bionic.
Virtualbox starts correctly and the ext pack is installed.

tags: added: verification-done verification-done-bionic
removed: verification-needed verification-needed-bionic
Hadmut Danisch (hadmut) wrote :

But then the hashsum check does not provide significantly more security than just downloading the file via https.

Andy Whitcroft (apw) wrote :

As what is in the archive is utterly uninstallable and the change is a simple textual replacement of the checksum therein it seems reasonable to wave the 7 day waiting period for this now it is verified. Note that this is cratering upgraders and we just started recommending same.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package virtualbox-ext-pack - 5.2.10-3ubuntu18.04.1

---------------
virtualbox-ext-pack (5.2.10-3ubuntu18.04.1) bionic; urgency=high

  * Fix hash due to upstream change. (Closes: #897052, LP: #1767533,
    LP: #1767402)

 -- Gianfranco Costamagna <email address hidden> Sat, 28 Apr 2018 12:47:11 +0200

Changed in virtualbox-ext-pack (Ubuntu Bionic):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for virtualbox-ext-pack has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Wolf Rogner (war-rsb) wrote :

This is what just happened:

package virtualbox-ext-pack (not installed) failed to install/upgrade: installed virtualbox-ext-pack package post-installation script subprocess returned error exit status 1

Does not seem fixed to me.

@wolf, please provide a log, with versions and the command you tried, thanks

>But then the hashsum check does not provide significantly more security
>than just downloading the file via https.

Hadmut, https doesn't mean connection secure, because we can't generally trust the server PKI, and that link used to be in http only since some months ago. A double check of the hash doesn't hurt.
I might consider removing it if I feel comfortable, but right now with all the sslstrip and ettercap plugins around, this might make security worse.

Wolf Rogner (war-rsb) wrote :

I simply reinstalled with apt install virtualbox-ext-pack

After checking the history.log, I figured that the repo does not have the corrected version yet (I use the master repo).

I will retry in a few days.

it should be already good now, if you do an apt-get update :)
when you posted it was waiting a dinstall+publish time

Mike (mikebw) wrote :

Fixed for me as of virtualbox-ext-pack (5.2.10-3ubuntu18.04.1).

I had previously de-installed the package and re-installed the latest version cleanly. I was prompted to accepted the license.

Luca Zulberti (luca-zulberti) wrote :

Fixed for me too, like Mike.

@wolf the Italian server does not have the correct package yet (a hour ago), I had to set the original one to install the new package. Maybe this could be the problem that apply to your situation.

Bernd Späth (bspaeth) wrote :

Package: virtualbox-ext-pack
Version: 5.2.10-3ubuntu18.04.1

Fixed the problem for me as well.
Thanks a lot.

Mike Loeffler (mtl010957) wrote :

Fixed for me with package virtualbox-ext-pack 5.2.10-3ubuntu18.04.1 from bionic-proposed

Wolf Rogner (war-rsb) wrote :

It works with version
virtualbox-ext-pack:amd64 (5.2.10-3ubuntu18.04.1)

Thanks

Robin Kirchner (lootbox) wrote :

How can you remove the extension pack entirely? Trying "apt-get purge virtualbox-ext-pack" or remove gives an error.

"gives an error" is something really helpful to debug the issue! :)

Sundar (sundar-ima) wrote :

The topic is not the relevant one here. But the issue is same. I am unable to install, remove or upgrade the virtualbox-ext-pack. This also affects the normal upgrade process if this package need to be upgraded between other packages. This lead to partial install of newer Linux image and rendered the OS non bootable. Here is the output text from terminal:-

$ sudo apt remove virtualbox-ext-pack
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be REMOVED:
  virtualbox-ext-pack
0 upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
After this operation, 128 kB disk space will be freed.
Do you want to continue? [Y/n] y
(Reading database ... 541278 files and directories currently installed.)
Removing virtualbox-ext-pack (5.2.10-3) ...
0%...10%...20%...30%...40%...50%...60%...70%...80%...90%...100%
Successfully uninstalled "Oracle VM VirtualBox Extension Pack".
VBoxManage: error: The installer failed with exit code 1: VBoxExtPackHelperApp: error: Failed open the base directory: VERR_FILE_NOT_FOUND ('/usr/lib/virtualbox/ExtensionPacks')
VBoxManage: error: rcExit=1
VBoxManage: error: Details: code NS_ERROR_FAILURE (0x80004005), component ExtPackManagerWrap, interface IExtPackManager, callee nsISupports
VBoxManage: error: Context: "Cleanup()" at line 1261 of file VBoxManageMisc.cpp
dpkg: error processing package virtualbox-ext-pack (--remove):
 installed virtualbox-ext-pack package pre-removal script subprocess returned error exit status 1
Errors were encountered while processing:
 virtualbox-ext-pack
E: Sub-process /usr/bin/dpkg returned an error code (1)

Sundar (sundar-ima) wrote :

Here is the output of error message received during upgrade:-

$ sudo apt upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages will be upgraded:
  virtualbox-ext-pack
1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 10.1 kB of archives.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://in.archive.ubuntu.com/ubuntu bionic-updates/multiverse amd64 virtualbox-ext-pack all 5.2.10-3ubuntu18.04.1 [10.1 kB]
Fetched 10.1 kB in 1s (7,178 B/s)
Preconfiguring packages ...
(Reading database ... 541279 files and directories currently installed.)
Preparing to unpack .../virtualbox-ext-pack_5.2.10-3ubuntu18.04.1_all.deb ...
0%...10%...20%...30%...40%...50%...60%...70%...80%...90%...100%
Successfully uninstalled "Oracle VM VirtualBox Extension Pack".
VBoxManage: error: The installer failed with exit code 1: VBoxExtPackHelperApp: error: Failed open the base directory: VERR_FILE_NOT_FOUND ('/usr/lib/virtualbox/ExtensionPacks')
VBoxManage: error: rcExit=1
VBoxManage: error: Details: code NS_ERROR_FAILURE (0x80004005), component ExtPackManagerWrap, interface IExtPackManager, callee nsISupports
VBoxManage: error: Context: "Cleanup()" at line 1261 of file VBoxManageMisc.cpp
dpkg: warning: old virtualbox-ext-pack package pre-removal script subprocess returned error exit status 1
dpkg: trying script from the new package instead ...
0%...10%...20%...30%...40%...50%...60%...70%...80%...90%...100%
Successfully uninstalled "Oracle VM VirtualBox Extension Pack".
VBoxManage: error: The installer failed with exit code 1: VBoxExtPackHelperApp: error: Failed open the base directory: VERR_FILE_NOT_FOUND ('/usr/lib/virtualbox/ExtensionPacks')
VBoxManage: error: rcExit=1
VBoxManage: error: Details: code NS_ERROR_FAILURE (0x80004005), component ExtPackManagerWrap, interface IExtPackManager, callee nsISupports
VBoxManage: error: Context: "Cleanup()" at line 1261 of file VBoxManageMisc.cpp
dpkg: error processing archive /var/cache/apt/archives/virtualbox-ext-pack_5.2.10-3ubuntu18.04.1_all.deb (--unpack):
 new virtualbox-ext-pack package pre-removal script subprocess returned error exit status 1
Errors were encountered while processing:
 /var/cache/apt/archives/virtualbox-ext-pack_5.2.10-3ubuntu18.04.1_all.deb
E: Sub-process /usr/bin/dpkg returned an error code (1)

Sundar (sundar-ima) wrote :

I have solved the issue manually. No help from update and upgrade. This is how solved it:-

1. Download the official oracle ext package from here https://download.virtualbox.org/virtualbox/5.2.10/Oracle_VM_VirtualBox_Extension_Pack-5.2.10.vbox-extpack and choose to open with Virtual box.

2. After successful installation of above extension package, removed the virtualbox-ext-pack package with "sudo apt remove virtualbox-ext-pack" command. See the output here:-
$ sudo apt remove virtualbox-ext-pack
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be REMOVED:
  virtualbox-ext-pack
0 upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
After this operation, 128 kB disk space will be freed.
Do you want to continue? [Y/n] y
(Reading database ... 541278 files and directories currently installed.)
Removing virtualbox-ext-pack (5.2.10-3) ...
0%...10%...20%...30%...40%...50%...60%...70%...80%...90%...100%
Successfully uninstalled "Oracle VM VirtualBox Extension Pack".
Successfully performed extension pack cleanup

Relieved of worries now. :-)

Jonathan Kamens (jik) wrote :

>The topic is not the relevant one here...

Which means that you should open a new bug, not append irrelevant comments to this bug.

Sundar (sundar-ima) wrote :

> Which means that you should open a new bug, not append irrelevant comments to this bug.

Yes. I tried to post it to similar bug report. However, it was already mentioned that this is a duplicate bug of 1767402 (this one). So I have to come over here and posted. That's all. If you feel that I am trolling here, you have all rights to remove my bug report or posts.

Jonathan Kamens (jik) wrote :

*sigh*

You are missing the point.

>I tried to post it to similar bug report.

No. This is entirely the wrong thing to do.

If you are posting about a new issue, you create a new bug report. You don't post about your issue in a "similar bug report." That's not how bug reporting is supposed to work.

If it's a different bug, it needs to be tracked as a different bug report, not as a comment on an existing bug report.

No one is going to work on or fix your issue if you post it as a comment on an existing bug report about a different issue. Do you understand? It will be ignored. It will never get fixed. The fact that you commented will not be in any way helpful to you or anyone else. If you want to actually accomplish something useful, then when you discover a new bug, you need to report it in a new bug report. it's that simple.

Even when you're not sure it's a new bug, if it _might be_ a new issue, you should report it in a new bug report. The maintainer of the package can always mark it as a duplicate.

>If you feel that I am trolling here, you have all rights to remove my bug report or posts.

1) I don't have the authority to remove your comments, I'm just another user here.

2) In fact, it is extremely rare for anyone to ever remove comments from a bug report here or on any of the various bug-tracking platforms, because that destroys audit trails. It would only be done if there were an extremely serious confidentiality or security issue raised by the presence of a comment.

3) When you post a comment on a bug report, all the other people who have participated in that bug report get email about it. These emails can't be "removed" or "taken back" once they are sent. In other words, when you post a comment that is not actually about the bug you post it on, you cause useless email that the recipients don't care about to a bunch of people. That's rude an obnoxious. Please don't do it again.

Sundar (sundar-ima) wrote :

@Jonathan Kamens

Roger that.

@Sundar, if you open a new bug please tell me the number so I can track and hopefully look/triage/report upstream/solve it!
thanks

Hello Jonathan, or anyone else affected,

Accepted virtualbox-ext-pack into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/virtualbox-ext-pack/5.2.18-1~ubuntu18.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in virtualbox-ext-pack (Ubuntu Bionic):
status: Fix Released → Fix Committed
tags: added: verification-needed verification-needed-bionic
removed: verification-done verification-done-bionic

ehm the "5.2.18" is not really fixing this bug, just the changelog entry from debian had reference for it :)
anyway, working too, the hash is correct, so setting back to "verification-done"

tags: added: verification-done verification-done-bionic
removed: verification-needed verification-needed-bionic
To post a comment you must log in.