On Thu, Feb 01, 2024 at 03:02:50PM +0100, Gilles Peskine wrote:
Date: Thu, 1 Feb 2024 15:02:50 +0100
From: Gilles Peskine gilles.peskine@arm.com
To: Wojtek Porczyk woju@invisiblethingslab.com, mbed-tls@lists.trustedfirmware.org
Subject: Re: [mbed-tls] SHA-256 mismatch for mbedtls-3.5.2.tar.gz
User-Agent: Mozilla Thunderbird

Hello,
GitHub offers two downloads: mbedtls-${version}.tar.gz and v${version}.tar.gz. (That's because GitHub releases have to have a tag called v${version}, and in addition there's the tag naming scheme we normally use which is mbedtls-${version}.) They're identical apart from the directory name. It looks like we mixed up the checksums in the release announcements: they're the checksums of the v files but we give the names of the mbedtls- files. Sorry for the confusion, I'll go and fix the release announcements.
Thanks for the clarification. For the record, I was able to reproduce both of those archives directly from a repo checkout:
% git co v3.5.2
Previous HEAD position was [...]
HEAD is now at daca7a3979c2 Update BRANCHES.md
% git head
commit daca7a3979c22da155ec9dce49ab1abf3b65d3a9 (HEAD, tag: v3.5.2, tag: mbedtls-3.5.2, origin/master)
Author: Dave Rodgman dave.rodgman@arm.com
Date: Wed Jan 24 09:49:11 2024 +0000

    Update BRANCHES.md

    Signed-off-by: Dave Rodgman dave.rodgman@arm.com
% git archive --format=tar.gz --prefix mbedtls-mbedtls-3.5.2/ HEAD | sha256sum -
eedecc468b3f8d052ef05a9d42bf63f04c8a1c50d1c5a94c251c681365a2c723 -
% git archive --format=tar.gz --prefix mbedtls-3.5.2/ HEAD | sha256sum -
35890edf1a2c7a7e29eac3118d43302c3e1173e0df0ebaf5db56126dabe5bb05 -
(note --prefix). So it's a false alarm.
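
Added example, not part of the original message and not Mbed TLS project code: a Python sketch of confirming that two release archives with different SHA-256 values are identical apart from the top-level directory name, which is the situation the thread describes. The file tree, the helper names and the tampered variant are constructed for illustration.

```python
import hashlib
import io
import tarfile

def build_archive(prefix, files):
    """Build an in-memory tar.gz whose members all live under prefix/."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(f"{prefix}/{name}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def content_manifest(archive_bytes):
    """Map each regular file's path, minus the top-level directory, to its SHA-256.

    Only regular files are hashed; other member types are ignored here.
    """
    manifest, tops = {}, set()
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        for member in tar:
            top, _, rest = member.name.partition("/")
            tops.add(top)
            if member.isfile():
                data = tar.extractfile(member).read()
                manifest[rest] = hashlib.sha256(data).hexdigest()
    if len(tops) != 1:
        raise ValueError(f"expected one top-level directory, found {sorted(tops)}")
    return manifest

def compare(a, b):
    """Return (archive hashes equal, contents equal ignoring the top-level dir)."""
    same_hash = hashlib.sha256(a).digest() == hashlib.sha256(b).digest()
    return same_hash, content_manifest(a) == content_manifest(b)

# Constructed sample tree standing in for a release checkout.
SAMPLE = {"README.md": b"constructed sample\n", "library/sha256.c": b"/* sample */\n"}
A = build_archive("mbedtls-3.5.2", SAMPLE)
B = build_archive("mbedtls-mbedtls-3.5.2", SAMPLE)
TAMPERED = build_archive(
    "mbedtls-3.5.2", {**SAMPLE, "library/sha256.c": b"/* changed */\n"}
)

if __name__ == "__main__":
    print("prefix differs only:", compare(A, B))
    print("content differs:    ", compare(A, TAMPERED))
```

A whole-archive hash mismatch alone does not distinguish a renamed prefix from changed contents; the per-file manifest does.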