yq: `rhash` is failing verification on the new release

Describe the bug

I have a tool that pulls the YQ version and checks its rhash value for correctness… for some reason the latest one is failing (the order of the hashes is incorrect on my machine)

To test locally:

docker run --rm -it debian
apt update && apt install curl jq rhash -y
YQ_URL="https://api.github.com/repos/mikefarah/yq/releases/latest"
curl -sSLf -O $(curl -sSLf ${YQ_URL} -o - | jq -r '.assets[] | select(.name|test("linux_amd64$")) | .browser_download_url')
curl -sSLf $(curl -sSLf ${YQ_URL} -o - | jq -r '.assets[] | select(.name|test("checksums$")) | .browser_download_url') -o checksums
rhash -a -c <( grep '^yq_linux_amd64 ' checksums )

--( Verifying XXX )------------------------------------------------------
yq_linux_amd64                                      ERR
--------------------------------------------------------------------------------
Errors Occurred: Errors:1   Miss:0   Success:0   Total:1

Additional context

I tried to compare the versions and found there were 10 checksums that were in the “incorrect” location. I also checked with upstream rhash and that didn’t solve the issue.

Please let me know if there is additional info missing.

About this issue

  • State: closed
  • Created 3 years ago
  • Comments: 15 (7 by maintainers)

Most upvoted comments

I don’t like this. It feels like the equivalent of curl | bash… I have to run an unverified script in order to extract a checksum to verify the signature.

The script is now available in 4.16.2

So basically to validate you’d:

./extract-checksum.sh SHA-256 yq_linux_amd64.tar.gz | rhash -c -
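
The column lookup discussed in this thread can also be done with a few lines of shell, which shows why a wrong hash order makes verification fail. This is an added example, not part of the original thread and not the project's `extract-checksum.sh`; the checksums layout (file name followed by whitespace-separated hashes), the order list passed as an argument, and all function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example: verify one asset against a multi-column checksums file.
# Assumed layout (not confirmed by the page): each line is
#   <file name> <hash 1> <hash 2> ...   separated by whitespace,
# and the column order is supplied as a space-separated list of algorithm names.

# hash_column ORDER ALGO -> prints the 1-based position of ALGO in ORDER
hash_column() {
    local order="$1" algo="$2" i=0 name
    for name in $order; do
        i=$((i + 1))
        if [ "$name" = "$algo" ]; then echo "$i"; return 0; fi
    done
    return 1
}

# verify_asset CHECKSUMS ORDER ALGO FILE -> 0 only if FILE matches its listed hash
verify_asset() {
    local checksums="$1" order="$2" algo="$3" file="$4" col expected actual tool
    case "$algo" in
        SHA-1)   tool=sha1sum ;;
        SHA-256) tool=sha256sum ;;
        SHA-512) tool=sha512sum ;;
        *) echo "unsupported algorithm: $algo" >&2; return 2 ;;
    esac
    col=$(hash_column "$order" "$algo") || { echo "$algo not in order list" >&2; return 2; }
    # Exact match on field 1, so yq_linux_amd64 never matches yq_linux_amd64.tar.gz
    expected=$(awk -v f="$(basename "$file")" -v c="$((col + 1))" \
        '$1 == f { print $c; exit }' "$checksums")
    [ -n "$expected" ] || { echo "no entry for $file" >&2; return 2; }
    actual=$("$tool" "$file" | awk '{ print $1 }')
    [ "$expected" = "$actual" ]
}

# Constructed sample: a stand-in asset plus a checksums line built from its own
# hashes in the order SHA-1, SHA-256, SHA-512. Prints the temp directory path.
make_sample() {
    local dir f
    dir=$(mktemp -d)
    f="$dir/yq_linux_amd64"
    printf 'constructed sample binary\n' > "$f"
    printf 'yq_linux_amd64  %s  %s  %s\n' \
        "$(sha1sum < "$f" | awk '{ print $1 }')" \
        "$(sha256sum < "$f" | awk '{ print $1 }')" \
        "$(sha512sum < "$f" | awk '{ print $1 }')" > "$dir/checksums"
    echo "$dir"
}
```

Calling `verify_asset` with an order list that does not match the file's real column order compares the file against the wrong algorithm's hash and fails, which is the symptom reported above.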