aqtinstall: Mirrors don't provide sha256

aqtinstall requires .sha256 hashes to verify Updates.xml and 7z archives.

Only https://download.qt.io/ provides .sha256, .sha1, .md5 and .meta4 files for every visible file. Mirrors provide only visible files, i.e. .sha1 for 7z archives which aren’t *meta.7z.

If https://download.qt.io/ is not available, it’s impossible to download any archive with aqtinstall.

There should be an option to use .sha1 and skip verification of Updates.xml.

About this issue

  • State: closed
  • Created 2 years ago
  • Comments: 18 (12 by maintainers)

Most upvoted comments

Hi! Is it OK then if I propose a PR that adds one --insecure option which disables checksum verification?

#684 merged. #730 allow build from git export, github’s zip download.

Reading all issue tickets related to the problem. But as I get it, there is no solution? It’s not possible to use aqtinstall if https://download.qt.io/ is not available?

I’m not a security expert, but I don’t see a problem here. Even if an attacker creates a hash collision, that “malicious” copy will contain garbage, so no code can be injected that way? Just my 2 cents, sorry if I’m wrong.

No, the malicious copy may contain whatever code the attacker wants. It could be padded with garbage to make the hash come out right, but the padding would likely be hidden in a way that you would not see it.

You can search for hash collision generators on any search engine to find tools that allow you to do this; several are hosted on GitHub.

Last night I tried to install qt 6.4.0 in CI, but the job failed because there’s no sha256 hashes for any of the files in that directory, on the download.qt.io server. Hopefully this is just a temporary situation, and they will upload the hashes later. However, there’s a very real possibility that the qt repo will stop uploading sha256 hashes for new versions. We don’t have any guarantees here.

In this case, caching sha256 hashes downloaded from download.qt.io will not work.

We may have no choice but to add an option to use one of the insecure hashes like md5/sha1 that appear to exist on both download.qt.io and the mirrors. I propose that we call it something like --insecure to discourage people from using it unless absolutely necessary, and to warn them about what they’re doing.

Thanks for letting us know about the lack of sha256 hashes on the mirrors.

IMHO, we should be very careful about allowing aqt to use sha1 or md5 hashes in any way. It’s not hard for an attacker to create a .7z file with a hash collision with a legitimate sha1 or md5 hash; this is not true of sha256. If an attacker has control over any of our mirror sites, that attacker can convince aqt that their malicious copy of the .7z file is the real thing, and suddenly the attacker can get their code to run in your Qt program. This is a very big deal.

If you want to add the ability to use sha1, you will need to be able to prove without any doubt that there is no code path that uses sha1 by mistake. This feature will add attack surface to aqt that will need lots of developer attention.
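The verification policy argued for in the thread (prefer .sha256, and use the mirrors' .sha1 only behind an explicit opt-in), written as an added example that is not aqtinstall's own code. The sidecar layout (`<hexdigest>  <filename>`, one file per line) and the `--insecure` flag name are assumptions taken from the discussion above, and the archive bytes are constructed.

```python
"""Added example (not aqtinstall's code): verify a downloaded archive against a
checksum sidecar, accepting sha256 by default and sha1/md5 only on explicit opt-in."""
import hashlib
import hmac

# Algorithms considered collision-resistant enough to authenticate an archive.
STRONG = {"sha256"}
# Algorithms the mirrors publish but which must never be used silently (see thread).
WEAK = {"sha1", "md5"}


def parse_checksum_file(text: str) -> dict:
    """Parse '<hexdigest>  <filename>' lines (sha*sum/md5sum layout, assumed for the
    .sha1/.sha256 sidecars). Returns {filename: hexdigest}; blank and '#' lines skipped."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")  # coreutils marks binary mode with a leading '*'
        result[name] = digest.lower()
    return result


def verify_archive(data: bytes, filename: str, sidecar_text: str,
                   algorithm: str, allow_insecure: bool = False) -> bool:
    """Return True only if `data` matches the digest recorded for `filename`.
    Raises ValueError for a weak algorithm unless the caller passed --insecure."""
    if algorithm in WEAK and not allow_insecure:
        raise ValueError(f"{algorithm} is not collision-resistant; refusing without --insecure")
    if algorithm not in STRONG | WEAK:
        raise ValueError(f"unsupported algorithm {algorithm}")
    expected = parse_checksum_file(sidecar_text).get(filename)
    if expected is None:          # sidecar does not list this file: treat as unverified
        return False
    actual = hashlib.new(algorithm, data).hexdigest()
    return hmac.compare_digest(actual, expected)  # constant-time compare


# Constructed sample input: fake archive bytes plus the sidecar lines a server would publish.
SAMPLE_ARCHIVE = b"not really a 7z archive, just constructed sample bytes\n"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_ARCHIVE).hexdigest() + "  qtbase-example.7z\n"
SAMPLE_SHA1 = hashlib.sha1(SAMPLE_ARCHIVE).hexdigest() + "  qtbase-example.7z\n"

if __name__ == "__main__":
    print(verify_archive(SAMPLE_ARCHIVE, "qtbase-example.7z", SAMPLE_SHA256, "sha256"))
```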