Only using sha256 checksum check

Question

Only using sha256 checksum check

doctordesh opened this issue 9 years ago · 5 comments

In go 1.5.3 Golang changed their checksum function from SHA1 to SHA256.
The script only makes a sha256-check, which makes it impossible to install earlier versions of go, since their checksums will never match.

Answer 1 · 2016-02-04T07:39:16.000Z

This checksum is verifying the integrity of the Go archive before it is decompressed, and it is unrelated to Go's internal checksum function. You can install any version of Go as long as you provide the right checksum for the archive. Here is an example of an old commit that shows a working checksum for Go version 1.2.1.

Answer 2 · 2016-02-04T07:40:18.000Z

So I have to manually produce my checksum?

Answer 3 · 2016-02-04T07:46:56.000Z

Oh, I see what you mean now. Yeah, you can download the archive for the version you would like to install and use sha256sum to calculate the checksum.

Answer 4 · 2016-02-04T07:50:42.000Z

Good.
But wouldn't it be easier if you could use the checksums that the Golang website provides? Would take away one step from the setup. You don't have to download and you don't have to make sha256(go.1.5.3.tar.gz) and paste it into your config.

That would work if the task Download the Go tarball could use both sha1 and sha256, right? Might be overkill though, just a thought.

Answer 5 · 2016-03-18T23:05:37.000Z

@doctordesh This is possible now. Specifying the following variables will set up Go 1.5.2 (which is the last version on the official website that is listed using SHA1 checksums):

---
go_tarball: "go1.5.2.linux-amd64.tar.gz"
go_tarball_checksum: "sha1:cae87ed095e8d94a81871281d35da7829bd1234e"
go_version_target: "go version go1.5.2 linux/amd64"

It also brings the checksum syntax up-to-date for Ansible 2.0.1.0.