RPM checksums from the official repository and GitHub do not match

Description of the issue: RPM checksums from website and GitHub do not match
How can this issue be reproduced?

  1. Check the sha256 of the current RPM package at GitHub (https://github.com/brave/brave-browser/releases/download/v1.65.114/brave-browser-1.65.114-1.x86_64.rpm), which should be a2ea2a39e91453c24563cadf36ca7fb64352ec318040b9926a4e9e5ba7c21b50
  2. Download the RPM based on the instructions given at https://brave.com/linux/, except do “dnf download brave-browser”
  3. “sha256sum brave-browser-1.65.114-1.x86_64.rpm”, which results in ce13843cdab423f08fdf59ed6329050a272e60d7e817378e38cfad43af64acd6

Expected result: “sha256sum brave-browser-1.65.114-1.x86_64.rpm” for the package downloaded from the Brave repository should output a2ea2a39e91453c24563cadf36ca7fb64352ec318040b9926a4e9e5ba7c21b50, as the packages on GitHub and the official repository should be identical.

Brave Version (check About Brave): v1.65.114

Additional Information: It is concerning to me that the checksums of these two packages do not match. I trust Brave, but I need to understand why they don’t match before I install Brave on either of my computers.


Hello @justanotherfedora

I confirm that

let me tag @Mattches from the team so they fix it

and have a nice day both of you :slight_smile:

Thank you both for reporting — forwarding this information to Linux team now.


Hello

Just want to confirm that the same thing happens with the latest version, 1.65.122

thanks again and have a nice day :slight_smile:

Hello again.

This issue is still present on 1.65.126.

Thanks for getting in contact with the Linux team. It’s concerning to me that there still seems to be some change between the rpm on GitHub and from the repo. I’d be curious whether or not this affects other packaging formats.

Sorry for the late reply here.

While Linux is not my strongest suit, it looks like it’s simply a matter of when the package is being signed — the signing itself is the difference while the packages are actually the same. The team has opened an issue to resolve this (the repo in which it was opened is private though so unfortunately I cannot share the link with you).

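The explanation given in the reply above (same package, different signature) can be checked by hashing only the bytes that follow the RPM signature header. This is an added example, not part of the thread and not Brave's tooling; it assumes the standard RPM layout (96-byte lead, then a signature header padded to 8 bytes), and `build_sample` with its tag number and blobs is constructed test data.

```python
import hashlib
import struct

LEAD_SIZE = 96                      # fixed-size RPM lead
LEAD_MAGIC = b"\xed\xab\xee\xdb"
HEADER_MAGIC = b"\x8e\xad\xe8\x01"  # header structure magic + version byte


def signature_end(data: bytes) -> int:
    """Return the file offset where the signature header and its padding end."""
    if len(data) < LEAD_SIZE + 16 or data[:4] != LEAD_MAGIC:
        raise ValueError("not an RPM package")
    if data[LEAD_SIZE:LEAD_SIZE + 4] != HEADER_MAGIC:
        raise ValueError("signature header not found")
    # Layout: magic+version (4 bytes), reserved (4), index count, data size
    nindex, hsize = struct.unpack(">II", data[LEAD_SIZE + 8:LEAD_SIZE + 16])
    end = LEAD_SIZE + 16 + nindex * 16 + hsize
    end += -end % 8                 # signature header is padded to 8 bytes
    if end > len(data):
        raise ValueError("truncated signature header")
    return end


def digests(data: bytes) -> tuple[str, str]:
    """Return (sha256 of whole file, sha256 of main header + payload only)."""
    return (hashlib.sha256(data).hexdigest(),
            hashlib.sha256(data[signature_end(data):]).hexdigest())


def build_sample(sig_blob: bytes, body: bytes) -> bytes:
    """Constructed RPM-shaped file: lead, one-entry signature header, body."""
    lead = LEAD_MAGIC + b"\x03\x00" + bytes(LEAD_SIZE - 6)
    # One index entry: tag 1000 (constructed), type 7 (binary), offset 0, count
    index = struct.pack(">IIII", 1000, 7, 0, len(sig_blob))
    header = HEADER_MAGIC + bytes(4) + struct.pack(">II", 1, len(sig_blob))
    sig = header + index + sig_blob
    return lead + sig + bytes(-len(sig) % 8) + body


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:       # e.g. the GitHub RPM and the repo RPM
        with open(path, "rb") as f:
            print(path, *digests(f.read()))
```

If the second digest matches for both files while the first differs, the difference is confined to the lead and signature header. Equal content says nothing about authenticity, so the signature itself should still be verified with `rpm -K` against the vendor's imported key.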

Just tested on Ubuntu and it’s not affected by that

Is there an estimate on when they will fix it? The latest version, 1.65.132, still has the same issue

same issue for version v1.66.110

Edit

@justanotherfedora

Just wanted to report that version v1.66.115 fixed the issue

The RPM repo has the same sha256 as the RPM on the GitHub page

thanks @Mattches and the whole team for fixing it

and have a nice day everyone :slight_smile:
