Missing SHA Checksums For Aarch64 Adoptium Binaries
Hey everyone! 👋 We've got a bit of a snag. It looks like the SHA checksum files are missing for some of the aarch64 (ARM64) binaries in the latest Adoptium releases. This is a problem because these checksums are super important for verifying the integrity of the downloaded files. Without them, we can't be 100% sure that the binaries haven't been corrupted or tampered with during the download process. Let's dive into the details, figure out what's going on, and explore potential solutions. This guide is designed to help you understand the issue and provide potential workarounds.
The Problem: Missing Checksums for aarch64 Binaries
So, what's the deal? We're seeing 404 errors when trying to fetch the checksum files for the aarch64 architectures. Specifically, the issue affects releases like those found at the following URLs (as examples):
https://github.com/adoptium/temurin17-binaries/releases/download/jdk-17.0.17+10/OpenJDK17U-jre_aarch64_linux_hotspot_17.0.17_10.tar.gz.sha256.txt
https://github.com/adoptium/temurin21-binaries/releases/download/jdk-21.0.9+10/OpenJDK21U-jre_aarch64_alpine-linux_hotspot_21.0.9_10.tar.gz.sha256.txt
These links are supposed to provide the SHA-256 checksums for the corresponding binary files. The checksums act like digital fingerprints, ensuring that the downloaded file matches the original. The absence of these checksum files is a cause for concern because it prevents users from verifying the downloaded binaries' integrity. This situation makes it more difficult to trust the downloaded files. Without the checksums, it might not be possible to be sure that the downloaded binaries have not been altered in some way.
When you try to access these links, you'll encounter a 404 error, which means the file isn't found on the server. This is a bummer because verifying the integrity of downloaded files is a crucial security practice. The absence of these checksum files could be a result of a build process error, a deployment issue, or simply an oversight. Whatever the cause, it's preventing users from performing the important security checks they need.
Imagine you are downloading the file for installation: the missing checksum will cause the installation process to fail, and you will not be able to continue until you either find the checksum or the issue is resolved on the release side. Without checksums, you are essentially trusting the download process blindly, which isn't ideal, especially when dealing with software that will be running on your systems. Users rely on these checksums to ensure the integrity and security of the binaries they download, so their absence creates a significant hurdle for anyone using these Adoptium releases on aarch64 platforms.
This lack of availability impacts anyone who needs to verify the integrity of the downloaded Adoptium binaries for aarch64 architectures. The missing checksums make it impossible to guarantee that the downloaded files haven't been tampered with or corrupted during the download. It is a problem that affects all users who are downloading and installing these binaries.
Reproducing the Issue: Steps to Verify
Want to see the problem for yourself? Here's how to reproduce the issue:
- Try to fetch the checksum file: Attempt to access one of the missing checksum files, such as https://github.com/adoptium/temurin17-binaries/releases/download/jdk-17.0.17+10/OpenJDK17U-jre_aarch64_linux_hotspot_17.0.17_10.tar.gz.sha256.txt. You can use a web browser, curl, or wget to do this.
- Observe the result: You should get a 404 error, indicating that the file is not found on the server.
By following these steps, you can directly confirm the problem. This helps to understand the scope and impact of the issue. This verification is a straightforward way to see the problem and understand the implications.
Expected vs. Actual Results: What Should Happen and What's Happening
Expected Results
When you request the .sha256.txt file, you should get a file containing the SHA-256 checksum of the corresponding binary. This checksum is a long string of characters that represents a unique identifier for the binary file. You would use this checksum to confirm that the downloaded binary is indeed the correct and unaltered version.
This checksum would allow users to verify the integrity of the downloaded binary. For example, if you downloaded OpenJDK17U-jre_aarch64_linux_hotspot_17.0.17_10.tar.gz, you would expect to find the matching checksum in OpenJDK17U-jre_aarch64_linux_hotspot_17.0.17_10.tar.gz.sha256.txt. This process provides a way to validate that the downloaded file is the genuine one and hasn't been corrupted during transfer.
Actual Results
Instead of getting the checksum, you're getting a 404 error. This means the file isn't found. This prevents users from verifying the integrity of the downloaded binary and creates a security risk because you cannot confirm that the downloaded files have not been modified during the download.
The missing checksum files mean that users cannot readily verify the integrity of the downloaded binaries. Without the checksum, you can't be certain that the file you downloaded is the original, untampered version. It introduces a potential security vulnerability, and makes it harder to trust the downloads.
Impact and Troubleshooting
The absence of the checksum files can impact anyone using these Adoptium releases on aarch64 platforms. This is particularly problematic for users who rely on checksums for security or compliance reasons. The missing checksums make it impossible to guarantee that the downloaded files haven't been tampered with or corrupted during the download.
Potential Causes
- Build Process Error: There might be an issue in the build process that prevents the checksum files from being generated or included in the release. The build process is responsible for creating these files, and any error here would lead to missing checksums.
- Deployment Issue: There could be a problem during the deployment of the release, where the checksum files are not correctly uploaded to the server.
- Oversight: It's possible that the checksum files were simply omitted during the release process.
Troubleshooting Steps
- Verify the URL: Double-check the URL to ensure it is correct. Typos can sometimes lead to 404 errors.
- Check Other Architectures: See if checksum files are available for other architectures (e.g., x64) in the same release. This can help determine if the issue is specific to aarch64.
- Check Previous Releases: Check whether the checksum files are available in earlier release versions. If the previous versions do contain the checksums, that can provide more information on when this issue started.
- Contact Support: Reach out to the Adoptium support team or open an issue on the Adoptium GitHub repository to report the problem and get assistance.
Workarounds and Mitigations
While we wait for the issue to be resolved, here are a few things you can do:
- Use Older Versions: If possible, consider using an older version of the Adoptium binaries where the checksum files are available. This is the simplest workaround to maintain the integrity checks until the new versions are fixed.
- Manual Verification (Use with Caution): If you're comfortable, you can manually calculate the SHA-256 checksum of the downloaded binary and compare it with the expected checksum. Be very careful where you get the expected checksum from and ensure it is from a trusted source. This approach is riskier because you must find a reliable source for the expected checksum.
- Alternative Downloads: Look for alternative sources for the binaries. You could download the binary from another repository, but ensure you verify the checksum.
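The manual verification workaround above, as an added example (not Adoptium's own tooling): a fail-closed check that reports a missing checksum file, or a 404 body saved in its place, as "unverified" instead of letting it pass. The function names and the `<64 hex digits>  <filename>` checksum-file layout are assumptions, and the sample files are constructed.

```shell
#!/bin/sh
# Added example, not Adoptium tooling. Assumes "<64 hex digits>  <filename>" checksum files.

# sha256_of FILE: print the hex digest (sha256sum, or shasum where that is absent).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# fetch_checksum URL OUT: --fail turns an HTTP 404 into a non-zero exit instead
# of writing the error page into OUT. (Hypothetical helper; not run by the demo.)
fetch_checksum() {
    curl --fail --silent --show-error --location --output "$2" "$1"
}

# verify_sha256 ARCHIVE SUMFILE
# Returns 0 = match, 1 = mismatch, 2 = no usable checksum (treat as unverified).
verify_sha256() {
    [ -f "$1" ] && [ -s "$2" ] || return 2
    expected=$(awk 'NR==1 {print tolower($1)}' "$2")
    # Anything that is not exactly 64 hex digits (e.g. a saved 404 body) is rejected.
    [ "${#expected}" -eq 64 ] || return 2
    case $expected in *[!0-9a-f]*) return 2 ;; esac
    [ "$(sha256_of "$1")" = "$expected" ] || return 1
}

# Constructed demo data: a stand-in archive, its checksum file, and a 404 body.
demo() {
    d=$(mktemp -d) || return 1
    printf 'constructed stand-in for a JRE tarball\n' > "$d/jre.tar.gz"
    printf '%s  jre.tar.gz\n' "$(sha256_of "$d/jre.tar.gz")" > "$d/good.sha256.txt"
    printf 'Not Found\n' > "$d/saved-404.sha256.txt"
    good=0; verify_sha256 "$d/jre.tar.gz" "$d/good.sha256.txt" || good=$?
    bad=0; verify_sha256 "$d/jre.tar.gz" "$d/saved-404.sha256.txt" || bad=$?
    gone=0; verify_sha256 "$d/jre.tar.gz" "$d/absent.sha256.txt" || gone=$?
    rm -rf "$d"
    echo "match=$good saved404=$bad missing=$gone"
}
demo
```

In an install script, only exit code 0 should let the installation continue; code 2 is the case this page describes.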
Conclusion: Addressing the Missing Checksums
The absence of SHA checksums for the aarch64 binaries is a valid concern, and it's essential that the Adoptium team addresses this problem promptly. This issue is a reminder of the importance of security and integrity verification in the software distribution process. The impact is significant and affects anyone who wants to verify the integrity of the downloaded files.
In the meantime, follow the suggested troubleshooting steps and workarounds to mitigate the issue. Keep an eye on the Adoptium GitHub repository for updates and announcements regarding the resolution. It's critical to download and verify binaries to protect your systems. Hopefully, this guide has helped you understand the situation and how to proceed. Keep your systems safe, and stay tuned for updates. 🚀