Sensu-email-handler asset hash changed, but no new release?

Description of your problem

While setting up a new sensu-backend and testing our email handler with the sensu-email-handler asset, we noticed a hash mismatch. There hasn’t been a new release from what I can see on GitHub. Bonsai states the assets have last been changed on April 25, 2024. We are using this asset declaratively with sensu-flow and the hash 81ffd8095c1a6b489b6eca2eae76b84f9943c59877c28e1191c0acc89055bf58d53b4fba3356ddac6572d5fe5e6a62ff018f15b7cd3ecbc37263d3fdb5a0660d worked fine for us before. Is this a security issue?

EDIT: The hash we used before matches the one published in the release hash list on GitHub.

81ffd8095c1a6b489b6eca2eae76b84f9943c59877c28e1191c0acc89055bf58d53b4fba3356ddac6572d5fe5e6a62ff018f15b7cd3ecbc37263d3fdb5a0660d  sensu-email-handler_1.2.2_linux_amd64.tar.gz

Description of steps you’ve taken to attempt to solve the issue

Environmental information

Operating system information

  • RHEL (AlmaLinux 9)

Package versions

  • Sensu Go: 6.11.0+ee
  • Etcd: built-in
  • PostgreSQL: n/a

Plugin information

Service logs, configuration, and environment variables

May 23 15:41:02 sensu1.dc.our.domain sensu-backend[501446]: {
  "check_name": "keepalive",
  "check_namespace": "default",
  "component": "pipeline/legacy",
  "entity_name": "sensu3.dc.our.domain",
  "entity_namespace": "default",
  "error": "could not validate downloaded asset \"sensu-email-handler\" (6.9 MB): sha512 of downloaded asset (4a68f45f34c3e7a6eab100f04b6451e713cc302f7d00a23d619515ffff03295212c3be9d982e4572e9c23b2f5935b11710371378e4191cdd6f846da917a0ea69) does not match specified sha512 in asset definition (81ffd8095c1a6b489b6eca2eae76b84f9943c59877c28e1191c0acc89055bf58d53b4fba3356ddac6572d5fe5e6a62ff018f15b7cd3ecbc37263d3fdb5a0660d)",
  "event_id": "db8b777f-c7cc-4e22-aac4-0503469b2b33",
  "handler_name": "email",
  "handler_namespace": "default",
  "level": "error",
  "msg": "failed to retrieve assets for handler",
  "pipeline": "legacy-pipeline",
  "pipeline_workflow": "legacy-pipeline-workflow-email",
  "time": "2024-05-23T15:41:02Z"
}

Hey Jhonas, welcome! :wave:

The Bonsai asset SHAs match those released on draft 1.2.2, mistakenly released on Bonsai recently. If you look at the page below, it has the same commit as it was released.

Releases · sensu/sensu-email-handler · GitHub.

The engineering team has noted they plan to release a new version with library updates.

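An added example, not part of the original posts and not Sensu's own code: one way to triage this kind of mismatch from the backend log by checking both hashes against the release checksum list. It assumes the error message format shown in the log above and a checksum list in the `<sha512>  <filename>` format quoted in the question; the function names are hypothetical and the sample hashes are constructed.

```python
import hashlib
import json
import re

# Message format taken from the sensu-backend log line shown in the question.
MISMATCH = re.compile(
    r'could not validate downloaded asset "(?P<asset>[^"]+)".*?'
    r"sha512 of downloaded asset \((?P<served>[0-9a-f]{128})\) does not match "
    r"specified sha512 in asset definition \((?P<pinned>[0-9a-f]{128})\)")

# (pinned hash in release list, served hash in release list) -> next step
VERDICTS = {
    (True, False): "served artifact is not in the release list: keep the pin, ask upstream",
    (False, True): "pin is stale: served artifact is in the release list",
    (True, True): "both hashes are published: pin names a different build",
    (False, False): "neither hash is published: do not trust either without upstream confirmation",
}

def parse_checksums(text):
    """Parse '<sha512>  <filename>' lines into {hash: filename}."""
    known = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and re.fullmatch(r"[0-9a-f]{128}", parts[0]):
            known[parts[0]] = parts[1].lstrip("*")
    return known

def triage(log_json, checksums_text):
    """Classify one JSON log entry; returns None if it is not a hash mismatch."""
    m = MISMATCH.search(json.loads(log_json).get("error", ""))
    if not m:
        return None
    known = parse_checksums(checksums_text)
    key = (m["pinned"] in known, m["served"] in known)
    return {"asset": m["asset"], "pinned_in_release": key[0],
            "served_in_release": key[1], "verdict": VERDICTS[key]}

# Constructed sample data: SHA-512 of dummy bytes, not real release hashes.
PINNED = hashlib.sha512(b"constructed release tarball").hexdigest()
SERVED = hashlib.sha512(b"constructed rebuilt tarball").hexdigest()
SAMPLE_SUMS = f"{PINNED}  sensu-email-handler_1.2.2_linux_amd64.tar.gz\n"
SAMPLE_LOG = json.dumps({"level": "error", "handler_name": "email", "error": (
    'could not validate downloaded asset "sensu-email-handler" (6.9 MB): '
    f"sha512 of downloaded asset ({SERVED}) does not match "
    f"specified sha512 in asset definition ({PINNED})")})

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, SAMPLE_SUMS))
```
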