Sha512 checksum

Hey Team,

I have an issue with Sensu Go, where if we try to update the checksum key in an asset, it's not catching up, and it's also not creating any key folder in the Sensu agent.

We are using 6.2.1 version of sensu image.
[ 6.2.1+ee, enterprise edition, build 4618bdc72f45850b74cfd527a5e691d0f43c42e5, built 2021-01-08T15:08:29Z, built with go1.13.15]

Once we added new files and updated the sha512 key, the checks are failing to update the checksum key. We are using GitHub to store the assets.

Here is the error.

error getting assets for check: could not validate downloaded asset “sensu-go-hello-world-asset” (6.9 kB): sha512 of downloaded asset (2a5c7911afae946deeeaaf33f4dcf2c3ebe3f3d0d886c18bb52ede76fa862c37a491e82882ad7c8d8daf461bac4c0535bd14c045573079f64b2b0a169babbf1a) does not match specified sha512 in asset definition (f5dba600cdf978ac80bd5b4d333afb9ed96d9f72433fb4adb313ba3d92dbc3343842e00e925c4eed7e077b25fa91668820a1eeba6286f891c1bfde0bd7de1351)

It's generating a new key every time, not sure what's happening. Can you please help here?

sensuctl asset list
Name URL Hash
──────────────────────────── ─────────────────────────────────────────────────────────────────── ─────────
sensu-go-hello-world-asset https://abc.git/sensu-go-hello-world-0.0.1.tar.gz f5dba60


type: Asset
api_version: core/v2
metadata:
  name: sensu-go-hello-world-asset
  namespace: default
spec:
  url: https://abc.git/sensu-go-hello-world-0.0.1.tar.gz
  sha512: f5dba600cdf978ac80bd5b4d333afb9ed96d9f72433fb4adb313ba3d92dbc3343842e00e925c4eed7e077b25fa91668820a1eeba6286f891c1bfde0bd7de1351

shasum512.txt file uploaded in the git contains below sha512 characters with file name

f5dba600cdf978ac80bd5b4d333afb9ed96d9f72433fb4adb313ba3d92dbc3343842e00e925c4eed7e077b25fa91668820a1eeba6286f891c1bfde0bd7de1351 sensu-go-hello-world-0.0.1.tar.gz

Hey,
“It’s generating a new key every time, not sure what’s happening. Can you please help here?”

Are you saying that the 2a5c... is changing in the error message? Basically that would mean that every time the agent is trying to download the asset, it’s calculating a different checksum from the downloaded file.

The error message is informing you that the downloaded asset isn’t passing the checksum verification.
In the error message you gave, the 2a5c... is the checksum the sensu-agent is calculating after downloading the asset. The f5ab... is the expected checksum defined in the asset definition.

Is the URL in the asset definition valid? Can you use the URL to manually download the file and verify the sha512 checksum is f5ad... after download on the host where sensu-agent is running?

Assuming you have verified that the download has the correct sha512 outside of sensu-agent, then it’s potentially a truncated download for some reason. sensu-agent on a Linux system downloads into /tmp and does checksum verification there before unpacking into the correct /var/cache location. If space in /tmp is limited, that might cause a download to truncate.

Unfortunately I can’t test your asset verification myself, as you’ve obfuscated the actual URL.

Are you seeing similar problems with public assets from bonsai or with just the asset you are hosting on github?


Thanks @jspaleta for narrowing it down, really helpful.

The issue was with the files (assets) placed in a private GitHub repo. Every time we tried to download the asset with curl, the SHASUM characters were changing, hence SHA verification was failing (not sure what might be the cause).

We tried Python’s SimpleHTTPServer to host the directory and check; now it’s working as expected.
The agent was able to download the asset.

Thanks again for the detailed and quick reply!

Hmm… were the downloads directly from GitHub what you were expecting? Could you unpack the gzipped tar archive and see the contents? The fact that GitHub was giving you something unexpected in terms of checksum… seems very odd.

Hey,
It’s the private GitHub repository, I think, that’s the problem. I don’t think there is a clean way to get access to private GitHub release artifacts… without using the GitHub API and referencing the asset id associated with the file.
It’s a bit wonky… you have to go through the GitHub API. I bet you a doughnut that your curl commands were not retrieving the tarball, but were getting some sort of error response from GitHub.

Here’s how you pull releases from a private repo with curl… it’s not straightforward.
https://gist.github.com/illepic/32b8ad914f1dc80446c7e81c3be4e286

To get it to work with Sensu, you may have to decorate the asset with some additional HTTP request headers like the curl command in that gist. I haven’t tried myself yet. I’ll add it to the list of things to try.

Also you should be aware that github does rate limit its api requests… so serving assets from github releases directly may not work well beyond a small deployment. We ran into this quite early on with Bonsai, we originally had assets served from github, but we quickly had to move to a CDN cache of the assets because the Bonsai assets were so popular that users were triggering the github api rate limit.

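
The manual check suggested earlier in the thread, extended to tell apart the failure causes discussed (an error response served instead of the tarball, or a truncated download). This is an added example, not code from any poster or from Sensu; `check_asset`, `make_samples` and the sample files are constructed for illustration, and it assumes GNU coreutils, gzip and tar on the agent host.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): triage a Sensu asset sha512 mismatch.
# Assumes GNU coreutils (sha512sum, od), gzip and tar are installed.

# check_asset FILE EXPECTED_SHA512 -> prints a verdict, returns 0 only on match
check_asset() {
    local file="$1" expected actual magic
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing"; return 2; }

    actual=$(sha512sum "$file" | awk '{print $1}')
    if [ "$actual" = "$expected" ]; then echo "match"; return 0; fi

    # Digest differs: look at what the server actually sent.
    magic=$(od -An -tx1 -N2 "$file" | tr -d ' \n')
    if [ "$magic" != "1f8b" ]; then
        echo "not-gzip"              # e.g. HTML login page or JSON error body
    elif ! gzip -t "$file" 2>/dev/null; then
        echo "truncated-or-corrupt"  # e.g. download cut short by a full /tmp
    else
        echo "different-content"     # valid archive, but not the one hashed
    fi
    return 1
}

# make_samples DIR -> constructed inputs standing in for real downloads
make_samples() {
    local d="$1"
    printf 'echo hello\n' > "$d/hello.sh"
    tar -C "$d" -czf "$d/good.tar.gz" hello.sh
    head -c 40 "$d/good.tar.gz" > "$d/truncated.tar.gz"
    printf '<html><body>Sign in to continue</body></html>\n' > "$d/error.tar.gz"
}

demo() {
    local d want f
    d=$(mktemp -d)
    make_samples "$d"
    want=$(sha512sum "$d/good.tar.gz" | awk '{print $1}')
    for f in good truncated error; do
        printf '%-10s %s\n' "$f" "$(check_asset "$d/$f.tar.gz" "$want" || true)"
    done
    rm -rf "$d"
}
demo
```

On a real host, point `check_asset` at the file fetched from the asset URL and pass the `sha512` value from the asset definition.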