Check hash of downloaded setup

[mlocati]

What about checking the SHA-512 hash of the downloaded setup?

Reference: https://cygwin.com/install.html#hash

[mlocati]

About the failures: they are expected since the SHA-512 of the downloaded setup is not the expected one: there's no CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E hash in the official list of hashes (there's really something that should be fixed in the distribution of the Cygwin installer IMHO)

[jon-turney]

Thanks. Yes, this seems like a sensible thing to do.

As discussed in #9, it would also be nice if this whole thing was a bit more robust against transient problems...

[jon-turney]

expected

Well, not really, since that's not the hash of the file being served by cygwin.com.

[mlocati]

expected

Well, not really, since that's not the hash of the file being served by cygwin.com.

Which "expected" are you referring to?
To an expected SHA-512 hash? Which one?

Accordingly to the docs, the SHA-512 of the current setup-x86_64.exe file should be the one included in https://cygwin.com/sha512.sum

Current'y, it should be 085defb2be45ac527617496779f1d440dc3b5777f08c2deed7597e1aeacc3b5c3d1e5047523b7505195ee8f8a48dec3c3107d9197ffd9833e00d22c81cfc22ec, but we have (randomly) also a SHA-512 hash that's different... Try running this script:

$ErrorActionPreference = 'Stop'
$local = New-TemporaryFile
try {
    for ($i = 1; $i -le 10; $i++) {
        Invoke-WebRequest -Uri https://cygwin.com/setup-x86_64.exe -OutFile $local
        $hash = $(Get-FileHash -LiteralPath $local -Algorithm SHA512).Hash
        Write-Host -Object "Cycle #$($i): $hash"
    }
} finally {
    Remove-Item -LiteralPath $local
}

You'll have (for example):

Cycle #1: 085DEFB2BE45AC527617496779F1D440DC3B5777F08C2DEED7597E1AEACC3B5C3D1E5047523B7505195EE8F8A48DEC3C3107D9197FFD9833E00D22C81CFC22EC
Cycle #2: 085DEFB2BE45AC527617496779F1D440DC3B5777F08C2DEED7597E1AEACC3B5C3D1E5047523B7505195EE8F8A48DEC3C3107D9197FFD9833E00D22C81CFC22EC
Cycle #3: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Cycle #4: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Cycle #5: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Cycle #6: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Cycle #7: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Cycle #8: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Cycle #9: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Cycle #10: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E

And if we download the setup-x86_64.exe installer with the SHA-512 hash that starts with cf83 the action fails with the error we currently see in the CI tests:

Program 'setup.exe' failed to run: The specified executable is not a valid application for this OS platform

[dra27]

cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e is the sha512 of the empty file (cf. echo -n '' | sha512sum). On my system (i.e. nothing to do with GitHub Actions), this seems to be happening quite easily.

[mlocati]

On my system (i.e. nothing to do with GitHub Actions), this seems to be happening quite easily.

I am also having this problem locally: see https://cygwin.com/pipermail/cygwin/2024-October/256604.html

[mlocati]

Since the installer and the signature file can be published at different times (see here), we may have false positives.

So, I'd discard this pull request...

[jon-turney]

Since the installer and the signature file can be published at different times (see here), we may have false positives.

I will be correcting the misinformation in that email, when I have a spare moment.

[mlocati]

zf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e is the sha512 of the empty file

I've updated this PR (a19f025) to check if the downloaded setup is empty

[jon-turney]

Merged, thanks!