PureOS 10 Byzantium - isolinux.bin checksum FAIL

wizmag · September 1, 2021, 7:15am

I have downloaded PureOS 10 Byzantium from the front page of pureos.net at the following URL

https://downloads.puri.sm/byzantium/gnome/2021-07-05/pureos-10~devel-gnome-live-20210705_amd64.iso

A sha256sum matches the published checksum as follows:

$ sha256sum pureos-10_devel-gnome-live-20210705_amd64.iso
d6f0d8d8fbf1ee34fea8fdef5c3d4073e9999ae38ff6b097ccfc9b32b90bdf2f pureos-10_devel-gnome-live-20210705_amd64.iso

HOWEVER, inside the ISO the file md5sum.txt lists the md5 checksums for every file. All verify EXCEPT for isolinux/isolinux.bin as follows:

$ grep isolinux.bin md5sum.txt
c3387bb5f62c3df90e50915b1b4495b2 ./isolinux/isolinux.bin

$ md5sum isolinux/isolinux.bin
0dc2616f421f6dfb38546eb04b626b00 isolinux/isolinux.bin

This is NOT a good sign. Can anyone explain and/or verify this situation themselves please?

m4lvin · September 1, 2021, 7:20pm

I can verify this.

$ grep isolinux.bin md5sum.txt
c3387bb5f62c3df90e50915b1b4495b2  ./isolinux/isolinux.bin
$ md5sum isolinux/isolinux.bin
0dc2616f421f6dfb38546eb04b626b00  isolinux/isolinux.bin

Are these images created reproducibly? I only know about the jenkins instance for Librem 5 images at https://arm01.puri.sm/ but maybe there is something similar for amd64 PureOS?

joao.azevedo · September 3, 2021, 11:04am

@wizmag thanks for the report it is being triaged here: https://tracker.pureos.net/T1073

m4lvin · September 4, 2021, 1:13pm

It seems this problem is not unusual and not specific to PureOS. In this discussion here someone mentions that genisoimage (which afaik is used to pack up files into a bootable iso file) wants to modify the isolinux.bin file, but this is done after the md5sum list is created.