The MD5 sum of the VirtualBox production image does not match the MD5 file

From the page https://erpnext.com/download one can download a production image http://build.erpnext.com/ERPNext-Production.ova.
However, when I run an md5sum check on the downloaded file, it is different than the the one in the corresponding downloadable MD5 file.

Using the md5command in Linux gives an MD5 sum of “dbbc86c909a5601c7bb4c43816740237”
However, the MD5 file provided by ERPNext contains: “a5cdcc996d10361fc8a0f2a13edfee1b”

Am I doing something wrong or is there a problem of some kind?

In regards to security, one might also consider placing the check sum file in a different place. If the website containing the image file itself get hacked so that the image is replaced with a malware infected version, in all likelihood the MD5 check file will itself have been hacked and changed as they are in the same location.

This is a valid point.

I’ve just checked development image and it’s fine:

~/HDD/data$ md5sum -c ERPNext-Dev.ova.md5 
ERPNext-Dev.ova: OK

The checksum is 3fd1cf4cd853f20fe3d9e7e63bd92e1f

The only problem is that .md5 file contains checksum only, while it should contain the name of file as well, e.g. 3fd1cf4cd853f20fe3d9e7e63bd92e1f ERPNext-Dev.ova

Good that the develop image check sum is okay.

However, I am not going to use the production image unless I am sure that it also is okay. Perhaps it is me that just does not understand how to use the check sum:

I downloaded the production image file: `ERPNext-Production.ova
I then proceed by downloading the MD5 file: ERPNext-Production.ova.md5

I run the md5sum command: md5sum -b ERPNext-Production.ova
Result:
dbbc86c909a5601c7bb4c43816740237 *ERPNext-Production.ova

I open the file ERPNext-Production.ova.md5 as it is just a text file.
Contents:
a5cdcc996d10361fc8a0f2a13edfee1b

Should the the content of the MD5 file not be the same as the result of running the md5sum command directly (-b) on the OVA file with the image? (Besides the checksum file not containing the name of the file that it has the checksum for).

@Orion Thanks for reporting. Will fix this.

@shreyasp can you make sure the correct checksum is updated

CC @vjFaLk

@Orion Good catch!

Seems that the build failed. The Production VM is generated first, and then the Develop VM + Vagrant box, after that, MD5 hashes are generated. The Build failed right after the Production VM was generated which explains the newer Production VM, but older Dev VM and MD5 hashes. I actually had it setup to send me an email if it fails, but I didn’t get any.

@shreyasp You’ll have to login to the build server and run the build.py file manually and see what’s wrong. I don’t have access. An improvement could be to generate MD5 hash files after every successful image generation.

If one didn’t pay attention to this and is running that prod VM in production now … what should that person do?

Relax & keep going or reinstall & migrate?

The server wasn’t compromised, it was merely a failure of the builds completing and the MD5 hashes generating. However, if you don’t feel comfortable with that, just wait till the issue is resolved and all the images are updated and so are the md5 hashes.

Also, have a look at the date of the builds. Did you use that one specifically?

that means from your perspective anyone who might be running that VM could “Relax & keep going”, right?

Correct

@Orion @strixaluco

Develop -VM has been corrected and now there should not be any problems with MD5 sums.

Thanks, @shreyasp. Did you mean production VM? Develop image was fine.

@strixaluco

There was an issue with develop-vm image due to some missing dependencies which were added for integration services feature that was added to v7.1-beta. Had to add them and regenerate the images for develop.