
Update Influxdb checksum #381

Merged
merged 1 commit into from
Dec 19, 2020

Conversation

karthick-rn
Contributor

Whilst setting up the cluster for testing Accumulo 1.10.1-rc1, I noticed the Influxdb 1.8.3 checksum had changed at the source end on 12 Nov 2020. This was after #379.

Member

@ctubbsii ctubbsii left a comment


That is weird that they changed the RPM but didn't bump the version number. Very strange. However, it does look like the RPM itself has a valid GPG signature, though I do not know what InfluxDB's official GPG key is to verify the trust chain. This new SHA512 is correct, though, for what's currently there as the 1.8.3 RPM.

@karthick-rn
Contributor Author

That is weird that they changed the RPM but didn't bump the version number. Very strange. However, it does look like the RPM itself has a valid GPG signature, though I do not know what InfluxDB's official GPG key is to verify the trust chain. This new SHA512 is correct, though, for what's currently there as the 1.8.3 RPM.

Yeah, it does seem strange. I've sent the below email to support@influxdata.com. For now, I'll go-ahead and merge this change. Thanks

Hello,
I've been using the stable Influxdb v1.8.3 from the repository. Recently, when downloading "influxdb-1.8.3.x86_64.rpm" using the Ansible yum module, it failed due to a mismatch in the checksum. I then noticed the RPM had been modified on 12 Nov 2020. This seems strange; I'd have thought existing stable versions, once created, won't be modified, and that any changes would result in a new version of influxdb, thereby producing a new checksum.
Fortunately, I had a copy of the original RPM file, on which I ran cksum (1). Comparing this to the updated RPM (2), I see the file size remains the same (64097226). Do you know if anything actually changed in the updated RPM that has produced a different checksum?
 
1)
$ cksum influxdb-1.8.3.x86_64.rpm 
281633092 64097226 influxdb-1.8.3.x86_64.rpm

2)
$ cksum new/influxdb-1.8.3.x86_64.rpm 
2130743016 64097226 new/influxdb-1.8.3.x86_64.rpm

Thanks,
Karthick

@karthick-rn karthick-rn merged commit b21c3da into apache:main Dec 19, 2020
@milleruntime
Contributor

@karthick-rn Thanks for sending that inquiring email. I would be curious as to their response as to the reason for the change.

@ctubbsii
Member

My current guess is that they aren't using the Release: field in the SPEC file properly when they make packaging fixes, since the filename doesn't contain an expected -%release component after the %version.

@karthick-rn
Contributor Author

@karthick-rn Thanks for sending that inquiring email. I would be curious as to their response as to the reason for the change.

Sure @milleruntime I'll update here once I hear back. Currently, I've been told the support engineer is reviewing the case & handed over the case # 00096537.

@karthick-rn
Contributor Author

Response from Influxdb support:

Hello Karthick,
We don't have any further updates at the moment on the checksum issue you reported since it looks like nothing has changed with the RPMs. At this point, can you let me know if any issues persist on your end or if we can close this ticket for now?
Best,
Onofre E.
Technical Support Engineer

My response:

Hello Onofre,
Thanks for the response. If the updated RPM is the same as the original RPM, wondering why the checksum would be different?
On our side, we have updated the new SHA512 checksum & able to download/install Influxdb successfully, however we are curious to understand this to avoid such failures in future.
Regards,
Karthick

@ctubbsii
Member

ctubbsii commented Jan 4, 2021

Hmm, it seems like they are unaware that their RPM actually did change. I wonder if anybody has a copy of the old one, so we can compare the two. It's possible it changed in a benign way (like by signing the RPM with rpm --addsign, which would have changed the checksum), but it would be nice to have both to compare to see what actually happened. Until it is figured out, I would probably avoid using features involving InfluxDB, as a lack of a good explanation is disturbing.

@karthick-rn
Contributor Author

I compared the 2 RPMs using pkgdiff and attached the report. Below is the screenshot of the actual change between the RPMs. As @ctubbsii rightly pointed out, they've signed the RPM again on 12 Nov 2020, and apart from that there were no other changes. Not sure why they had to sign a package that was already released. I'll feed this back to the support team for more info.

[screenshot of the pkgdiff report; image not reproduced here]

@ctubbsii
Member

ctubbsii commented Jan 4, 2021

Thanks @karthick-rn ! I haven't heard about pkgdiff before, but it seems useful. From the report, it doesn't look like it checks the scriptlets, though (or other RPM header tags).

For me to have confidence that nothing important changed, I would probably want to do a direct comparison of the CPIO payloads in each (extracted with rpm2cpio file > file.cpio), and then also compare scripts with rpm -qp --scripts file.rpm. Since you seem to have a copy of the original RPM, before the change, can you upload it somewhere that can be shared for others to do additional checks if they wish (or to reproduce your checks)?

@karthick-rn
Contributor Author

Sure @ctubbsii. I have put the 2 RPMs in the zip file and they can be accessed via this link. This link will be active until 08 Jan 19:55 hrs.

@ctubbsii
Member

ctubbsii commented Jan 4, 2021

@karthick-rn Thanks. I uploaded them to here along with some helpful information for reference.

@ctubbsii
Member

ctubbsii commented Jan 4, 2021

I also confirmed (with rpm2cpio) that both CPIO payloads were identical, and confirmed (with rpm -qp --xml) that the only differences in the RPM header were the expected different Sigpgp and Rsaheader header tags. I double-checked with rpm -qp --scripts also, but that was a bit redundant, since --xml includes the scriptlets.

So, it really does appear that the only thing that changed was that somebody re-signed the RPM. Weird, but at least, we know the content didn't change in any way that would be a risk.
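The check described in the two comments above (identical CPIO payloads, and a header that differs only in the Sigpgp and Rsaheader signature tags) can be reproduced without the rpm tooling by parsing the RPM container directly. The following is an added example written for this page, not code from fluo-muchos or from InfluxData: it parses the lead, signature header, main header (which also carries the scriptlets) and payload of two RPM files, reports whether the main-header bytes and payload bytes are identical, and lists which signature-header tags changed. The two sample packages it builds are constructed in-line and are not the real InfluxDB RPMs; the tag numbers used (1000/1001/1024 in the main header, 1000/1002/268 in the signature header) are assumed from rpmtag.h and only matter for the constructed sample.

```python
"""Compare two RPM files structurally, ignoring only the signature header.

Added example (not fluo-muchos or InfluxData code). Two packages are
"re-signed only" when main header and payload bytes are identical and the
only differing entries live in the signature header.
"""
import hashlib
import struct

RPM_LEAD_MAGIC = b"\xed\xab\xee\xdb"
HEADER_MAGIC = b"\x8e\xad\xe8\x01"
LEAD_SIZE = 96
# Header entry types and their fixed element sizes: CHAR, INT8, INT16, INT32, INT64, BIN
FIXED_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1}
STRING_TYPES = (6, 8, 9)  # STRING, STRING_ARRAY, I18NSTRING: NUL-terminated


def _entry_bytes(data, typ, off, count):
    """Raw bytes of one header entry, given its data type and element count."""
    if typ in FIXED_SIZE:
        return data[off:off + FIXED_SIZE[typ] * count]
    if typ in STRING_TYPES:
        end = off
        for _ in range(count):  # `count` NUL-terminated strings
            end = data.index(b"\x00", end) + 1
        return data[off:end]
    raise ValueError("unknown header entry type %d" % typ)


def _read_header(buf, off):
    """Parse one header structure at `off`; return ({tag: (type, bytes)}, end offset)."""
    if buf[off:off + 4] != HEADER_MAGIC:
        raise ValueError("bad header magic at offset %d" % off)
    nindex, hsize = struct.unpack(">II", buf[off + 8:off + 16])
    index_start = off + 16
    data_start = index_start + 16 * nindex
    data = buf[data_start:data_start + hsize]
    entries = {}
    for i in range(nindex):
        tag, typ, doff, count = struct.unpack(
            ">IIII", buf[index_start + 16 * i:index_start + 16 * (i + 1)])
        entries[tag] = (typ, _entry_bytes(data, typ, doff, count))
    return entries, data_start + hsize


def parse_rpm(buf):
    """Split an RPM into signature entries, raw main-header bytes and payload bytes."""
    if buf[:4] != RPM_LEAD_MAGIC:
        raise ValueError("not an RPM (bad lead magic)")
    sig, sig_end = _read_header(buf, LEAD_SIZE)
    hdr_start = sig_end + (-sig_end) % 8  # signature header is padded to 8 bytes
    hdr, hdr_end = _read_header(buf, hdr_start)
    return {"sig": sig, "header_raw": buf[hdr_start:hdr_end], "payload": buf[hdr_end:]}


def compare_rpms(old, new):
    """Report which parts differ. Header and payload identical => re-sign only."""
    a, b = parse_rpm(old), parse_rpm(new)
    changed = sorted(t for t in set(a["sig"]) | set(b["sig"])
                     if a["sig"].get(t) != b["sig"].get(t))
    return {
        "header_identical": a["header_raw"] == b["header_raw"],
        "payload_identical": a["payload"] == b["payload"],
        "payload_sha256": hashlib.sha256(b["payload"]).hexdigest(),
        "changed_sig_tags": changed,
    }


# --- constructed sample packages (not real InfluxDB RPMs) -------------------

def _build_header(entries):
    """Serialise [(tag, type, raw_bytes, count)] into an RPM header structure."""
    index, data = b"", b""
    for tag, typ, raw, count in entries:
        align = {3: 2, 4: 4, 5: 8}.get(typ, 1)
        data += b"\x00" * ((-len(data)) % align)  # integers are naturally aligned
        index += struct.pack(">IIII", tag, typ, len(data), count)
        data += raw
    return HEADER_MAGIC + b"\x00" * 4 + struct.pack(">II", len(entries), len(data)) + index + data


def build_rpm(sig_entries, hdr_entries, payload):
    """Assemble lead + padded signature header + main header + payload."""
    lead = RPM_LEAD_MAGIC + bytes([3, 0]) + b"\x00" * (LEAD_SIZE - 6)
    sig = _build_header(sig_entries)
    sig += b"\x00" * ((-len(sig)) % 8)
    return lead + sig + _build_header(hdr_entries) + payload


PAYLOAD = b"constructed-cpio-payload-bytes"  # stands in for the compressed cpio archive
HEADER = [(1000, 6, b"influxdb\x00", 1),                  # RPMTAG_NAME (assumed tag numbers)
          (1001, 6, b"1.8.3\x00", 1),                     # RPMTAG_VERSION
          (1024, 6, b"systemctl daemon-reload\x00", 1)]   # RPMTAG_POSTIN scriptlet


def sample_rpms():
    """Original, re-signed, and tampered variants of the same constructed package."""
    def sig(pgp, rsa):
        return [(1000, 4, struct.pack(">I", len(PAYLOAD)), 1),  # RPMSIGTAG_SIZE
                (1002, 7, pgp, len(pgp)),                       # RPMSIGTAG_PGP -> "Sigpgp"
                (268, 7, rsa, len(rsa))]                        # RPMSIGTAG_RSA -> "Rsaheader"
    original = build_rpm(sig(b"sig-2020-10", b"hdr-2020-10"), HEADER, PAYLOAD)
    resigned = build_rpm(sig(b"sig-2020-11", b"hdr-2020-11"), HEADER, PAYLOAD)
    tampered = build_rpm(sig(b"sig-2020-11", b"hdr-2020-11"), HEADER, PAYLOAD + b"X")
    return original, resigned, tampered


if __name__ == "__main__":
    orig, resigned, tampered = sample_rpms()
    print("re-signed:", compare_rpms(orig, resigned))
    print("tampered: ", compare_rpms(orig, tampered))
```

On real files, call compare_rpms(open(old, "rb").read(), open(new, "rb").read()). header_identical and payload_identical both True, with changed_sig_tags confined to signature entries, is the "re-signed only" outcome this thread arrived at; any header or payload difference is the case that needs the rpm2cpio and rpm -qp --xml investigation before a new checksum is accepted into the defaults file.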

@karthick-rn
Contributor Author

Thanks @ctubbsii for confirming. I have included the checks you performed & uploaded the reports from pkgdiff to the support case. This should give them more information than they actually need to tell us why the RPM was re-signed.

@karthick-rn
Contributor Author

Response from Influxdb support:

07 Jan 2021:

"I've checked with our team but it looks like there is no specific reason as to why it may have changed. I'll continue to check to see if our dev team may have further feedback."

11 Jan 2021:

"Our team doesn't have any additional information in regards to any changes to the RPM signature. At this point, we will proceed to close this ticket but feel free to reach out if the issue resurfaces."

"We believe we have addressed your support request #00096537 - Checksum mismatch Influxdb 1.8.3. This request has been marked "solved." Please review resolution details below.
Overall Issue: Customer reported a checksum mismatch for InfluxDB 1.8.3 OSS.
Issue Cause: N/A
Issue Resolution: Our team didn't determine whether any changes to the RPM signature were made.
If you need further assistance, reply to this e-mail so that we can continue to assist you."

Support was unable to clarify why the RPM was re-signed. Given that we have checked both the old and new RPMs and found the content has not changed, I think it's safe to use Influxdb features in fluo-muchos. However, if we see the checksum changing again, then we'll report that here: https://github.com/influxdata/influxdb/issues. Let me know if you have any other thoughts.

ctubbsii pushed a commit that referenced this pull request Oct 7, 2021
The influxdb checksum appears to have changed again (see #381)
due to re-signing the RPM. The contents of the RPM were verified
to not have changed. Both the RPM scriptlets/metadata and the CPIO
payload are identical, but the GPG signature has a newer timestamp.

To make it clear that the checksum provided is for the influxdb package
found under https://repos.influxdata.com/centos/7/x86_64/stable/,
specify the entire URL in the defaults file rather than specify only the
name and include the rest of the URL in the get_url task.