Bug 14866

Summary: sha256sum reports false mismatch if input not delimited by two spaces
Product: Busybox Reporter: rittneje+bugzilla
Component: OtherAssignee: unassigned
Status: RESOLVED FIXED    
Severity: normal CC: busybox-cvs
Priority: P5    
Version: unspecified   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Host: Target:
Build:

Description rittneje+bugzilla 2022-06-24 20:29:59 UTC 
For some reason, the Alpine version of sha256sum requires two spaces between the hash and file path. No other version of sha256sum has this requirement.

See https://github.com/alpinelinux/docker-alpine/issues/246 for further details.
Comment 1 wolf+busybox 2022-06-26 17:23:31 UTC 
As far as I know all versions of sha256sum do generate the output with two spaces (or rather, one space and one character for mode indicator). Why do you feed it something else?
Comment 2 rittneje+bugzilla 2022-06-26 18:21:14 UTC 
Particularly with a Dockerfile, people are not always literally feeding the output of sha256sum to itself. It's pretty common to hand-write the echo instead. And the double space is very easy to overlook.

As I mentioned, this is particularly confusing because (1) no other implementation of sha256sum cares, and (2) this implementation never clearly states what the problem is. Consequently people come to the conclusion that it is broken.
Comment 3 Denys Vlasenko 2022-07-11 12:38:20 UTC 
Fixed in git
Comment 4 Evan Carroll 2023-02-26 15:50:11 UTC 
I'm currently using alpine:latest which is still running BusyBox 1.35 and it's affected by this specific bug, but I can't find the source code or patch for sha256sum in the BusyBox project. This was in fact very confusing. It's easy to introduce this bug in the system with `echo`, which will take two arguments and always use 1 space when joining them.

# sha256sum myfile.xz 
8f55c5a97591f1bebdeaff02cdd0d19b8161c1bcba4f2009a7e204c57c85981b  myfile.xz
# echo 8f55c5a97591f1bebdeaff02cdd0d19b8161c1bcba4f2009a7e204c57c85981b  myfile.xz
8f55c5a97591f1bebdeaff02cdd0d19b8161c1bcba4f2009a7e204c57c85981b myfile.xz
# echo 8f55c5a97591f1bebdeaff02cdd0d19b8161c1bcba4f2009a7e204c57c85981b  myfile.xz | sha256sum -c
sha256sum: WARNING: 1 of 1 computed checksums did NOT match
# echo "8f55c5a97591f1bebdeaff02cdd0d19b8161c1bcba4f2009a7e204c57c85981b  myfile.xz" | sha256sum -c
myfile.xz: OK
Comment 5 Denys Vlasenko 2023-02-27 16:46:48 UTC 
commit 3ad3aa6441ebaf817137051de2b74cb6b4379e7f
Author: Denys Vlasenko <vda.linux@googlemail.com>
Date:   Mon Jul 11 14:36:39 2022 +0200

    shaNNNsum: accept one-space "HASH FILENAME" format for -c, closes 14866