Verifying JAR File after Installation – SIGNATURE MISMATCH

Hello Bisquists,

I have downloaded Bisq 1.6.4

OS: MacOS Mojave

I did the regular step to verify the binary:

gpg --digest-algo SHA256 --verify Bisq-1.6.4.dmg{.asc*,}

It worked fine.

However, there’s an issue with verifying the jar file in the bundle:

$ shasum -a256 desktop-1.6.4-all.jar
6ccd8b2d55ffbe58ea7498daffac287e719461528eec6f41ec1268280305362e  desktop-1.6.4-all.jar

Above output does not match the content of the file desktop-1.6.4-all.jar.SHA-256 which is also provided inside the bundle:

4d37b175aa0e75010d4acb526dadccbed242732630131c7226286009c7eba6c4

Hi @Palafox,

I’m replying to your post to +1 you on this problem.
Exact same issue here on MacOS Big Sur… The SHA-256 checksum provided in the release file (Bisq-1.6.4.jar.txt) doesn’t match the one I computed locally or that of this new file (desktop-1.6.4-all.jar.SHA-256).

Thanks for confirming on your side.

Someone’s looking into it:

thanks for reporting this. The build and packaging process did indeed change in v1.6.3/1.6.4 so we might have overlooked smth with the hash calculation. Looking into it

On Keybase: keybase://chat/bisq#support/23301

Yes, the hash verification doesn’t work right now as we get different jars on different OSes because of the new build that optimizes the jar for each OS. But what surprises me is that the jar you compute locally on macOS Big Sur is different to the one in Bisq.1.6.4.jar.txt as it is the one from the macOS jar build (which I do on a macOS Big Sur instance). I’ll have to double check if it is not a deterministic jar generation anymore. Did you build master or the release tag you compared with?
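
Added example, not part of the thread and not Bisq project code: when two builds of a jar give different SHA-256 values, comparing the archives entry by entry shows whether the difference is in the packaged content (for instance OS-specific files) or only in metadata such as timestamps and entry order, which is the non-determinism question raised above. The entry names and sample jars are constructed for illustration.

```python
import hashlib
import io
import zipfile

def jar_entries(data: bytes) -> dict:
    """Map entry name -> (SHA-256 of uncompressed content, stored timestamp)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {i.filename: (hashlib.sha256(zf.read(i)).hexdigest(), i.date_time)
                for i in zf.infolist()}

def compare_jars(a: bytes, b: bytes) -> dict:
    """Classify why two jar files hash differently."""
    ea, eb = jar_entries(a), jar_entries(b)
    common = ea.keys() & eb.keys()
    return {
        "file_hash_equal": hashlib.sha256(a).digest() == hashlib.sha256(b).digest(),
        "entry_order_equal": list(ea) == list(eb),
        "only_in_a": sorted(ea.keys() - eb.keys()),
        "only_in_b": sorted(eb.keys() - ea.keys()),
        "content_differs": sorted(n for n in common if ea[n][0] != eb[n][0]),
        # Same bytes inside the entry, different stored modification time.
        "timestamp_only": sorted(n for n in common
                                 if ea[n][0] == eb[n][0] and ea[n][1] != eb[n][1]),
    }

def make_jar(entries) -> bytes:
    """Build a constructed sample jar from (name, content, timestamp) tuples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content, ts in entries:
            zf.writestr(zipfile.ZipInfo(name, date_time=ts), content)
    return buf.getvalue()

# Constructed sample data (hypothetical entry names, not taken from a Bisq jar).
T1, T2 = (2021, 5, 1, 12, 0, 0), (2021, 5, 2, 9, 30, 0)
ENTRIES_A = [("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n", T1),
             ("app/Main.class", b"same-bytes", T1),
             ("app/Config.class", b"variant-a", T1),
             ("native/lib.dylib", b"macos-build", T1)]
ENTRIES_B = [("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n", T2),
             ("app/Main.class", b"same-bytes", T1),
             ("app/Config.class", b"variant-b", T1),
             ("native/lib.so", b"linux-build", T1)]
JAR_A, JAR_B = make_jar(ENTRIES_A), make_jar(ENTRIES_B)

if __name__ == "__main__":
    for key, value in compare_jars(JAR_A, JAR_B).items():
        print(f"{key}: {value}")
```

To use it on real files, read each jar with `open(path, "rb").read()` and pass the two byte strings to `compare_jars`.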