@metaanon, @huck, I added a check against checksum from binance file, PKGBUILD declared and checksum of the deb file downloaded... I feel more secure with this. Feel free to optimze if needed it.
Search Criteria
Package Details: binance 1.54.17-1
Package Actions
| Git Clone URL: | https://aur.archlinux.org/binance.git (read-only, click to copy) |
|---|---|
| Package Base: | binance |
| Description: | The Binance desktop application |
| Upstream URL: | https://www.binance.com/en/download |
| Keywords: | binance crypto electron |
| Licenses: | unknown |
| Submitter: | strahe |
| Maintainer: | strahe (metaanon, tyjak) |
| Last Packager: | metaanon |
| Votes: | 35 |
| Popularity: | 0.40 |
| First Submitted: | 2020-09-10 08:20 (UTC) |
| Last Updated: | 2025-03-26 13:31 (UTC) |
Dependencies (2)
- coreutils (coreutils-gitAUR, busybox-coreutilsAUR, coreutils-selinuxAUR, coreutils-uutilsAUR) (check)
- curl (curl-gitAUR, curl-c-aresAUR) (check)
Required by (0)
Sources (1)
tyjak commented on 2021-04-28 08:44 (UTC)
tyjak commented on 2021-04-28 07:29 (UTC)
@huck, I'm totally agree with you, I did the check for 1.14.3-1. I'm co-maintainer, and I'm wondering if it's possible to add a check in the install script, since Binance could be updated very frequently... Like get the sha256sum from binance and check it against the deb file downloaded and against the sha256sum from PKGBUILD in the install procedure.
Otherwise, I'm thinking of not installing by AUR, if I can't be sure that the sha256sum is verified by one of the co-maintainer...
Todd commented on 2021-04-28 00:37 (UTC)
I see that this package is updated with the latest binance application release. However, after downloading the .deb file from binance.com and attempting to verify it with the sha256 checksum does not verify the application as original. Therefore, the application could contain malware or binance must not have updated the checksum. I am assuming that you didn't verify the application prior to updating the AUR package with the lasted release either. I would be wary of upgrading the binance application to its latest version until binance has updated the checksum.
dougEfish commented on 2021-04-23 10:40 (UTC) (edited on 2021-04-23 10:41 (UTC) by dougEfish)
1.15.2
diff --git a/.SRCINFO b/.SRCINFO
index 699d6d6..7c61a17 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,13 +1,13 @@
pkgbase = binance
pkgdesc = The Binance desktop application
- pkgver = 1.15.1
+ pkgver = 1.15.2
pkgrel = 1
url = https://www.binance.com/en/download
arch = x86_64
license = unknown
depends = electron
- source = binance-1.15.1.deb::https://ftp.binance.com/electron-desktop/linux/production/binance-amd64-linux.deb
- sha256sums = fa6edaa265b3870c7a449b315dc2bc5b68fd459801dd71672c6454872a161536
+ source = binance-1.15.2.deb::https://ftp.binance.com/electron-desktop/linux/production/binance-amd64-linux.deb
+ sha256sums = 00f85c34fdb270fb0e3f030c07ed00faef28273a0dc8dc0433929ed22deeb53f
pkgname = binance
diff --git a/PKGBUILD b/PKGBUILD
index 9bd9df9..3d7be8c 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -3,7 +3,7 @@
# Maintainer: tyjak
pkgname=binance
-pkgver=1.15.1
+pkgver=1.15.2
pkgrel=1
pkgdesc="The Binance desktop application"
arch=('x86_64')
@@ -12,7 +12,7 @@ license=('unknown')
depends=('electron')
source=('https://ftp.binance.com/electron-desktop/linux/production/binance-amd64-linux.deb')
source=("${pkgname}-${pkgver}.deb::https://ftp.binance.com/electron-desktop/linux/production/binance-amd64-linux.deb")
-sha256sums=('fa6edaa265b3870c7a449b315dc2bc5b68fd459801dd71672c6454872a161536')
+sha256sums=('00f85c34fdb270fb0e3f030c07ed00faef28273a0dc8dc0433929ed22deeb53f')
package() {
bsdtar -xv -C "${pkgdir}" -f "${srcdir}/data.tar.xz"
ast commented on 2021-04-20 19:10 (UTC)
@metaanon, 1.15.1 is working perfectly. Really appreciate your effort. Thanks!
metaanon commented on 2021-04-20 19:04 (UTC)
This package had already been flagged out of date. Binance don't version their releases, just replace the file and sha with a newer one. Nothing I can do about that. I've updated the aur package to 1.15.1 so you should be good to go.
ast commented on 2021-04-20 18:39 (UTC) (edited on 2021-04-20 18:46 (UTC) by ast)
It keeps happening even after re-downloading the package a couple of times.
==> Making package: binance 1.15.0-1
==> Checking runtime dependencies...
==> Checking buildtime dependencies...
==> Retrieving sources...
-> Downloading binance-1.15.0.deb...
==> Validating source files with sha256sums...
binance-1.15.0.deb ... FAILED
==> ERROR: One or more files did not pass the validity check!
Failed to build binance
metaanon commented on 2021-03-21 09:50 (UTC)
Now I'm a co-maintainer on this package I've updated to the latest version and tried to address some of the issues mentioned by @ainola.
If anyone has any issues please let me know.
ainola commented on 2021-03-21 04:32 (UTC)
Maintainers, please review the PKGBUILD here as it has multiple flaws that require addressing:
-
Do not skip the checksum. Please bug upstream about having versioned releases so that their pushing an update does not break the published version here.
-
Remove unused lines such as optdepends()
-
There are no dependencies listed, which is likely incorrect.
-
Quote your shell variables.
waasl commented on 2021-03-13 20:07 (UTC)
Thank you, great up to date package from the source, verified checksum, easy install, no bloatware (electron). Just werks.
Pinned Comments
metaanon commented on 2021-05-13 07:29 (UTC) (edited on 2021-05-13 08:08 (UTC) by metaanon)
Binance don't version their binaries. They simply replace the binance-amd64-linux.deb with a newer version. This means you will correctly receive a validity check error as the deb file no longer matches with the SHA sum.
Please confirm the latest Binance version and then mark this package as out of date.
Unless Binance change their release strategy or someone can come up with a clever solution, it is what it is.