Package Details: chromium-widevine 1:4.10.2830.0-1

Git Clone URL: https://aur.archlinux.org/chromium-widevine.git (read-only, click to copy)
Package Base: chromium-widevine
Description: A browser plugin designed for the viewing of premium video content
Upstream URL: https://www.widevine.com/
Keywords: amazon chrome netflix prime webengine
Licenses: custom
Submitter: Scimmia
Maintainer: envolution
Last Packager: envolution
Votes: 419
Popularity: 0.086262
First Submitted: 2015-04-17 05:05 (UTC)
Last Updated: 2024-12-02 19:14 (UTC)

Latest Comments

« First ‹ Previous 1 2 3 4 5 6 7 8 9 .. 36 Next › Last »

Vrakfall commented on 2019-10-18 14:37 (UTC)

Which seems to have been changed again? Or am I hallucinating?

Scimmia commented on 2019-10-18 14:00 (UTC)

Yes, nonce is going to be a real problem. I really don't like using SKIP for files, but I'm not seeing a good alternative in this case.

Segaja commented on 2019-10-18 13:41 (UTC)

From a security standpoint it makes no sense to calculate the checksum of a file that was just downloaded. IF the upstream server was compromised you would never know because you use the hash you just calculated from a corrupt file.

If you don't care about the hash (because it is an EULA file which is only in the package for legal reasons) you would be better of using just "SKIP" in the place of the checksum in the sha256sums array.

xuanruiqi commented on 2019-10-18 11:05 (UTC)

It wouldn't hurt to make the checksum 'SKIP'...

dari-it commented on 2019-10-18 10:33 (UTC) (edited on 2019-10-18 14:02 (UTC) by dari-it)

I changed the sha256sums-array in PKGBUILD:

sha256sums=( $(sha256sum chrome-eula_text-$_license_date.html | cut -d ' ' -f 1) '07abdccd7c15f5abe68765c1162f2ab666b6478a4d578aa6351d5667cd983a48' '3fda44a5b8b222434530f27923568de1fda1eb0caa8621b56a8b2a6a2a2e3d5d' )

The first entry calculates the hash now directly from downloaded eula-file... installation works.

UPDATE: Segaja is right. Generally it is a bad idea to recalculate the hash value of a downloaded file. But it's just an EULA file in this case, so I see no problem.

I didn't know you could insert 'SKIP'... This would be also a solution, of course.

p4c0m3yp4b3b3 commented on 2019-10-18 10:16 (UTC)

To avoid errors in checksums do this: yay -S --mflags --skipinteg chromium-widevine

nightuser commented on 2019-10-18 10:15 (UTC)

Same error here. I think this nonce value should be stripped of the package in order for the package to be reproducible.

xuanruiqi commented on 2019-10-18 10:03 (UTC)

Getting an error with checksums:

==> Validating source files with sha256sums...
chrome-eula_text-20191018.html ... FAILED
google-chrome-stable_77.0.3865.120-1_amd64.deb ... Passed
get_cdm_version.c ... Passed
==> ERROR: One or more files did not pass the validity check!

compguy284 commented on 2019-10-18 07:07 (UTC) (edited on 2019-10-18 07:32 (UTC) by compguy284)

The sha256sum for chrome-eula_text will keep changing now since it now has random nonce values generated by the server.

--- chrome-eula_text-20191017.html  2019-10-17 22:00:00.000000000 -0400
+++ chrome-eula_text-20191017a.html 2019-10-17 22:00:00.000000000 -0400
@@ -19,7 +19,7 @@
 <title>Google Chrome Terms of Service</title>
 <link href="https://www.google.com/images/icons/product/chrome-32.png" rel="icon" type="image/ico">
 <link href="https://www.google.com/chrome/privacy/eula_text.html" rel="canonical"> <!--[if (gte IE 10)|!(IE)]><!-->
-            <script nonce="B3sWAT0dO7y-QPVInYo8Nw">
+            <script nonce="LJJDTqDbWmaxs7XFm-my7A">
   (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
     (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
     m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
@@ -32,7 +32,7 @@
     linkSelector: 'a:not([ga-on])',
   });
 </script>
-            <script async src="https://www.gstatic.com/external_hosted/autotrack/autotrack.js" nonce="B3sWAT0dO7y-QPVInYo8Nw"></script> <!--<![endif]--><!--[if lte IE 9]>
+            <script async src="https://www.gstatic.com/external_hosted/autotrack/autotrack.js" nonce="LJJDTqDbWmaxs7XFm-my7A"></script> <!--<![endif]--><!--[if lte IE 9]>
             <script src="//www.google.com/js/gweb/analytics/autotrack.js"></script>
             <script>
   window.ga = new gweb.analytics.AutoTrack({
@@ -40,12 +40,12 @@
     cookiePath: '/chrome/'
   });
 </script> <![endif]--><!-- Google Tag Manager -->
-            <script nonce="B3sWAT0dO7y-QPVInYo8Nw">(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
+            <script nonce="LJJDTqDbWmaxs7XFm-my7A">(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
 new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],
 j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src=
 'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);
 })(window,document,'script','dataLayer','GTM-PZ6TRJB');</script><!-- End Google Tag Manager -->
-<link rel="stylesheet" href="/chrome/static/css/main.v2.min.css" nonce="B3sWAT0dO7y-QPVInYo8Nw">
+<link rel="stylesheet" href="/chrome/static/css/main.v2.min.css" nonce="LJJDTqDbWmaxs7XFm-my7A">
 </head>
 <body>

j.taala commented on 2019-10-18 06:49 (UTC) (edited on 2019-10-18 06:59 (UTC) by j.taala)

sha256 for the first file that is sourced (chrome-eula_text-20191018.html) should be 08d31de581547c896cce01a4aea70cc87696410635a8516d58d171e0fdc82fba

Looks like google updated the eula (now at 20191018), which in the PKGBUILD is found by the last modified date but (of course) the sha256 in the PKGBUILD (for the first file) is now incorrect.

I've updated on my local repo and have tested - installed fine after the corrected sha256.