SnapinClient ERROR: Hash does not match
-
Hello,
On installed FOG dev-branch version: 1.5.10.1854 I have a problem with deploying snapins.
fogclient downloads file in C:\Program Files (x86)\FOG\tmp. The size of file is usually 1kb.
In the FOG log I get: SnapinClient ERROR: Hash does not match

I have checked on server sha512sum and size of installation file and it seems ok.

Any help is much appreciated.
-
@GregorS The file size is likely the problem. The EXE you have is literally 1KB (on the machine I suspect was the one expecting the file)?
How big is the actual file on the server? FOG Client is saying “the file we got doesn’t match what is expected as per the information on the server”
-
@Tom-Elliott The file is 16MB.

-
@GregorS Right, the problem is the download failed. Why it failed, I don’t know.
Basically the FOG Client isn’t downloading the file right now, at least not fully.
Are you able to read the file as in a text?
Maybe there’s textual data hidden in there:
You can usually do that with something like opening cmd and running:
type "filename"
If the file is still recognized as binary data the command window may show wonky characters, but otherwise no less wear or tear or anything and you’re not accidentally running a broken application on the system. You’re literally just trying to read the contents of the file.
I am sneakily suspecting a change to how we’re trying to clean up potential XSS Unauth paths is causing this problem and will want to get it fixed.
While I could try to replicate the problem myself, it’s not a simple thing to replicate, at least on my side of things, anymore.

-
@Tom-Elliott said in SnapinClient ERROR: Hash does not match:
Are you able to read the file as in a text?
Yes. See picture attached.

-
This is the same file downloaded from the same fog server (just with powershell iwr and saved to different folder)

Hope it helps…
-
@GregorS Well, the good news is it is binary data (that’s why it looks so garbled); the bad news is it’s not downloading the whole file, which is why you’re getting the error. Do any snapins work? Or are all snapins broken?
-
@Tom-Elliott I tried 3 snapins all returned SnapinClient ERROR: Hash does not match…
-
Found it. The ~1KB you were seeing isn’t a truncated snapin — it’s a 6-byte #!auth error response that the FOG Client wrote to disk and then hashed (which of course doesn’t match the real snapin’s SHA512).
The root cause is on me. A recent security patch on dev-branch added a token check on the snapin download/checkin endpoints, but the deployed FOG Client doesn’t know to send that token — so every legitimate snapin download was getting rejected with #!auth. Closing one hole, opening a different one. Sorry about that.
I’ve reverted the patch on both dev-branch and working-1.6. If you pull the latest and re-run the installer (or just git pull + your usual deploy method), snapins should start working again. Versions to look for:
dev-branch: 1.5.10.1856
working-1.6: 1.6.0-beta.2336
The underlying security issue this was meant to address still needs a real fix, but that requires coordinated changes to both the server and the FOG Client itself, so it’ll be a future release rather than a hotfix.
Let me know if pulling the revert gets your snapins running, and thanks for the detailed report — the “binary garbage” file you described was the clue that cracked it.
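
The failure mode diagnosed in this thread (a #!auth status body saved to disk and hashed as if it were the snapin) can be told apart from a truncated or altered download before the hash is even compared. The Python sketch below is an added example, not FOG Client or FOG server code; the `#!` prefix test (generalised from the `#!auth` body above), the 64-byte cutoff, the function names and the sample files are all assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

STATUS_PREFIX = b"#!"  # assumption: generalised from the "#!auth" body in this thread
MAX_STATUS_LEN = 64    # assumption: a status body is a few bytes, never an installer


def sha512_file(path, chunk=1 << 20):
    """Stream the file so a large snapin is not read into memory at once."""
    digest = hashlib.sha512()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def triage_download(path, expected_size, expected_sha512):
    """Say why a downloaded snapin does not match, before anything runs it."""
    size = Path(path).stat().st_size
    if size <= MAX_STATUS_LEN:
        head = Path(path).read_bytes()
        if head.startswith(STATUS_PREFIX):
            # The server sent a status code instead of the file.
            return "server-status:" + head.decode("ascii", "replace").strip()
    if size != expected_size:
        return f"size-mismatch:{size}/{expected_size}"
    if sha512_file(path).lower() != expected_sha512.lower():
        return "hash-mismatch"
    return "ok"


def demo():
    """Constructed samples: a fake 4 KiB 'installer' and three bad downloads."""
    payload = bytes(range(256)) * 16
    want = hashlib.sha512(payload).hexdigest()
    results = {}
    with tempfile.TemporaryDirectory() as d:
        samples = {"good.exe": payload, "rejected.exe": b"#!auth",
                   "partial.exe": payload[:1000], "tampered.exe": payload[:-1] + b"\x00"}
        for name, body in samples.items():
            target = Path(d) / name
            target.write_bytes(body)
            results[name] = triage_download(target, len(payload), want)
    return results


if __name__ == "__main__":
    print(demo())
```

Reporting the status body separately from a size or hash mismatch points straight at a server-side rejection rather than at a corrupt file or a network fault.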