Arch Linux User Repository

ATTENTION:

This package is no longer needed for Chromium, it can download the component itself. With Chromium 81, you can either use this or let it download the component, but when Chromium 83 is updated in the Arch repos, it will ignore this package all together.

I'll maintain this package for a while for the other systems that use it.

Yes, nonce is going to be a real problem. I really don't like using SKIP for files, but I'm not seeing a good alternative in this case.

From a security standpoint it makes no sense to calculate the checksum of a file that was just downloaded. IF the upstream server was compromised you would never know because you use the hash you just calculated from a corrupt file.

If you don't care about the hash (because it is an EULA file which is only in the package for legal reasons) you would be better of using just "SKIP" in the place of the checksum in the sha256sums array.

It wouldn't hurt to make the checksum 'SKIP'...

I changed the sha256sums-array in PKGBUILD:

sha256sums=( $(sha256sum chrome-eula_text-$_license_date.html | cut -d ' ' -f 1) '07abdccd7c15f5abe68765c1162f2ab666b6478a4d578aa6351d5667cd983a48' '3fda44a5b8b222434530f27923568de1fda1eb0caa8621b56a8b2a6a2a2e3d5d' )

The first entry calculates the hash now directly from downloaded eula-file... installation works.

UPDATE: Segaja is right. Generally it is a bad idea to recalculate the hash value of a downloaded file. But it's just an EULA file in this case, so I see no problem.

I didn't know you could insert 'SKIP'... This would be also a solution, of course.

To avoid errors in checksums do this: yay -S --mflags --skipinteg chromium-widevine

Same error here. I think this nonce value should be stripped of the package in order for the package to be reproducible.

Getting an error with checksums:

==> Validating source files with sha256sums...
chrome-eula_text-20191018.html ... FAILED
google-chrome-stable_77.0.3865.120-1_amd64.deb ... Passed
get_cdm_version.c ... Passed
==> ERROR: One or more files did not pass the validity check!

The sha256sum for chrome-eula_text will keep changing now since it now has random nonce values generated by the server.

--- chrome-eula_text-20191017.html  2019-10-17 22:00:00.000000000 -0400
+++ chrome-eula_text-20191017a.html 2019-10-17 22:00:00.000000000 -0400
@@ -19,7 +19,7 @@
 <title>Google Chrome Terms of Service</title>
 <link href="https://www.google.com/images/icons/product/chrome-32.png" rel="icon" type="image/ico">
 <link href="https://www.google.com/chrome/privacy/eula_text.html" rel="canonical"> <!--[if (gte IE 10)|!(IE)]><!-->
-            <script nonce="B3sWAT0dO7y-QPVInYo8Nw">
+            <script nonce="LJJDTqDbWmaxs7XFm-my7A">
   (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
     (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
     m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
@@ -32,7 +32,7 @@
     linkSelector: 'a:not([ga-on])',
   });
 </script>
-            <script async src="https://www.gstatic.com/external_hosted/autotrack/autotrack.js" nonce="B3sWAT0dO7y-QPVInYo8Nw"></script> <!--<![endif]--><!--[if lte IE 9]>
+            <script async src="https://www.gstatic.com/external_hosted/autotrack/autotrack.js" nonce="LJJDTqDbWmaxs7XFm-my7A"></script> <!--<![endif]--><!--[if lte IE 9]>
             <script src="//www.google.com/js/gweb/analytics/autotrack.js"></script>
             <script>
   window.ga = new gweb.analytics.AutoTrack({
@@ -40,12 +40,12 @@
     cookiePath: '/chrome/'
   });
 </script> <![endif]--><!-- Google Tag Manager -->
-            <script nonce="B3sWAT0dO7y-QPVInYo8Nw">(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
+            <script nonce="LJJDTqDbWmaxs7XFm-my7A">(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
 new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],
 j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src=
 'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);
 })(window,document,'script','dataLayer','GTM-PZ6TRJB');</script><!-- End Google Tag Manager -->
-<link rel="stylesheet" href="/chrome/static/css/main.v2.min.css" nonce="B3sWAT0dO7y-QPVInYo8Nw">
+<link rel="stylesheet" href="/chrome/static/css/main.v2.min.css" nonce="LJJDTqDbWmaxs7XFm-my7A">
 </head>
 <body>

sha256 for the first file that is sourced (chrome-eula_text-20191018.html) should be 08d31de581547c896cce01a4aea70cc87696410635a8516d58d171e0fdc82fba

Looks like google updated the eula (now at 20191018), which in the PKGBUILD is found by the last modified date but (of course) the sha256 in the PKGBUILD (for the first file) is now incorrect.

I've updated on my local repo and have tested - installed fine after the corrected sha256.

I tried to install 1:4.10.1503.4-2 but:

"ERROR: One or more files did not pass the validity check!"