Clumps

Clumps

206M Downloads

Differing JAR Checksums Between Modrinth and Curseforge

Wyatt-James opened this issue ยท 6 comments

commented

Both Clumps-fabric-1.20.1-12.0.0.3.jar and Clumps-fabric-1.20.2-13.0.0.1.jar have identical JAR file sizes but different checksums between their Modrinth and Curseforge downloads. Inspecting the file in a hex editor shows pretty large differences. Could an explanation be provided?

Checksums all calculated by 7-zip 19.00 (x64) 2019-02-21 via Windows Context Menu option. All are SHA256.

Clumps-fabric-1.20.1-12.0.0.3 from Curseforge: DDB1062AC855E465C7C27C99668AA18F5C6087CA391B6754EEB959220CC4DCDE
Clumps-fabric-1.20.1-12.0.0.3 from Modrinth: EBE1D60192183F120D6D572B6EBE6562892A2783BC5A7F28A599497E10523B7E

Clumps-fabric-1.20.2-13.0.0.1 from CurseForge: 0076C660C637DF05E6D1981764AA8BC6E85F9C95065850D417E513FA5CF2266E
Clumps-fabric-1.20.2-13.0.0.1 from Modrinth: E64F7CF56B65AA551B033CEE4DFE26D659293933C3B25DFA2778B0E96366D717

commented

Now that is super interesting, my build scripts should be building the file once and uploading the same file to both platforms, as well as my maven, could you ease compare the files from here https://maven.blamejared.com/com/blamejared/clumps/

And see which site they match with, I'm wondering if some site is doing weird things they shouldn't be.

commented

Clumps, moborigins-1.11.1.jar, and shulkerboxtooltip-fabric-4.0.4+1.20.1.jar. All Fabric versions, and I haven't gotten around to checking any other releases of these mods yet.

MobOrigins is nearly identical, but many bytes throughout the JAR file are 0x4B on the Modrinth release and 0x5B on the CurseForge release. They seem to be only different in file headers, though I won't pretend to know exactly what they are for. The META-INF is also different, as expected.

Shulker Box Tooltip has a very different JAR layout (again, inspected in a hex editor) and is also 2 bytes smaller in the Modrinth release (1215693 vs 1215695 bytes).

commented

Clumps-fabric-1.20.2-13.0.0.1 from blamejared: 0076C660C637DF05E6D1981764AA8BC6E85F9C95065850D417E513FA5CF2266E
Clumps-fabric-1.20.1-12.0.0.3 from blamejared: DDB1062AC855E465C7C27C99668AA18F5C6087CA391B6754EEB959220CC4DCDE

The included .sha256 files from your repository also match these values.
It would appear that CurseForge is a match, but Modrinth is different.

It is worth noting that, out of 36 1.20.1 mods that I have checked for a server deployment, only three have been different between Modrinth and an alternate source, Clumps included. The alternate source is usually Curseforge, but sometimes GitHub if there is no corresponding Curseforge release. The other 33 mods compute the same checksum from both sites.

commented

Could you please provide the name of those three mods, I would like to take a look at their build systems and see if I can see anything that is similar in mine.

I also compared a few files of other mods from curseforge and modrinth and have not found other cases of differing hashes.

commented

Here are the SHA256 checksums for my copies of both of those mods:

moborigins-1.11.1.jar Curseforge: A417E6EF6F8217CAF9FACF0173AE7F31BB7A3CED6B8B4E16ABBAF6F26C8AF084
moborigins-1.11.1.jar Modrinth: 57D83E17257F33CA54A486254DBF14BBEDBA6F22CA43850E8BA46E500EE6A808

shulkerboxtooltip-fabric-4.0.4+1.20.1.jar CurseForge: BF2EE134119A845B55CEF1E52EDA4FC1EE433B8B06B58309090609794ADC209B
shulkerboxtooltip-fabric-4.0.4+1.20.1.jar Modrinth: F5077ADE6B9510B3BBBD3999D7BE75B6BF44A8252AFB33FC795B47E043F0614A

commented

From the sounds of it, those files are suffering from different issues.

I have bought this up with the modrinth team and hopefully we can figure out what is going on, my guess is that my build system is building a new jar file, sending it to curseforge / maven, and then building a new jar file with the exact same content but in a way that makes the hashes different and sending that jar file to modrinth.

The jar files should be safe from any of those sites, however if you would like some peace of mind in the mean time while I work with modrinth to figure this out, you can always extract the jar files and compare the hash of each individual file to ensure that they are the same