Skip to content

Use SHA-256 checksums instead of MD5 for checking file integrity#4909

Merged
akohlmey merged 5 commits into
lammps:developfrom
akohlmey:replace-md5-with-sha256
Mar 10, 2026
Merged

Use SHA-256 checksums instead of MD5 for checking file integrity#4909
akohlmey merged 5 commits into
lammps:developfrom
akohlmey:replace-md5-with-sha256

Conversation

@akohlmey

@akohlmey akohlmey commented Mar 10, 2026

Copy link
Copy Markdown
Member

Summary

This replaces all MD5 checksums with SHA-256 checksums.
MD5 has been shown to be unreliable and our required minimum CMake version supports checking against SHA-256 checksums.

Related Issue(s)

See comment by GitHub Copilot on PR #4908

Author(s)

Axel Kohlmeyer, Temple U

Licensing

By submitting this pull request, I agree, that my contribution will be included in LAMMPS and redistributed under either the GNU General Public License version 2 (GPL v2) or the GNU Lesser General Public License version 2.1 (LGPL v2.1).

Artificial Intelligence (AI) Tools Usage

By submitting this pull request, I confirm that I did NOT use any AI tools to generate
all or parts of the code and modifications in this pull request.

Backward Compatibility

N/A

Implementation Notes

Since the traditional make build no longer supports packages that need to download libraries, we only need to check for compatibility with the CMake build system.

Post Submission Checklist

  • The feature or features in this pull request is complete
  • Licensing information is complete
  • Corresponding author information is complete
  • The source code follows the LAMMPS formatting guidelines
  • Suitable new documentation files and/or updates to the existing docs are included
  • The added/updated documentation is integrated and tested with the documentation build system
  • The feature has been verified to work with the conventional build system
  • The feature has been verified to work with the CMake based build system

@akohlmey akohlmey self-assigned this Mar 10, 2026
@akohlmey
akohlmey requested a review from Copilot March 10, 2026 11:14
@akohlmey akohlmey added the cmake label Mar 10, 2026
@akohlmey akohlmey moved this to Ready for Review or Merge in LAMMPS Pull Requests Mar 10, 2026
@akohlmey akohlmey changed the title se SHA-256 checksums instead of MD5 for checking file integrity Use SHA-256 checksums instead of MD5 for checking file integrity Mar 10, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR modernizes LAMMPS’ download/integrity verification by replacing MD5-based archive checks with SHA-256 across CMake build logic, related tooling, and associated documentation.

Changes:

  • Replace MD5 checksum variables/usages with SHA-256 in CMake modules and tool/package download logic (URL_HASH, EXPECTED_HASH, and local file(SHA256 ...) checks).
  • Update external potential fetching to verify SHA-256 sums and update at least one package potentials.txt entry accordingly.
  • Update build documentation to reference the new SHA-256 cache variables.

Reviewed changes

Copilot reviewed 26 out of 26 changed files in this pull request and generated 3 comments.

Show a summary per file
File Description
unittest/force-styles/CMakeLists.txt Switch libyaml integrity check from MD5 to SHA-256 for unit-test dependencies.
unittest/CMakeLists.txt Switch googletest integrity check from MD5 to SHA-256.
tools/phonon/CMakeLists.txt Switch spglib download verification to SHA-256.
tools/lammps-gui/CMakeLists.txt Switch WHAM download verification to SHA-256.
src/MESONT/potentials.txt Update potentials checksum metadata from MD5 to SHA-256.
src/Fetch.sh Use sha256sum for potential file integrity verification.
examples/plugins/LAMMPSInterfaceCXX.cmake Switch MS-MPI archive verification to SHA-256 for Windows cross compilation example.
doc/src/Build_extras.rst Update MBX/ML-PACE docs to reference SHA-256 cache variable names.
cmake/Modules/Tools.cmake Switch WHAM download verification to SHA-256 in CMake tooling.
cmake/Modules/Packages/VORONOI.cmake Switch Voro++ download verification to SHA-256.
cmake/Modules/Packages/SCAFACOS.cmake Switch ScaFaCoS download verification to SHA-256.
cmake/Modules/Packages/PLUMED.cmake Switch PLUMED download verification to SHA-256 (both code paths).
cmake/Modules/Packages/ML-PACE.cmake Switch PACE library tarball verification and fallback download hash to SHA-256.
cmake/Modules/Packages/ML-HDNNP.cmake Switch n2p2 download verification to SHA-256.
cmake/Modules/Packages/MDI.cmake Switch MDI download verification to SHA-256.
cmake/Modules/Packages/MBX.cmake Switch MBX tarball verification to SHA-256.
cmake/Modules/Packages/MACHDYN.cmake Switch Eigen3 tarball verification to SHA-256.
cmake/Modules/Packages/KOKKOS.cmake Switch Kokkos tarball verification to SHA-256.
cmake/Modules/Packages/KIM.cmake Switch KIM-API tarball verification to SHA-256.
cmake/Modules/Packages/GPU.cmake Switch CUB tarball verification to SHA-256.
cmake/Modules/OpenCLLoader.cmake Switch OpenCL loader tarball verification to SHA-256 for ExternalCMakeProject().
cmake/Modules/MPI4WIN.cmake Switch MS-MPI tarball verification to SHA-256.
cmake/Modules/LAMMPSUtils.cmake Switch potential file checksum verification and download EXPECTED_HASH to SHA-256.
cmake/Modules/LAMMPSInterfacePlugin.cmake Switch MS-MPI tarball verification to SHA-256 for plugin builds.
cmake/Modules/ExternalCMakeProject.cmake Switch ExternalCMakeProject() cache download verification and fallback EXPECTED_HASH to SHA-256.
cmake/Modules/Documentation.cmake Switch MathJax tarball verification to SHA-256.
Comments suppressed due to low confidence (1)

cmake/Modules/Documentation.cmake:87

  • In the MathJax download fallback path, the archive name/path is inconsistent: on failure it downloads to ${CMAKE_BINARY_DIR}/libpace.tar.gz, and the "Using already downloaded archive" message also references libpace.tar.gz, while the primary download uses mathjax.tar.gz. This will either place the fallback tarball in the wrong filename or print misleading status; use mathjax.tar.gz consistently for both fallback download and status messaging.
        message(WARNING "Download from primary URL ${MATHJAX_URL} failed\nTrying fallback URL ${MATHJAX_FALLBACK}")
        file(DOWNLOAD ${MATHJAX_FALLBACK} ${CMAKE_BINARY_DIR}/libpace.tar.gz EXPECTED_HASH SHA256=${MATHJAX_SHA256} SHOW_PROGRESS)
      endif()
    else()
      message(STATUS "Using already downloaded archive ${CMAKE_BINARY_DIR}/libpace.tar.gz")
    endif()

You can also share your feedback on Copilot code review. Take the survey.

Comment thread doc/src/Build_extras.rst Outdated
Comment thread cmake/Modules/ExternalCMakeProject.cmake
Comment thread doc/src/Build_extras.rst Outdated
@akohlmey
akohlmey marked this pull request as ready for review March 10, 2026 16:09
@akohlmey
akohlmey merged commit 50ce71e into lammps:develop Mar 10, 2026
14 checks passed
@github-project-automation github-project-automation Bot moved this from Ready for Review or Merge to Done in LAMMPS Pull Requests Mar 10, 2026
@akohlmey
akohlmey deleted the replace-md5-with-sha256 branch March 10, 2026 18:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

Development

Successfully merging this pull request may close these issues.

3 participants