Use SHA-256 checksums instead of MD5 for checking file integrity#4909
Merged
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
This PR modernizes LAMMPS’ download/integrity verification by replacing MD5-based archive checks with SHA-256 across CMake build logic, related tooling, and associated documentation.
Changes:
- Replace MD5 checksum variables/usages with SHA-256 in CMake modules and tool/package download logic (
URL_HASH,EXPECTED_HASH, and localfile(SHA256 ...)checks). - Update external potential fetching to verify SHA-256 sums and update at least one package
potentials.txtentry accordingly. - Update build documentation to reference the new SHA-256 cache variables.
Reviewed changes
Copilot reviewed 26 out of 26 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| unittest/force-styles/CMakeLists.txt | Switch libyaml integrity check from MD5 to SHA-256 for unit-test dependencies. |
| unittest/CMakeLists.txt | Switch googletest integrity check from MD5 to SHA-256. |
| tools/phonon/CMakeLists.txt | Switch spglib download verification to SHA-256. |
| tools/lammps-gui/CMakeLists.txt | Switch WHAM download verification to SHA-256. |
| src/MESONT/potentials.txt | Update potentials checksum metadata from MD5 to SHA-256. |
| src/Fetch.sh | Use sha256sum for potential file integrity verification. |
| examples/plugins/LAMMPSInterfaceCXX.cmake | Switch MS-MPI archive verification to SHA-256 for Windows cross compilation example. |
| doc/src/Build_extras.rst | Update MBX/ML-PACE docs to reference SHA-256 cache variable names. |
| cmake/Modules/Tools.cmake | Switch WHAM download verification to SHA-256 in CMake tooling. |
| cmake/Modules/Packages/VORONOI.cmake | Switch Voro++ download verification to SHA-256. |
| cmake/Modules/Packages/SCAFACOS.cmake | Switch ScaFaCoS download verification to SHA-256. |
| cmake/Modules/Packages/PLUMED.cmake | Switch PLUMED download verification to SHA-256 (both code paths). |
| cmake/Modules/Packages/ML-PACE.cmake | Switch PACE library tarball verification and fallback download hash to SHA-256. |
| cmake/Modules/Packages/ML-HDNNP.cmake | Switch n2p2 download verification to SHA-256. |
| cmake/Modules/Packages/MDI.cmake | Switch MDI download verification to SHA-256. |
| cmake/Modules/Packages/MBX.cmake | Switch MBX tarball verification to SHA-256. |
| cmake/Modules/Packages/MACHDYN.cmake | Switch Eigen3 tarball verification to SHA-256. |
| cmake/Modules/Packages/KOKKOS.cmake | Switch Kokkos tarball verification to SHA-256. |
| cmake/Modules/Packages/KIM.cmake | Switch KIM-API tarball verification to SHA-256. |
| cmake/Modules/Packages/GPU.cmake | Switch CUB tarball verification to SHA-256. |
| cmake/Modules/OpenCLLoader.cmake | Switch OpenCL loader tarball verification to SHA-256 for ExternalCMakeProject(). |
| cmake/Modules/MPI4WIN.cmake | Switch MS-MPI tarball verification to SHA-256. |
| cmake/Modules/LAMMPSUtils.cmake | Switch potential file checksum verification and download EXPECTED_HASH to SHA-256. |
| cmake/Modules/LAMMPSInterfacePlugin.cmake | Switch MS-MPI tarball verification to SHA-256 for plugin builds. |
| cmake/Modules/ExternalCMakeProject.cmake | Switch ExternalCMakeProject() cache download verification and fallback EXPECTED_HASH to SHA-256. |
| cmake/Modules/Documentation.cmake | Switch MathJax tarball verification to SHA-256. |
Comments suppressed due to low confidence (1)
cmake/Modules/Documentation.cmake:87
- In the MathJax download fallback path, the archive name/path is inconsistent: on failure it downloads to
${CMAKE_BINARY_DIR}/libpace.tar.gz, and the "Using already downloaded archive" message also referenceslibpace.tar.gz, while the primary download usesmathjax.tar.gz. This will either place the fallback tarball in the wrong filename or print misleading status; usemathjax.tar.gzconsistently for both fallback download and status messaging.
message(WARNING "Download from primary URL ${MATHJAX_URL} failed\nTrying fallback URL ${MATHJAX_FALLBACK}")
file(DOWNLOAD ${MATHJAX_FALLBACK} ${CMAKE_BINARY_DIR}/libpace.tar.gz EXPECTED_HASH SHA256=${MATHJAX_SHA256} SHOW_PROGRESS)
endif()
else()
message(STATUS "Using already downloaded archive ${CMAKE_BINARY_DIR}/libpace.tar.gz")
endif()
You can also share your feedback on Copilot code review. Take the survey.
akohlmey
marked this pull request as ready for review
March 10, 2026 16:09
rbberger
approved these changes
Mar 10, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This replaces all MD5 checksums with SHA-256 checksums.
MD5 has been shown to be unreliable and our required minimum CMake version supports checking against SHA-256 checksums.
Related Issue(s)
See comment by GitHub Copilot on PR #4908
Author(s)
Axel Kohlmeyer, Temple U
Licensing
By submitting this pull request, I agree, that my contribution will be included in LAMMPS and redistributed under either the GNU General Public License version 2 (GPL v2) or the GNU Lesser General Public License version 2.1 (LGPL v2.1).
Artificial Intelligence (AI) Tools Usage
By submitting this pull request, I confirm that I did NOT use any AI tools to generate
all or parts of the code and modifications in this pull request.
Backward Compatibility
N/A
Implementation Notes
Since the traditional make build no longer supports packages that need to download libraries, we only need to check for compatibility with the CMake build system.
Post Submission Checklist