MacOS – I’ve created multiple DMG files from the same folder – checksum is different on each

apfsdisk-utilitydmgmacos

Quite some time ago I've noticed that even if I create DMG files from the same directory, with same files and etc, the results are always different. Not only their size is ~15 bytes shorter/longer from one another, but their SHA checksums (and their contents, when being viewed from the HEX editor) differ drastically. Just out of curiosity, I've created 5 compressed unencrypted DMG files from the same folder containing nothing but a single text file. The results are:

0.dmg | size – 26 204 bytes, checksum – 5ba9ba0ee4d8ec5ba4718f1b491baf31c2c4e642
1.dmg | size – 26 221 bytes, checksum – a86d76f6c07ee5a81c0aefb31b6fd40ef787ebd5
2.dmg | size – 26 235 bytes, checksum – a31f4cf29e4e2858b7ac63c82574499200d81108
3.dmg | size – 26 209 bytes, checksum – f3c19414279b6d6b94b90341453906e4a69e28dd
4.dmg | size – 26 217 bytes, checksum – 9603c0334125762fc7908343e3ee400e038fe779

I've been browsing the internet hoping to find anything about the "data randomizer in APFS", but… obviously couldn't find a single thing, and in addition, not a lot of people actually knew about this "feature". Is there any info about it?

I'm running macOS 10.12.6, the DMG files were created using Disk Utility, but I get the same results with hdiutil.

Best Answer

Copies of an existing dmg will be identical but separately created dmg files will not.

Effectively Guaranteed to Differ

The Apple Disk Image .dmg format effectively guarantees that no two disk images will be bit for bit identical. Equality between disk images containing the same contents is not a practical requirement of the format.

UUID within the `0x6B6F6C79` / `koly` Block

Within the dmg file format is the koly structure. This structure includes a SegmentID of type uuid_t. This is a 128 bit Universally Unique Identifier (UUID). The SegmentID identifier alone will ensure that every dmg file differs by more than one bit.

Using HFSleuth on the iTunes 11.0 disk image shows the embedded UUID:

HFSleuth> ver
Verbose output is on
HFSleuth> fs iTunes11.dmg
KOLY header found at 200363895:
    UDIF version 4, Header Size: 512
    Flags:1
    Rsrc fork: None
    Data fork: from 0, spanning 200307220 bytes
    XML plist: from 200307220, spanning 56675 bytes (to 200363895)
    Segment #: 1, Count: 1
    Segment UUID: 626f726e-7743259b-6086eb93-4b42fb65
    Running Data fork offset 0
    Sectors: 1022244

In the example above, the line Segment UUID: 626f726e-7743259b-6086eb93-4b42fb65 is a universally unique identifier embedded in the disk image.

One Bit Differences and Hash Functions

A difference in one bit should result in a 50% or more change in a cryptographic hash function output, such as SHA-2.

The use of a UUID within the structure is not to ensure every disk image is unique but to ease segment identification within the disk image. That a UUID provides uniqueness properties beyond the scope of the disk image is a by-product of the UUID's use.

My setup

First of all, this is my test setup:

OS X 10.8.2 (sorry, no 10.7.5 around).
FreeNAS (FreeBSD 8.2-RELEASE-p1)

(The OP's version is FreeBSD 8.2-RELEASE-p7 - I couldn't find the same version.)
A NAS filesystem in /mnt/raid:
A user named netboot:
An AFP filesystem (/mnt/raid/netboot) exported as netboot:

(Note that it is configured read-only).
An NFS filesystem (same path as AFP filesystem, to match the OP's configuration: /mnt/raid/netboot):

AFP works, NFS doesn't

I mounted the AFP read-only filesystem as user netboot using the Finder with ⌘K:

enter image description here

and mounted a DMG image file without any problems:

$ sudo rm /private/var/netboot/Library-Shadow
$ sudo /usr/bin/hdiutil attach /Volumes/netboot/p7zip-9.04-0.i386.dmg -notremovable -shadow /private/var/netboot/Library-Shadow -owners on -noverify -noautofsck -nobrowse
Password:
/dev/disk3              Apple_partition_scheme          
/dev/disk3s1            Apple_partition_map             
/dev/disk3s2            Apple_HFS                       /Volumes/p7zip.pkg

Then I unmounted it and mounted the read-only NFS filesystem (I also used ⌘K) and couldn't mount the DMG image file.

I think the problem is logged here:

CBSDBackingStore::setPermission: opening /Volumes/netboot/Lion.nbi/Library.dmg
CBSDBackingStore::OpenLockFriendly: mapping flags 0x00000000 -> 0x00000014 (locks are MANDATORY)
CBSDBackingStore:OpenLockFriendly: could not open with lock 30

Error 30 means (see man 2 intro):

30 EROFS Read-only file system. An attempt was made to modify a file or directory was made on a file system that was read-only at the time.

No surprise here, it is indeed a read-only filesystem, but... when mounted over AFP it works, why?

Because Apple's NFS implementation has some problems with locking. As stated in this post at gluster.org:

OS X does a phenominal amount of file locking (some would say, needlessly so) and has always been really sensitive to the configuration of locking on the NFS servers. So much so that if you randomly pick an NFS server in a large enterprise, true success is pretty unlikely.

In my setup, the NFS server (that is, the FreeNAS VM) was suddenly irresponsive (from my Mac's /var/log/system.log):

Mar 15 15:35:04 avallone.local rpc.lockd[8119]: Lockd got unexpected signal 20
Mar 15 15:35:04 avallone com.apple.launchd[1] (com.apple.lockd[8119]): Exited with code: 1
Mar 15 15:35:04 avallone com.apple.launchd[1] (com.apple.lockd): Throttling respawn: Will start in 10 seconds
(...)
Mar 15 15:35:07 avallone com.apple.launchd[1] (com.apple.statd[8121]): Exited with code: 1
Mar 15 15:35:07 avallone com.apple.launchd[1] (com.apple.statd): Throttling respawn: Will start in 10 seconds
Mar 15 15:35:13 avallone kernel[0]: nfs server 172.16.54.186:/mnt/raid/netboot: lockd not responding
Mar 15 15:35:13 avallone.local KernelEventAgent[72]: tid 00000000 received event(s) VQ_NOTRESP (1)
Mar 15 15:35:13 avallone.local KernelEventAgent[72]: tid 00000000 type 'nfs', mounted on '/Volumes/netboot', from '172.16.54.186:/mnt/raid/netboot', not responding
(...)
Mar 15 15:35:34 avallone.local KernelEventAgent[72]: tid 00000000 unmounting 1 filesystems

The output of sudo /usr/bin/hdiutil attach -debug /Volumes/netboot/p7zip-9.04-0.i386.dmg -notremovable -shadow /private/var/netboot/Library-Shadow -owners on -noverify -noautofsck -nobrowse was:

CBSDBackingStore::setPermission: opening /Volumes/netboot/p7zip-9.04-0.i386.dmg
CBSDBackingStore::OpenLockFriendly: mapping flags 0x00000000 -> 0x00000014 (locks are MANDATORY)
CBSDBackingStore:OpenLockFriendly: could not open with lock 5

Error 5 means (again from man 2 intro):

5 EIO Input/output error. Some physical input or output error occurred. This error will not be reported until a subsequent operation on the same file descriptor and may be lost (over written) by any subsequent errors.

which isn't suprising at all, the NFS filesystem was gone.

Workaround

A workaround (tested on OS X 10.8) is to mount NFS with options nolocks,locallocks. As explained in the post at gluster.org already mentioned:

Fortunately, there is a fix: just turn off network locking. You can do it by adding the "nolocks,locallocks" options in the advanced options field of the Disk Utility NFS mounting UI, but this is painful if you do a lot of them, and doesn't help at all with /net. You can edit /etc/auto_master to add these options to the /net entry, but it doesn't affect other mounts - however I do recommend deleting the hidefromfinder option in auto_master. If you want to fix every automount, edit /etc/autofs.conf and search for the line that starts with AUTOMOUNTD_MNTOPTS=. These options get applied on every mount. Add nolocks,locallocks and your world will be faster and happier after you reboot.

I manually mounted 172.16.54.186:/mnt/raid/netboot and it worked flawlessly:

$ sudo rm /private/var/netboot/Library-Shadow
$ sudo mount -o nolocks,locallocks,ro 172.16.54.186:/mnt/raid/netboot /tmp/mnt
$ sudo /usr/bin/hdiutil attach /tmp/mnt/p7zip-9.04-0.i386.dmg -notremovable -shadow /private/var/netboot/Library-Shadow -owners on -noverify -noautofsck -nobrowse
/dev/disk6              Apple_partition_scheme          
/dev/disk6s1            Apple_partition_map             
/dev/disk6s2            Apple_HFS                       /Volumes/p7zip.pkg

I also edited /etc/auto_master like this:

+auto_master # Use directory service
#/net             -hosts    -nobrowse,hidefromfinder,nosuid
/net              -hosts    -nosuid,nolocks,locallocks
/home             auto_home -nobrowse,hidefromfinder
/Network/Servers  -fstab
/-                -static

stopped and started automountd and autofsd:

$ sudo launchctl unload /System/Library/LaunchDaemons/com.apple.automountd.plist 
$ sudo launchctl unload /System/Library/LaunchDaemons/com.apple.autofsd.plist 
$ sudo launchctl load /System/Library/LaunchDaemons/com.apple.autofsd.plist 
$ sudo launchctl load /System/Library/LaunchDaemons/com.apple.automountd.plist

and worked like a charm:

$ cd /net/172.16.54.186/mnt/raid/netboot
$ ls 
Network Trash Folder  Temporary Items  p7zip-9.04-0.i386.dmg
$ sudo rm /private/var/netboot/Library-Shadow
$ sudo /usr/bin/hdiutil attach p7zip-9.04-0.i386.dmg -notremovable -shadow /private/var/netboot/Library-Shadow -owners on -noverify -noautofsck -nobrowse
/dev/disk7              Apple_partition_scheme          
/dev/disk7s1            Apple_partition_map             
/dev/disk7s2            Apple_HFS                       /Volumes/p7zip.pkg

Best Answer

Effectively Guaranteed to Differ

UUID within the 0x6B6F6C79 / koly Block

One Bit Differences and Hash Functions

Related Solutions

MacOS – What are the afconvert settings for the iTunes Plus AAC encoding setting

MacOS – Why can’t I open DMG files which reside on a read-only NFS filesystem

My setup

AFP works, NFS doesn't

Workaround

Related Question

UUID within the `0x6B6F6C79` / `koly` Block