You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by Bill Munro <bi...@hotmail.com> on 2017/10/23 13:40:07 UTC
Checksum fail for apache-tomcat-8.5.23-windows-x86.zip
Hi,
I downloaded the file from all mirror sites (including backups), but I get a different checksum than the one on the apache site. I am using fsum sha1. Are the checksums on the site incorrect, or is fsum wrong?
Bill
Re: Checksum fail for apache-tomcat-8.5.23-windows-x86.zip
Posted by Konstantin Kolinko <kn...@gmail.com>.
2017-10-23 16:40 GMT+03:00 Bill Munro <bi...@hotmail.com>:
> Hi,
>
>
> I downloaded the file from all mirror sites (including backups), but I get a different checksum than the one on the apache site. I am using fsum sha1. Are the checksums on the site incorrect, or is fsum wrong?
Maybe you are comparing with checksum of a different file? E.g.
windows-x86.zip vs windows-x64.zip vs .zip ?
The correct sha1:
5992ca5bf02a6ae6d901eb22e7d3309061b26e42 *apache-tomcat-8.5.23-windows-x86.zip
sha256:
acca2ce6217da70beb8f6b0d58054f2133276bd7328ff51ca51ae0125c1cf586
*apache-tomcat-8.5.23-windows-x86.zip
The value of sha256 can be used to search VirusTotal:
https://www.virustotal.com/file/acca2ce6217da70beb8f6b0d58054f2133276bd7328ff51ca51ae0125c1cf586/analysis/
First submission 2017-10-02 08:36:18 UTC
Officially, the recommended way to verify a file is to check its PGP signature.
https://www.apache.org/info/verification.html
Verifying the signature, using GPG (using the one included with Git
for Windows):
(omitting some unimportant messages)
$ gpg --keyserver pgpkeys.mit.edu --recv-key 33C60243
gpg: requesting key 33C60243 from hkp server pgpkeys.mit.edu
gpg: key 33C60243: public key "Mark E D Thomas <ma...@apache.org>" imported
gpg: key 33C60243: public key "Mark E D Thomas <ma...@apache.org>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 2
gpg: imported: 2 (RSA: 1)
$ gpg --fingerprint 33C60243
pub 1024R/33C60243 2014-06-16 [revoked: 2016-08-16]
Key fingerprint = B65C A985 6C76 39CD 9D17 7D0E 5385 81D4 33C6 0243
uid Mark E D Thomas <ma...@apache.org>
pub 1024D/33C60243 2004-09-12
Key fingerprint = DCFD 35E0 BF8C A734 4752 DE8B 6FB2 1E89 33C6 0243
uid Mark E D Thomas <ma...@apache.org>
uid Mark E D Thomas <me...@virgin.net>
uid Mark E D Thomas <ma...@springsource.com>
sub 2048g/0BECE548 2004-09-12
$ gpg --verify apache-tomcat-8.5.23-windows-x86.zip.asc
apache-tomcat-8.5.23-windows-x86.zip
gpg: Signature made 28 сен 2017 г. 13:31:21 RTZ using DSA key ID 33C60243
gpg: Good signature from "Mark E D Thomas <ma...@apache.org>"
gpg: aka "Mark E D Thomas <me...@virgin.net>"
gpg: aka "Mark E D Thomas <ma...@springsource.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: DCFD 35E0 BF8C A734 4752 DE8B 6FB2 1E89 33C6 0243
The footprint is the same as of this key in
https://www.apache.org/dist/tomcat/tomcat-8/KEYS
For ages I used md5sum.exe and sha1sum.exe from GNU CoreUtils package
for Windows,
http://gnuwin32.sourceforge.net/
http://gnuwin32.sourceforge.net/packages/coreutils.htm
Nowadays I use the unix tools bundles with Git for Windows.
Best regards,
Konstantin Kolinko
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org