Posted to users@tomcat.apache.org by Bill Munro <bi...@hotmail.com> on 2017/10/23 13:40:07 UTC

Checksum fail for apache-tomcat-8.5.23-windows-x86.zip

Hi,


I downloaded the file from all mirror sites (including backups), but I get a different checksum than the one on the apache site. I am using fsum sha1.  Are the checksums on the site incorrect, or is fsum wrong?



Bill


Re: Checksum fail for apache-tomcat-8.5.23-windows-x86.zip

Posted by Konstantin Kolinko <kn...@gmail.com>.
2017-10-23 16:40 GMT+03:00 Bill Munro <bi...@hotmail.com>:
> Hi,
>
>
> I downloaded the file from all mirror sites (including backups), but I get a different checksum than the one on the apache site. I am using fsum sha1.  Are the checksums on the site incorrect, or is fsum wrong?

Maybe you are comparing with checksum of a different file?  E.g.
windows-x86.zip vs windows-x64.zip vs .zip ?


The correct sha1:
5992ca5bf02a6ae6d901eb22e7d3309061b26e42 *apache-tomcat-8.5.23-windows-x86.zip

sha256:
acca2ce6217da70beb8f6b0d58054f2133276bd7328ff51ca51ae0125c1cf586 *apache-tomcat-8.5.23-windows-x86.zip

The value of sha256 can be used to search VirusTotal:
https://www.virustotal.com/file/acca2ce6217da70beb8f6b0d58054f2133276bd7328ff51ca51ae0125c1cf586/analysis/
First submission 2017-10-02 08:36:18 UTC


Officially, the recommended way to verify a file is to check its PGP signature.
https://www.apache.org/info/verification.html

Verifying the signature, using GPG (using the one included with Git
for Windows):
(omitting some unimportant messages)

$ gpg --keyserver pgpkeys.mit.edu --recv-key 33C60243
gpg: requesting key 33C60243 from hkp server pgpkeys.mit.edu
gpg: key 33C60243: public key "Mark E D Thomas <ma...@apache.org>" imported
gpg: key 33C60243: public key "Mark E D Thomas <ma...@apache.org>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 2
gpg:               imported: 2  (RSA: 1)

$ gpg --fingerprint 33C60243
pub   1024R/33C60243 2014-06-16 [revoked: 2016-08-16]
      Key fingerprint = B65C A985 6C76 39CD 9D17  7D0E 5385 81D4 33C6 0243
uid                  Mark E D Thomas <ma...@apache.org>

pub   1024D/33C60243 2004-09-12
      Key fingerprint = DCFD 35E0 BF8C A734 4752  DE8B 6FB2 1E89 33C6 0243
uid                  Mark E D Thomas <ma...@apache.org>
uid                  Mark E D Thomas <me...@virgin.net>
uid                  Mark E D Thomas <ma...@springsource.com>
sub   2048g/0BECE548 2004-09-12

$ gpg --verify apache-tomcat-8.5.23-windows-x86.zip.asc apache-tomcat-8.5.23-windows-x86.zip
gpg: Signature made 28 сен 2017 г. 13:31:21 RTZ using DSA key ID 33C60243
gpg: Good signature from "Mark E D Thomas <ma...@apache.org>"
gpg:                 aka "Mark E D Thomas <me...@virgin.net>"
gpg:                 aka "Mark E D Thomas <ma...@springsource.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: DCFD 35E0 BF8C A734 4752  DE8B 6FB2 1E89 33C6 0243

The footprint is the same as of this key in
https://www.apache.org/dist/tomcat/tomcat-8/KEYS

For ages I used md5sum.exe and sha1sum.exe from the GNU CoreUtils package
for Windows,
http://gnuwin32.sourceforge.net/
http://gnuwin32.sourceforge.net/packages/coreutils.htm

Nowadays I use the Unix tools bundled with Git for Windows.


Best regards,
Konstantin Kolinko
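
The fingerprint comparison described in the reply above, as an added example that is not part of the original thread: the `--fingerprint` listing shows two different keys under the short ID 33C60243, so this sketch accepts a signature only when the signer's full 40-hex fingerprint equals a pinned value. The function names and the sample status lines are constructed for illustration, and the script assumes the last field of GnuPG's `VALIDSIG` status line is the primary-key fingerprint.

```shell
#!/bin/sh
# Added example (not from the thread): accept a signature only when the
# signer's FULL primary-key fingerprint matches a pinned value.

# Fingerprint of the DSA key as printed in the thread, spaces removed.
EXPECTED_FPR="DCFD35E0BF8CA7344752DE8B6FB21E8933C60243"

# Strip whitespace and upper-case, so "DCFD 35E0 ..." and "dcfd35e0..." compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\r\n' | tr 'a-f' 'A-F'
}

# Read `gpg --status-fd 1 --verify ...` output on stdin and print the last
# field of the first VALIDSIG line (assumed: the primary-key fingerprint).
signer_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }'
}

# check_signer EXPECTED < status-output
# 0 = valid signature from the pinned key, 1 = no or other signer, 2 = bad pin.
check_signer() {
    want=$(normalize_fpr "$1")
    case "$want" in
        *[!0-9A-F]*) echo "pin is not hex" >&2; return 2 ;;
    esac
    if [ "${#want}" -ne 40 ]; then
        echo "pin must be a full 40-hex fingerprint, not a short key ID" >&2
        return 2
    fi
    got=$(normalize_fpr "$(signer_fpr)")
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# Constructed status lines (dates, timestamps and algorithm fields are made up).
# GOOD_STATUS names the DSA key; OTHER_STATUS names the revoked RSA key that
# shares the short ID 33C60243 in the --fingerprint listing.
GOOD_STATUS='[GNUPG:] VALIDSIG DCFD35E0BF8CA7344752DE8B6FB21E8933C60243 2017-09-28 1506594681 0 4 0 17 2 00 DCFD35E0BF8CA7344752DE8B6FB21E8933C60243'
OTHER_STATUS='[GNUPG:] VALIDSIG B65CA9856C7639CD9D177D0E538581D433C60243 2017-09-28 1506594681 0 4 0 1 2 00 B65CA9856C7639CD9D177D0E538581D433C60243'

if printf '%s\n' "$GOOD_STATUS" | check_signer "$EXPECTED_FPR"; then
    echo "signer matches pinned fingerprint"
fi
if ! printf '%s\n' "$OTHER_STATUS" | check_signer "$EXPECTED_FPR"; then
    echo "signer rejected: same short ID, different key"
fi
```

In real use, pipe the output of `gpg --status-fd 1 --verify apache-tomcat-8.5.23-windows-x86.zip.asc apache-tomcat-8.5.23-windows-x86.zip` into `check_signer "$EXPECTED_FPR"`, taking the pinned value from the project's KEYS file.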
