Hi Piers,

On Fri, 1 Mar 2024 at 13:33, Piers Uso Walter <piers.wal...@ilink.de> wrote:
> I downloaded log4j 2.23.0 from 
> https://logging.apache.org/log4j/2.x/download.html
> Specifically I downloaded 
> https://www.apache.org/dyn/closer.lua/logging/log4j/2.23.0/apache-log4j-2.23.0-bin.zip
>
> The checksum file 
> https://www.apache.org/dist/logging/log4j/2.23.0/apache-log4j-2.23.0-bin.zip.sha512
>  contains a different checksum from what I get when I run shasum on the 
> downloaded zip file:
>
> > shasum -a 512 apache-log4j-2.23.0-bin.zip
> 204d5b860a4169232e7ac7b41648a4167a8d11afc76e3457dd463bf28c3c0ca4d10c07e0970bc30a4d061c3e5dc869b1ac367a563eacd592d7bfff192e15852d
>   apache-log4j-2.23.0-bin.zip
> > cat apache-log4j-2.23.0-bin.zip.sha512  
> > 4668362f8c339b48e0a82bce4031d981e930fa4317fca8c94ad51528f6f8680563e6bde04372fcfbb40c31b646a8309ccd2fc3d1eff68cccfd328e96472e6f31
> >   apache-log4j-2.23.0-bin.zip
>
> The signature of the zip file checks out OK, but I’m hesitant to use the zip 
> file due to the checksum error.

I can confirm that the checksum in the `*.sha512` file is the correct one.

Note that
`https://www.apache.org/dyn/closer.lua/logging/log4j/2.23.0/apache-log4j-2.23.0-bin.zip`
points to an HTML file that selects the Apache mirror closest to you.
Maybe that is what you downloaded?
Any chance you remember which mirror you used?

Anyway, try using
`https://dlcdn.apache.org/logging/log4j/2.23.0/apache-log4j-2.23.0-bin.zip`
and see if the problem repeats itself.

PS: Each release is also PGP signed with one of the keys from
https://www.apache.org/dist/logging/KEYS, usually the one associated
with priv...@logging.apache.org. You should consider verifying the PGP
signature instead of the checksum.

Piotr
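
A check for the situation discussed in this message, as an added example that is not part of the original e-mail: it tells a saved HTML mirror-selection page apart from a real zip archive before comparing SHA-512 values. The function names and return codes are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify a download before trusting a checksum mismatch.
# Return codes (chosen for this example): 0 = match, 1 = mismatch, 2 = not a zip.

sha512_of() {
    # Use whichever tool is installed; both print "<hex>  <name>".
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | awk '{print $1}'
    else
        shasum -a 512 "$1" | awk '{print $1}'
    fi
}

magic_of() {
    # First four bytes as lowercase hex, e.g. 504b0304 for a zip local file header.
    head -c 4 "$1" | od -An -tx1 | tr -d ' \n'
}

verify_download() {
    file=$1
    sumfile=$2
    # A non-empty zip archive starts with "PK\003\004"; an HTML page does not.
    if [ "$(magic_of "$file")" != "504b0304" ]; then
        echo "not a zip archive (saved HTML page?): $file" >&2
        return 2
    fi
    # The .sha512 file holds "<hex>  <name>"; take the first field of the first
    # non-empty line and normalise case before comparing.
    expected=$(awk 'NF {print tolower($1); exit}' "$sumfile")
    actual=$(sha512_of "$file")
    if [ "$expected" = "$actual" ]; then
        return 0
    fi
    echo "SHA-512 mismatch for $file" >&2
    return 1
}
```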
