Hi Piotr,

Thanks for the quick response. And yes, everything is OK on your side.
I did indeed somehow manage to download the HTML file as the zip archive. That explains why the checksum was wrong. How embarrassing :-(

With kind regards
Piers

> On 01.03.2024 at 13:55, Piotr P. Karwasz <piotr.karw...@gmail.com> wrote:
>
> Hi Piers,
>
> On Fri, 1 Mar 2024 at 13:33, Piers Uso Walter <piers.wal...@ilink.de> wrote:
>> I downloaded log4j 2.23.0 from
>> https://logging.apache.org/log4j/2.x/download.html
>> Specifically I downloaded
>> https://www.apache.org/dyn/closer.lua/logging/log4j/2.23.0/apache-log4j-2.23.0-bin.zip
>>
>> The checksum file
>> https://www.apache.org/dist/logging/log4j/2.23.0/apache-log4j-2.23.0-bin.zip.sha512
>> contains a different checksum from what I get when I run shasum on the
>> downloaded zip file:
>>
>>> shasum -a 512 apache-log4j-2.23.0-bin.zip
>> 204d5b860a4169232e7ac7b41648a4167a8d11afc76e3457dd463bf28c3c0ca4d10c07e0970bc30a4d061c3e5dc869b1ac367a563eacd592d7bfff192e15852d
>> apache-log4j-2.23.0-bin.zip
>>> cat apache-log4j-2.23.0-bin.zip.sha512
>>> 4668362f8c339b48e0a82bce4031d981e930fa4317fca8c94ad51528f6f8680563e6bde04372fcfbb40c31b646a8309ccd2fc3d1eff68cccfd328e96472e6f31
>>> apache-log4j-2.23.0-bin.zip
>>
>> The signature of the zip file checks out OK, but I’m hesitant to use the zip
>> file due to the checksum error.
>
> I can confirm that the checksum in the `*.sha512` file is the correct one.
>
> Remark that
> `https://www.apache.org/dyn/closer.lua/logging/log4j/2.23.0/apache-log4j-2.23.0-bin.zip`
> points to an HTML file that selects the Apache mirror closest to you.
> Maybe that is what you downloaded?
> Any chance you remember which mirror you used?
>
> Anyway, try using
> `https://dlcdn.apache.org/logging/log4j/2.23.0/apache-log4j-2.23.0-bin.zip`
> and see if the problem repeats itself.
>
> PS: Each release is also PGP signed with one of the keys from
> https://www.apache.org/dist/logging/KEYS, usually the one associated
> to priv...@logging.apache.org.
> You should consider verifying the PGP
> signature instead of the checksum.
>
> Piotr
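
The failure mode in this thread (an HTML mirror-selection page saved under the `.zip` name) can be told apart from a genuinely altered archive before anyone spends time on the mismatch. The following is an added example, not part of the original messages and not Apache tooling; the function names and the sample files are constructed for illustration.

```python
import hashlib, io, os, tempfile, zipfile

def sha512_of(path):
    """Stream the file so large archives are not loaded into memory at once."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def expected_digest(sha512_text):
    """Accept '<hex>' or '<hex>  <filename>' as found in a .sha512 file."""
    tokens = sha512_text.split()
    token = tokens[0].lower() if tokens else ""
    if len(token) != 128 or set(token) - set("0123456789abcdef"):
        raise ValueError("no SHA-512 hex digest found")
    return token

def check_download(path, sha512_text):
    """Return 'ok', 'html-page', 'not-a-zip' or 'mismatch'."""
    if sha512_of(path) == expected_digest(sha512_text):
        return "ok"
    with open(path, "rb") as f:
        head = f.read(512)
    if head.lstrip().lower().startswith((b"<!doctype html", b"<html")):
        return "html-page"   # a web page was saved instead of the archive
    if not head.startswith(b"PK"):
        return "not-a-zip"   # ZIP files begin with the bytes 'PK'
    return "mismatch"        # a real zip with the wrong bytes: do not use it

def demo():
    # Constructed sample data: a tiny zip, an HTML page, and a modified zip.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("README.txt", "constructed sample archive")
    good = buf.getvalue()
    published = hashlib.sha512(good).hexdigest() + "  sample-bin.zip\n"
    html = b"<!DOCTYPE html>\n<html><body>Select a mirror</body></html>\n"
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, content in (("good", good), ("html", html), ("tampered", good + b"x")):
            p = os.path.join(d, name + ".zip")
            with open(p, "wb") as f:
                f.write(content)
            results[name] = check_download(p, published)
    return results

if __name__ == "__main__":
    print(demo())
```

A matching checksum only shows the bytes agree with the `.sha512` file; checking the PGP signature against the project's KEYS file, as the reply recommends, is a separate step this example does not perform.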