Checksum of release 2.23.0 does not seem to be correct
Hi,

I downloaded log4j 2.23.0 from
https://logging.apache.org/log4j/2.x/download.html
Specifically I downloaded
https://www.apache.org/dyn/closer.lua/logging/log4j/2.23.0/apache-log4j-2.23.0-bin.zip

The checksum file
https://www.apache.org/dist/logging/log4j/2.23.0/apache-log4j-2.23.0-bin.zip.sha512
contains a different checksum from what I get when I run shasum on the downloaded zip file:

> shasum -a 512 apache-log4j-2.23.0-bin.zip
204d5b860a4169232e7ac7b41648a4167a8d11afc76e3457dd463bf28c3c0ca4d10c07e0970bc30a4d061c3e5dc869b1ac367a563eacd592d7bfff192e15852d apache-log4j-2.23.0-bin.zip
> cat apache-log4j-2.23.0-bin.zip.sha512
> 4668362f8c339b48e0a82bce4031d981e930fa4317fca8c94ad51528f6f8680563e6bde04372fcfbb40c31b646a8309ccd2fc3d1eff68cccfd328e96472e6f31
> apache-log4j-2.23.0-bin.zip

The signature of the zip file checks out OK, but I’m hesitant to use the zip file due to the checksum error.

Piers

--
Piers Uso Walter
ilink Kommunikationssysteme GmbH
Re: Checksum of release 2.23.0 does not seem to be correct
Hi Piers,

On Fri, 1 Mar 2024 at 13:33, Piers Uso Walter wrote:
> I downloaded log4j 2.23.0 from
> https://logging.apache.org/log4j/2.x/download.html
> Specifically I downloaded
> https://www.apache.org/dyn/closer.lua/logging/log4j/2.23.0/apache-log4j-2.23.0-bin.zip
>
> The checksum file
> https://www.apache.org/dist/logging/log4j/2.23.0/apache-log4j-2.23.0-bin.zip.sha512
> contains a different checksum from what I get when I run shasum on the
> downloaded zip file:
>
> > shasum -a 512 apache-log4j-2.23.0-bin.zip
> 204d5b860a4169232e7ac7b41648a4167a8d11afc76e3457dd463bf28c3c0ca4d10c07e0970bc30a4d061c3e5dc869b1ac367a563eacd592d7bfff192e15852d
> apache-log4j-2.23.0-bin.zip
> > cat apache-log4j-2.23.0-bin.zip.sha512
> > 4668362f8c339b48e0a82bce4031d981e930fa4317fca8c94ad51528f6f8680563e6bde04372fcfbb40c31b646a8309ccd2fc3d1eff68cccfd328e96472e6f31
> > apache-log4j-2.23.0-bin.zip
>
> The signature of the zip file checks out OK, but I’m hesitant to use the zip
> file due to the checksum error.

I can confirm that the checksum in the `*.sha512` file is the correct one.

Remark that
`https://www.apache.org/dyn/closer.lua/logging/log4j/2.23.0/apache-log4j-2.23.0-bin.zip`
points to an HTML file that selects the Apache mirror closest to you.
Maybe that is what you downloaded?
Any chance you remember which mirror did you use?

Anyway, try using
`https://dlcdn.apache.org/logging/log4j/2.23.0/apache-log4j-2.23.0-bin.zip`
and see if the problem repeats itself.

PS: Each release is also PGP signed with one of the keys from
https://www.apache.org/dist/logging/KEYS, usually the one associated
to priv...@logging.apache.org. You should consider verifying the PGP
signature instead of the checksum.

Piotr
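The failure mode discussed in this thread, as an added example that is not part of the original messages: a shell check that reports an HTML page saved under a .zip name separately from a genuine SHA-512 mismatch. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): tell "HTML page saved as .zip" apart
# from a real SHA-512 mismatch. Function names and sample files are constructed.

# Print a file's SHA-512 as hex, using whichever tool is installed.
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | awk '{print $1}'
    else
        shasum -a 512 "$1" | awk '{print $1}'
    fi
}

# check_download FILE SHA512_FILE
# Prints ok, not-a-zip or mismatch; exit status is 0 only for ok.
check_download() {
    file=$1
    sumfile=$2
    # A zip with at least one entry starts with the bytes "PK\003\004";
    # a mirror-selection HTML page does not.
    magic=$(head -c 4 "$file" | od -An -tx1 | tr -d ' \n')
    if [ "$magic" != "504b0304" ]; then
        echo "not-a-zip"
        return 2
    fi
    # The .sha512 file may hold "HASH NAME" on one line or wrapped over
    # several; take the first 128-hex-digit token.
    expected=$(tr -s ' \t\n' '\n' < "$sumfile" |
        grep -E -i '^[0-9a-f]{128}$' | head -n 1 | tr 'A-F' 'a-f')
    actual=$(sha512_of "$file")
    if [ -n "$expected" ] && [ "$expected" = "$actual" ]; then
        echo "ok"
        return 0
    fi
    echo "mismatch"
    return 1
}

# Constructed sample data: a stand-in archive, its checksum file (hash and
# name on separate lines), and an HTML page saved under a .zip name.
demo=$(mktemp -d)
printf 'PK\003\004constructed archive bytes' > "$demo/good.zip"
printf '%s\ngood.zip\n' "$(sha512_of "$demo/good.zip")" > "$demo/good.zip.sha512"
printf '<!DOCTYPE html><html><body>mirror list</body></html>' > "$demo/page.zip"
check_download "$demo/good.zip" "$demo/good.zip.sha512" || true
check_download "$demo/page.zip" "$demo/good.zip.sha512" || true
```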
Re: Checksum of release 2.23.0 does not seem to be correct
Hi Piotr,

Thanks for the quick response.
And yes, everything is OK on your side.

I did indeed somehow manage to download the HTML file as the zip archive.
That explains why the checksum was wrong.

How embarrassing:-(

With kind regards
Piers

> On 01.03.2024 at 13:55, Piotr P. Karwasz wrote:
>
> Hi Piers,
>
> On Fri, 1 Mar 2024 at 13:33, Piers Uso Walter wrote:
>> I downloaded log4j 2.23.0 from
>> https://logging.apache.org/log4j/2.x/download.html
>> Specifically I downloaded
>> https://www.apache.org/dyn/closer.lua/logging/log4j/2.23.0/apache-log4j-2.23.0-bin.zip
>>
>> The checksum file
>> https://www.apache.org/dist/logging/log4j/2.23.0/apache-log4j-2.23.0-bin.zip.sha512
>> contains a different checksum from what I get when I run shasum on the
>> downloaded zip file:
>>
>>> shasum -a 512 apache-log4j-2.23.0-bin.zip
>> 204d5b860a4169232e7ac7b41648a4167a8d11afc76e3457dd463bf28c3c0ca4d10c07e0970bc30a4d061c3e5dc869b1ac367a563eacd592d7bfff192e15852d
>> apache-log4j-2.23.0-bin.zip
>>> cat apache-log4j-2.23.0-bin.zip.sha512
>>> 4668362f8c339b48e0a82bce4031d981e930fa4317fca8c94ad51528f6f8680563e6bde04372fcfbb40c31b646a8309ccd2fc3d1eff68cccfd328e96472e6f31
>>> apache-log4j-2.23.0-bin.zip
>>
>> The signature of the zip file checks out OK, but I’m hesitant to use the zip
>> file due to the checksum error.
>
> I can confirm that the checksum in the `*.sha512` file is the correct one.
>
> Remark that
> `https://www.apache.org/dyn/closer.lua/logging/log4j/2.23.0/apache-log4j-2.23.0-bin.zip`
> points to an HTML file that selects the Apache mirror closest to you.
> Maybe that is what you downloaded?
> Any chance you remember which mirror did you use?
>
> Anyway, try using
> `https://dlcdn.apache.org/logging/log4j/2.23.0/apache-log4j-2.23.0-bin.zip`
> and see if the problem repeats itself.
>
> PS: Each release is also PGP signed with one of the keys from
> https://www.apache.org/dist/logging/KEYS, usually the one associated
> to priv...@logging.apache.org. You should consider verifying the PGP
> signature instead of the checksum.
>
> Piotr
Re: Checksum of release 2.23.0 does not seem to be correct
Hi Piers,

On Fri, 1 Mar 2024 at 14:14, Piers Uso Walter wrote:
> Thanks for the quick response.
> And yes, everything is OK on your side.
>
> I did indeed somehow manage to download the HTML file as the zip archive.
> That explains why the checksum was wrong.
>
> How embarrassing:-(

I did the exact same thing, that is why I remarked it in the answer.

Maybe we should replace the links on the web page? There are actually
people (like me and probably you) that don't download everything
through the browser.
What do you think?

Piotr
Re: Checksum of release 2.23.0 does not seem to be correct
> On Mar 1, 2024, at 6:55 AM, Piotr P. Karwasz wrote:
>
> Hi Piers,
>
> On Fri, 1 Mar 2024 at 14:14, Piers Uso Walter wrote:
>> Thanks for the quick response.
>> And yes, everything is OK on your side.
>>
>> I did indeed somehow manage to download the HTML file as the zip archive.
>> That explains why the checksum was wrong.
>>
>> How embarrassing:-(
>
> I did the exact same thing, that is why I remarked it in the answer.
>
> Maybe we should replace the links on the web page? There are actually
> people (like me and probably you) that don't download everything
> through the browser.
> What do you think?

Replace them with what? We are required to use the chooser app so that the user downloads from an archive, not the main ASF repo.

Ralph
Re: Checksum of release 2.23.0 does not seem to be correct
Hi Ralph,

On Fri, 1 Mar 2024 at 15:33, Ralph Goers wrote:
> > Maybe we should replace the links on the web page? There are actually
> > people (like me and probably you) that don't download everything
> > through the browser.
> > What do you think?
>
> Replace them with what? We are required to use the chooser app so that the
> user downloads from an archive, not the main ASF repo.

Isn't everything distributed through the CDN? I always get:

https://dlcdn.apache.org/

from the script.

Piotr