[R-SIG-Mac] SHA-1 Hash for R-3.5.0.pkg Incorrect
peter dalgaard
pdalgd at gmail.com
Thu Apr 26 01:15:34 CEST 2018
For whatever it is worth, I am using shasum -a 256 for the source release announcements.
-pd
> On 25 Apr 2018, at 22:37 , Marc Schwartz <marc_schwartz at me.com> wrote:
>
> Hi Simon,
>
> Thanks for the explanation.
>
> It did not occur to me that SHA-0 was being used, since it was withdrawn as a standard circa early 90's, after significant flaws were identified.
>
> Apple (and others) either have or are moving away from SHA-1 to SHA-2, at least for TLS/PKI security:
>
> https://support.apple.com/en-us/HT207459 <https://support.apple.com/en-us/HT207459>
>
> recognizing the differences between session specific TLS/PKI trust uses and longer term file integrity checking. I know Linus is more "relaxed" regarding SHA-1 and the implications for Git, or at least was last year, albeit indicating a path away from it in time.
>
> I guess the question boils down to, if we are going to provide hashes of the files under the premise that it should offer a high level of comfort to useRs that the file has not been modified/replaced since generation, presuming that the published hash value itself was not altered, I would put forth for further discussion, moving to SHA-2 and away from both MD5 and SHA-1 (certainly moving away from SHA-0), depending upon a more broad assessment of the implications of doing so.
>
> Thanks!
>
> Marc
>
>
>> On Apr 25, 2018, at 2:54 PM, Simon Urbanek <simon.urbanek at R-project.org> wrote:
>>
>> Marc,
>>
>> thanks, the issue is:
>>
>> hagal:R-3.5.0$ openssl sha R-3.5.0-el-capitan-signed.pkg
>> SHA(R-3.5.0-el-capitan-signed.pkg)= 9f5f3365afee54d3fe3148a60c1405955916f076
>>
>> hagal:R-3.5.0$ openssl sha1 R-3.5.0-el-capitan-signed.pkg
>> SHA1(R-3.5.0-el-capitan-signed.pkg)= 6e90d38892bb366630ae30c223a898e8af84dff7
>>
>> so either we change the label to SHA (or SHA-0?) or change the checksum. In the root we actually provide both, even if that may or may not be relevant. For now I did the latter in the index.html.
>>
>> Cheers,
>> Simon
>>
>>
>>
>>
>>
>>> On Apr 25, 2018, at 7:57 AM, Marc Schwartz <marc_schwartz at me.com> wrote:
>>>
>>> Hi All,
>>>
>>> Last month:
>>>
>>> https://stat.ethz.ch/pipermail/r-sig-mac/2018-March/012691.html
>>>
>>> there was a report that the SHA-1 hash of the R-3.4.4.pkg, as listed on CRAN, was not correct, even though the MD5 hash and the digital signature appeared to be correct.
>>>
>>> The same phenomenon is the case with R-3.5.0.pkg.
>>>
>>> The MD5 hash on CRAN is:
>>>
>>> MD5-hash: 414029c9c9f706d3d04baa887ccffbc4
>>>
>>> and I get:
>>>
>>> md5 R-3.5.0.pkg
>>> MD5 (R-3.5.0.pkg) = 414029c9c9f706d3d04baa887ccffbc4
>>>
>>> from the CLI on my Mac.
>>>
>>> However, the SHA-1 hash on CRAN is:
>>>
>>> SHA-hash: 9f5f3365afee54d3fe3148a60c1405955916f076
>>>
>>> and I get:
>>>
>>> shasum R-3.5.0.pkg
>>> 6e90d38892bb366630ae30c223a898e8af84dff7 R-3.5.0.pkg
>>>
>>> from the CLI on my Mac.
>>>
>>> It would seem that there is a lingering issue with the generation of the SHA-1 hash value on CRAN.
>>>
>>> Thanks,
>>>
>>> Marc Schwartz
>>>
>>> _______________________________________________
>>> R-SIG-Mac mailing list
>>> R-SIG-Mac at r-project.org
>>> https://stat.ethz.ch/mailman/listinfo/r-sig-mac
>>
>
>
> [[alternative HTML version deleted]]
>
> _______________________________________________
> R-SIG-Mac mailing list
> R-SIG-Mac at r-project.org
> https://stat.ethz.ch/mailman/listinfo/r-sig-mac
--
Peter Dalgaard, Professor,
Center for Statistics, Copenhagen Business School
Solbjerg Plads 3, 2000 Frederiksberg, Denmark
Phone: (+45)38153501
Office: A 4.23
Email: pd.mes at cbs.dk Priv: PDalgd at gmail.com
More information about the R-SIG-Mac
mailing list