[R-SIG-Mac] Incorrect SHA-1 hash for R-3.4.4.pkg on CRAN

Martin Maechler maechler at stat.math.ethz.ch
Mon Mar 26 17:24:13 CEST 2018

>>>>> Joshua Saxby <........>
>>>>>     on Mon, 26 Mar 2018 15:18:25 +0100 writes:

    > Dear Sir/Madam,
    > While downloading the latest version of /R for Mac OS X/, I noticed that
    > the SHA-1 checksum for the file as advertised on the page at
    > http://cran.us.r-project.org/bin/macosx/ appears to be incorrect. I am
    > quite certain that the checksum as displayed on the page is incorrect,
    > because the MD5 hash on the page matches that which I can reproduce
    > locally, and the Apple Developer certificates also validate successfully
    > when pkgutil --check-signature R-3.4.4.pkg is run.

    > To clarify, the SHA-hash (I assume it is SHA-1, no other SHA hash
    > matches this length) as displayed on your page is:
    > 566f8c7a85e9343d056c1b143ebf5ca6c101dec7

    > The SHA-1 hash I get when I hash the file locally (on macOS with the
    > command shasum R-3.4.4.pkg) is: 5fd44c8a6eb2e936614f844d00f29c1fc2f4a0f9

    > I have encountered this scenario across two of the mirror sites, so my
    > assumption would be that the wrong hash is displayed.

Thank you very much, Joshua!

The master site is (with 'https', not just 'http' !)

and that does show the same hash (of course: the mirrors do not
recompute the hashes in the *text* of their pages).

So this must be an error somewhere.

I'm CC'ing the  R-SIG-Mac  mailing list,
where the R-on-Mac experts should be listening.

Can Mac users confirm they do not get the indicated hash but a
different one?


NOTE: The  Webmasters of   www.r-project.org  cannot really
      change contents of  cran.r-project.org  and its mirrors.

So we have to refer this to the CRAN maintainers ourselves.

For the webmasters of R-project.org,
Martin Maechler

ETH Zurich

    > Best Regards,
    > /J.S./
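
The check the reporter describes (hash the download locally, infer the algorithm from the length of each digest shown on the page, and compare), as an added example that is not part of the original thread. The function names, the length table and the sample file are constructed for illustration.

```python
import hashlib
import hmac
import os
import tempfile

# Hex-digest length -> common algorithms producing a digest of that length.
BY_LENGTH = {32: ["md5"], 40: ["sha1"], 56: ["sha224", "sha3_224"],
             64: ["sha256", "sha3_256"], 96: ["sha384", "sha3_384"],
             128: ["sha512", "sha3_512"]}

def file_digests(path, algorithms, chunk_size=1 << 20):
    """Read the file once and feed every chunk to each requested hash."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for hasher in hashers.values():
                hasher.update(chunk)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}

def check_published(path, published_values):
    """Map each published hex digest to (verdict, algorithms matched or tried)."""
    cleaned = ["".join(v.split()).lower() for v in published_values]
    needed = sorted({a for v in cleaned for a in BY_LENGTH.get(len(v), [])})
    local = file_digests(path, needed)
    report = {}
    for value in cleaned:
        candidates = BY_LENGTH.get(len(value), [])
        if not candidates or any(c not in "0123456789abcdef" for c in value):
            report[value] = ("unrecognised", [])
            continue
        matched = [a for a in candidates if hmac.compare_digest(local[a], value)]
        report[value] = ("match", matched) if matched else ("mismatch", candidates)
    return report

def demo():
    """Constructed sample: a stand-in file, one correct and one wrong digest."""
    data = b"constructed stand-in for a downloaded installer\n"
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(data)
    try:
        good_md5 = hashlib.md5(data).hexdigest()
        wrong_sha1 = "0" * 40  # constructed, deliberately wrong value
        return good_md5, wrong_sha1, check_published(tmp.name, [good_md5, wrong_sha1])
    finally:
        os.unlink(tmp.name)

if __name__ == "__main__":
    for value, (verdict, algos) in demo()[2].items():
        print(f"{value}  {verdict}  {','.join(algos)}")
```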
