[R-SIG-Mac] Incorrect SHA-1 hash for R-3.4.4.pkg on CRAN

Martin Maechler maechler at stat.math.ethz.ch
Mon Mar 26 17:24:13 CEST 2018


>>>>> Joshua Saxby <........>
>>>>>     on Mon, 26 Mar 2018 15:18:25 +0100 writes:

    > Dear Sir/Madam,
    > While downloading the latest version of /R for Mac OS X/, I noticed that
    > the SHA-1 checksum for the file as advertised on the page at
    > http://cran.us.r-project.org/bin/macosx/ appears to be incorrect. I am
    > quite certain that the checksum as displayed on the page is incorrect,
    > because the MD5 hash on the page matches that which I can reproduce
    > locally, and the Apple Developer certificates also validate successfully
    > when pkgutil --check-signature R-3.4.4.pkg is run.

    > To clarify, the SHA-hash (I assume it is SHA-1, no other SHA hash
    > matches this length) as displayed on your page is:
    > 566f8c7a85e9343d056c1b143ebf5ca6c101dec7

    > The SHA-1 hash I get when I hash the file locally (on macOS with the
    > command shasum R-3.4.4.pkg) is: 5fd44c8a6eb2e936614f844d00f29c1fc2f4a0f9

    > I have encountered this scenario across two of the mirror sites, so my
    > assumption would be that the wrong hash is displayed.

Thank you very much, Joshua!

The master site is (with 'https', not just 'http' !)
   https://cran.r-project.org/bin/macosx/

and that does show the same hash (of course: the mirrors do not
recompute the hashes in the *text* of their pages).

So this must be an error somewhere.

I'm CC'ing the  R-SIG-Mac  mailing list,
where the R-on-Mac experts should be listening.

Can Mac users confirm they do not get the indicated hash but a
different one?

-------

NOTE: The  Webmasters of   www.r-project.org  cannot really
      change contents of  cran.r-project.org  and its mirrors.

So we have to refer this to the CRAN maintainers ourselves.

For the webmasters of R-project.org,
Martin Maechler

ETH Zurich

    > Best Regards,
    > /J.S./
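
The check described in the report above (work out which algorithm a published digest uses from its length, then compare each published value with a locally computed one) can be scripted as follows. This is an added example, not part of the original thread; the function names, the length table and the sample file and listing are constructed for illustration.

```python
import hashlib
import hmac
import os
import tempfile

# Hex-digest length -> algorithm (MD5, SHA-1 and SHA-2 only; an assumption of this example).
HEX_LENGTH_TO_ALGORITHM = {32: "md5", 40: "sha1", 56: "sha224",
                           64: "sha256", 96: "sha384", 128: "sha512"}


def guess_algorithm(published_hex):
    """Infer the algorithm from the length of a published hex digest."""
    value = published_hex.strip().lower()
    if not value or any(c not in "0123456789abcdef" for c in value):
        raise ValueError("not a hex digest: %r" % published_hex)
    if len(value) not in HEX_LENGTH_TO_ALGORITHM:
        raise ValueError("unrecognised digest length %d" % len(value))
    return HEX_LENGTH_TO_ALGORITHM[len(value)]


def check_published(path, published_digests, chunk_size=1 << 20):
    """Hash the file in one pass; return {algorithm: (matches, local_hex)}."""
    expected = {guess_algorithm(d): d.strip().lower() for d in published_digests}
    hashers = {name: hashlib.new(name) for name in expected}
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            for hasher in hashers.values():
                hasher.update(chunk)
    return {name: (hmac.compare_digest(h.hexdigest(), expected[name]), h.hexdigest())
            for name, h in hashers.items()}


def demo():
    """Constructed case: the listing's MD5 is right, its SHA-1 is stale."""
    payload = b"constructed stand-in for an installer package\n" * 1000
    listing = [hashlib.md5(payload).hexdigest(),   # correct entry
               "0" * 40]                           # constructed wrong SHA-1 entry
    fd, path = tempfile.mkstemp(suffix=".pkg")
    try:
        with os.fdopen(fd, "wb") as handle:
            handle.write(payload)
        return check_published(path, listing)
    finally:
        os.remove(path)


if __name__ == "__main__":
    for name, (matches, local_hex) in sorted(demo().items()):
        print("%-6s %-8s local=%s" % (name, "OK" if matches else "MISMATCH", local_hex))
```

A result where one listed digest matches and another does not is the situation the report describes; the `pkgutil --check-signature` check it mentions does not depend on the digests shown on the page.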


