[R-SIG-Mac] Incorrect SHA-1 hash for R-3.4.4.pkg on CRAN
maechler at stat.math.ethz.ch
Mon Mar 26 17:24:13 CEST 2018
>>>>> Joshua Saxby <........>
>>>>> on Mon, 26 Mar 2018 15:18:25 +0100 writes:
> Dear Sir/Madam,
> While downloading the latest version of /R for Mac OS X/, I noticed that
> the SHA-1 checksum for the file as advertised on the page at
> http://cran.us.r-project.org/bin/macosx/ appears to be incorrect. I am
> quite certain that the checksum as displayed on the page is incorrect,
> because the MD5 hash on the page matches that which I can reproduce
> locally, and the Apple Developer certificates also validate successfully
> when pkgutil --check-signature R-3.4.4.pkg is run.
> To clarify, the SHA-hash (I assume it is SHA-1, no other SHA hash
> matches this length) as displayed on your page is:
> The SHA-1 hash I get when I hash the file locally (on macOS with the
> command shasum R-3.4.4.pkg) is: 5fd44c8a6eb2e936614f844d00f29c1fc2f4a0f9
> I have encountered this scenario across two of the mirror sites, so my
> assumption would be that the wrong hash is displayed.
Thank you very much, Joshua!
The master site is (with 'https', not just 'http' !)
and that does show the same hash (of course: the mirrors do not
recompute the hashes in the *text* of their pages).
So this must be an error somewhere.
I'm CC'ing the R-SIG-Mac mailing list,
where the R-on-Mac experts should be listening.
Can mac users confirm they do not get the indicated hash but a
NOTE: The Webmasters of www.r-project.org cannot really
change contents of cran.r-project.org and its mirrors.
So we have to refer this to the CRAN maintainers ourselves.
For the webmasters of R-project.org,
> Best Regards,
More information about the R-SIG-Mac