[R-SIG-Mac] Incorrect SHA-1 hash for R-3.4.4.pkg on CRAN
Martin Maechler
maechler at stat.math.ethz.ch
Mon Mar 26 17:24:13 CEST 2018
>>>>> Joshua Saxby <........>
>>>>> on Mon, 26 Mar 2018 15:18:25 +0100 writes:
> Dear Sir/Madam,
> While downloading the latest version of /R for Mac OS X/, I noticed that
> the SHA-1 checksum for the file as advertised on the page at
> http://cran.us.r-project.org/bin/macosx/ appears to be incorrect. I am
> quite certain that the checksum as displayed on the page is incorrect,
> because the MD5 hash on the page matches that which I can reproduce
> locally, and the Apple Developer certificates also validate successfully
> when pkgutil --check-signature R-3.4.4.pkg is run.
> To clarify, the SHA-hash (I assume it is SHA-1, no other SHA hash
> matches this length) as displayed on your page is:
> 566f8c7a85e9343d056c1b143ebf5ca6c101dec7
> The SHA-1 hash I get when I hash the file locally (on macOS with the
> command shasum R-3.4.4.pkg) is: 5fd44c8a6eb2e936614f844d00f29c1fc2f4a0f9
> I have encountered this scenario across two of the mirror sites, so my
> assumption would be that the wrong hash is displayed.
Thank you very much, Joshua!
The master site is (with 'https', not just 'http' !)
https://cran.r-project.org/bin/macosx/
and that does show the same hash (of course: the mirrors do not
recompute the hashes in the *text* of their pages).
So this must be an error somewhere.
I'm CC'ing the R-SIG-Mac mailing list,
where the R-on-Mac experts should be listening.
Can mac users confirm they do not get the indicated hash but a
different one?
-------
NOTE: The Webmasters of www.r-project.org cannot really
change contents of cran.r-project.org and its mirrors.
So we have to refer this to the CRAN maintainers ourselves.
For the webmasters of R-project.org,
Martin Maechler
ETH Zurich
> Best Regards,
> /J.S./
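The check described in this message, as an added example that is not part of the original e-mail or of CRAN's tooling: it guesses each published digest's algorithm from its hex length (the same reasoning as the SHA-1 guess above), hashes the local file once, and reports whether the published values agree with the file and with each other. The function names and the verdict labels are assumptions made for this illustration.

```python
import hashlib
import sys

# Hex-digest length -> hashlib algorithm (the length is how the SHA-1 guess is made).
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 56: "sha224",
                   64: "sha256", 96: "sha384", 128: "sha512"}

def file_digests(path, algos, chunk_size=1 << 20):
    """Read the file once and feed each chunk to every requested hash."""
    hashers = {name: hashlib.new(name) for name in algos}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def check_published(path, published):
    """Return {published_hex: (algorithm_or_None, matches_local_file)}."""
    cleaned = [p.strip().lower() for p in published]
    algos = {ALGO_BY_HEX_LEN[len(p)] for p in cleaned if len(p) in ALGO_BY_HEX_LEN}
    local = file_digests(path, algos)
    results = {}
    for p in cleaned:
        algo = ALGO_BY_HEX_LEN.get(len(p))
        results[p] = (algo, algo is not None and local[algo] == p)
    return results

def verdict(results):
    """Summarise: all match, none match, or the published values disagree."""
    known = [ok for algo, ok in results.values() if algo is not None]
    if not known:
        return "unknown"
    if all(known):
        return "verified"
    # Some digests match and others do not: the published values are
    # inconsistent with each other for this file (the case reported here).
    return "inconsistent" if any(known) else "mismatch"

if __name__ == "__main__" and len(sys.argv) > 2:
    # Usage: python check.py FILE HEX [HEX ...]
    res = check_published(sys.argv[1], sys.argv[2:])
    for value, (algo, ok) in res.items():
        print(f"{algo or 'unknown':8} {'OK' if ok else 'MISMATCH':8} {value}")
    print("verdict:", verdict(res))
```

An "inconsistent" verdict only says that the published digests cannot all describe the same file; it does not say which one is wrong, so a separate check such as the package signature is still needed.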