[R-SIG-Mac] Incorrect SHA-1 hash for R-3.4.4.pkg on CRAN

Joshua Saxby josh at decoded.com
Mon Mar 26 17:37:07 CEST 2018

You're very welcome Martin!

    /Aha, glad to see your master site is HTTPS, not HTTP. I was under
    the false impression that the project's main site was only available
    under the latter (which did seem strange)./

Sorry if you weren't the best person to contact; I couldn't work out who
was the best to contact from the information on the page.

Best Regards,


*My PGP Public Key Identity*

pub   4096R/*DDD75C27* 2016-11-17 [expires: 2018-10-06]
      Key fingerprint = *F9B1 BDAF 9A2A 7F9A 0712 DEEB 3B24 41F6 DDD7 5C27*
uid       [ultimate] Joshua Saxby (Decoded Ltd) <josh at decoded.com>
sub   4096R/8B35ECE4 2016-11-17 [expires: 2018-10-06]

On 2018-03-26 16:24, Martin Maechler wrote:
>>>>>> Joshua Saxby <........>
>>>>>>     on Mon, 26 Mar 2018 15:18:25 +0100 writes:
>     > Dear Sir/Madam,
>     > While downloading the latest version of /R for Mac OS X/, I noticed that
>     > the SHA-1 checksum for the file as advertised on the page at
>     > http://cran.us.r-project.org/bin/macosx/ appears to be incorrect. I am
>     > quite certain that the checksum as displayed on the page is incorrect,
>     > because the MD5 hash on the page matches that which I can reproduce
>     > locally, and the Apple Developer certificates also validate successfully
>     > when pkgutil --check-signature R-3.4.4.pkg is run.
>     > To clarify, the SHA-hash (I assume it is SHA-1, no other SHA hash
>     > matches this length) as displayed on your page is:
>     > 566f8c7a85e9343d056c1b143ebf5ca6c101dec7
>     > The SHA-1 hash I get when I hash the file locally (on macOS with the
>     > command shasum R-3.4.4.pkg) is: 5fd44c8a6eb2e936614f844d00f29c1fc2f4a0f9
>     > I have encountered this scenario across two of the mirror sites, so my
>     > assumption would be that the wrong hash is displayed.
> Thank you very much, Joshua!
> The master site is (with 'https', not just 'http' !)
>    https://cran.r-project.org/bin/macosx/
> and that does show the same hash (of course: the mirrors do not
> recompute the hashes in the *text* of their pages).
> So this must be an error somewhere.
> I'm CC'ing the  R-SIG-Mac  mailing list,
> where the R-on-Mac experts should be listening.
> Can  mac users confirm they do not get the indicated hash but a
> different one?
> -------
> NOTE: The  Webmasters of   www.r-project.org  cannot really
>       change contents of  cran.r-project.org  and its mirrors.
> So we have to refer this to the CRAN maintainers ourselves.
> For the webmasters of R-project.org,
> Martin Maechler
> ETH Zurich
>     > Best Regards,
>     > /J.S./
