[R-SIG-Mac] Incorrect SHA-1 hash for R-3.4.4.pkg on CRAN

Marc Schwartz marc_schwartz at me.com
Mon Mar 26 17:53:13 CEST 2018

> On Mar 26, 2018, at 11:24 AM, Martin Maechler <maechler at stat.math.ethz.ch> wrote:
>>>>>> Joshua Saxby <........>
>>>>>>    on Mon, 26 Mar 2018 15:18:25 +0100 writes:
>> Dear Sir/Madam,
>> While downloading the latest version of /R for Mac OS X/, I noticed that
>> the SHA-1 checksum for the file as advertised on the page at
>> http://cran.us.r-project.org/bin/macosx/ appears to be incorrect. I am
>> quite certain that the checksum as displayed on the page is incorrect,
>> because the MD5 hash on the page matches that which I can reproduce
>> locally, and the Apple Developer certificates also validate successfully
>> when pkgutil --check-signature R-3.4.4.pkg is run.
>> To clarify, the SHA-hash (I assume it is SHA-1, no other SHA hash
>> matches this length) as displayed on your page is:
>> 566f8c7a85e9343d056c1b143ebf5ca6c101dec7
>> The SHA-1 hash I get when I hash the file locally (on macOS with the
>> command shasum R-3.4.4.pkg) is: 5fd44c8a6eb2e936614f844d00f29c1fc2f4a0f9
>> I have encountered this scenario across two of the mirror sites, so my
>> assumption would be that the wrong hash is displayed.
> Thank you very much, Joshua!
> The master site is (with 'https', not just 'http' !)
>   https://cran.r-project.org/bin/macosx/
> and that does show the same hash (of course: the mirrors do not
> recompute the hashes in the *text* of their pages).
> So this must be an error somewhere.
> I'm CC'ing the  R-SIG-Mac  mailing list,
> where the R-on-Mac experts should be listening.
> Can  mac users confirm they do not get the indicated hash but a
> different one?

Here is what I am getting:

md5 R-3.4.4.pkg  
MD5 (R-3.4.4.pkg) = 741276b7c44e617a9d75d080db953f62

The above matches the value on CRAN.

shasum R-3.4.4.pkg
5fd44c8a6eb2e936614f844d00f29c1fc2f4a0f9  R-3.4.4.pkg

The above, as Joshua noted, does not match the value on CRAN. I also verified the same hash using an online generator.

pkgutil --check-signature R-3.4.4.pkg
Package "R-3.4.4.pkg":
   Status: signed by a certificate trusted by Mac OS X
   Certificate Chain:
    1. Developer ID Installer: Simon Urbanek (VZLD955F6P)
       SHA1 fingerprint: 7B 6B 81 12 E6 26 8C 16 F8 D4 0F 94 E4 3E 62 69 2E 92 22 81
    2. Developer ID Certification Authority
       SHA1 fingerprint: 3B 16 6C 3B 7D C4 B7 51 C9 FE 2A FA B9 13 56 41 E3 88 E1 86
    3. Apple Root CA
       SHA1 fingerprint: 61 1E 5B 66 2C 59 3A 08 FF 58 D1 4A E2 24 52 D1 98 DF 6C 60

The above does appear to be correct.

A logical guess at this point, presuming that the CRAN binary has not been compromised, is that the SHA1 hash on CRAN is not correct and may perhaps be for an earlier PKG file version, or perhaps one of the nightly devel versions that Simon generates. I went back to each prior version to 3.4.0 and could not match the value on CRAN, so perhaps it may be for one of the nightly builds.


Marc Schwartz

> -------
> NOTE: The  Webmasters of   www.r-project.org  cannot really
>      change contents of  cran.r-project.org  and its mirrors.
> So we have to refer this to the CRAN maintainers ourselves.
> For the webmasters of R-project.org,
> Martin Maechler
> ETH Zurich
>> Best Regards,
>> /J.S./
> _______________________________________________
> R-SIG-Mac mailing list
> R-SIG-Mac at r-project.org
> https://stat.ethz.ch/mailman/listinfo/r-sig-mac
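The checks Marc ran by hand above (an MD5 that matches the page, a SHA-1 that does not) are the kind of thing worth scripting so that a single mismatching digest is reported as a failure rather than being waved through on the strength of the matching one. The following is an added example and not code from the thread or from CRAN; it wraps whichever digest tools are present (coreutils `md5sum`/`sha1sum` or the macOS `md5`/`shasum` used in the message), compares against published values, and only succeeds when every published digest matches. The file and expected values in the usage line at the bottom are placeholders for the reader to substitute.

```sh
#!/bin/sh
# Portable digest helper: coreutils on Linux, BSD tools on macOS.
# $1 = algorithm (md5 | sha1), $2 = file. Prints the lowercase hex digest.
digest() {
  case "$1" in
    md5)
      if command -v md5sum >/dev/null 2>&1; then md5sum "$2" | awk '{print $1}'
      else md5 -q "$2"; fi ;;
    sha1)
      if command -v sha1sum >/dev/null 2>&1; then sha1sum "$2" | awk '{print $1}'
      else shasum -a 1 "$2" | awk '{print $1}'; fi ;;
    *)
      echo "unsupported algorithm: $1" >&2; return 2 ;;
  esac
}

# Compare one digest against the value published for the file.
# $1 = algorithm, $2 = file, $3 = expected hex digest (any case).
# Returns 0 on match, 1 on mismatch, and prints both values on mismatch
# so the reader can paste them into a bug report as in the thread.
verify_digest() {
  actual=$(digest "$1" "$2") || return 2
  expected=$(printf '%s' "$3" | tr 'A-F' 'a-f')
  if [ "$actual" = "$expected" ]; then
    printf '%-4s %s: OK (%s)\n' "$1" "$2" "$actual"
    return 0
  else
    printf '%-4s %s: MISMATCH\n  published %s\n  computed  %s\n' \
      "$1" "$2" "$expected" "$actual"
    return 1
  fi
}

# Check every published digest and fail if any one of them differs.
# A matching MD5 does not excuse a mismatching SHA-1: until the
# discrepancy is explained (stale page, wrong build, or a bad download),
# the package should not be installed.
# $1 = file, $2 = published MD5, $3 = published SHA-1.
verify_all() {
  status=0
  verify_digest md5  "$1" "$2" || status=1
  verify_digest sha1 "$1" "$3" || status=1
  if [ "$status" -eq 0 ]; then
    echo "all published digests match"
  else
    echo "at least one published digest does not match; do not install until explained"
  fi
  return "$status"
}

# Usage (placeholder arguments): ./verify.sh R-3.4.4.pkg <published-md5> <published-sha1>
if [ "$#" -eq 3 ]; then
  verify_all "$1" "$2" "$3"
fi
```

The digest comparison is deliberately kept separate from the signature check: `pkgutil --check-signature` tells you who signed the package, while the published digests tell you whether the bytes you downloaded are the bytes the maintainer meant to publish, and the thread shows the two can disagree for reasons that have nothing to do with tampering.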
