
Incorrect SHA-1 hash for R-3.4.4.pkg on CRAN

3 messages · Martin Maechler, Joshua Saxby, Marc Schwartz

#
> Dear Sir/Madam,
> While downloading the latest version of /R for Mac OS X/, I noticed that
> the SHA-1 checksum for the file as advertised on the page at
> http://cran.us.r-project.org/bin/macosx/ appears to be incorrect. I am
> quite certain that the checksum as displayed on the page is incorrect,
> because the MD5 hash on the page matches that which I can reproduce
> locally, and the Apple Developer certificates also validate successfully
> when pkgutil --check-signature R-3.4.4.pkg is run.
>
> To clarify, the SHA-hash (I assume it is SHA-1, no other SHA hash
> matches this length) as displayed on your page is:
> 566f8c7a85e9343d056c1b143ebf5ca6c101dec7
>
> The SHA-1 hash I get when I hash the file locally (on macOS with the
> command shasum R-3.4.4.pkg) is: 5fd44c8a6eb2e936614f844d00f29c1fc2f4a0f9
>
> I have encountered this scenario across two of the mirror sites, so my
> assumption would be that the wrong hash is displayed.

Thank you very much, Joshua!

The master site is (with 'https', not just 'http' !)
   https://cran.r-project.org/bin/macosx/

and that does show the same hash (of course: the mirrors do not
recompute the hashes in the *text* of their pages).

So this must be an error somewhere.

I'm CC'ing the R-SIG-Mac mailing list,
where the R-on-Mac experts should be listening.

Can Mac users confirm they do not get the indicated hash but a
different one?

-------

NOTE: The Webmasters of www.r-project.org cannot really
      change contents of cran.r-project.org and its mirrors.

So we have to refer this to the CRAN maintainers ourselves.

For the webmasters of R-project.org,
Martin Maechler

ETH Zurich

> Best Regards,
> /J.S./
#
You're very welcome Martin!

/Aha, glad to see your master site is HTTPS, not HTTP. I was under
the false impression that the project's main site was only available
under the latter (which did seem strange)./

Sorry if you weren't the best person to contact, I couldn't work out who
was the best to contact from the information on the page.

Best Regards,

/J.S./

------------------------------------------------------------------------
*My PGP Public Key Identity*

pub   4096R/*DDD75C27* 2016-11-17 [expires: 2018-10-06]
      Key fingerprint = *F9B1 BDAF 9A2A 7F9A 0712 DEEB 3B24 41F6 DDD7 5C27*
uid       [ultimate] Joshua Saxby (Decoded Ltd) josh at decoded.com <mailto:josh at decoded.com>
sub   4096R/8B35ECE4 2016-11-17 [expires: 2018-10-06]

------------------------------------------------------------------------
On 2018-03-26 16:24, Martin Maechler wrote:
#
Here is what I am getting:

md5 R-3.4.4.pkg
MD5 (R-3.4.4.pkg) = 741276b7c44e617a9d75d080db953f62

The above matches the value on CRAN.


shasum R-3.4.4.pkg
5fd44c8a6eb2e936614f844d00f29c1fc2f4a0f9  R-3.4.4.pkg

The above, as Joshua noted, does not match the value on CRAN. I also verified the same hash using an online generator.


pkgutil --check-signature R-3.4.4.pkg
Package "R-3.4.4.pkg":
   Status: signed by a certificate trusted by Mac OS X
   Certificate Chain:
    1. Developer ID Installer: Simon Urbanek (VZLD955F6P)
       SHA1 fingerprint: 7B 6B 81 12 E6 26 8C 16 F8 D4 0F 94 E4 3E 62 69 2E 92 22 81
       -----------------------------------------------------------------------------
    2. Developer ID Certification Authority
       SHA1 fingerprint: 3B 16 6C 3B 7D C4 B7 51 C9 FE 2A FA B9 13 56 41 E3 88 E1 86
       -----------------------------------------------------------------------------
    3. Apple Root CA
       SHA1 fingerprint: 61 1E 5B 66 2C 59 3A 08 FF 58 D1 4A E2 24 52 D1 98 DF 6C 60


The above does appear to be correct.

A logical guess at this point, presuming that the CRAN binary has not been compromised, is that the SHA1 hash on CRAN is not correct and may perhaps be for an earlier PKG file version, or perhaps one of the nightly devel versions that Simon generates. I went back to each prior version to 3.4.0 and could not match the value on CRAN, so perhaps it may be for one of the nightly builds.

Regards,

Marc Schwartz
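The digest checks the thread walks through, as an added example that is not part of the thread or of CRAN's tooling: a small Python script that computes the digests a download page publishes for a file in one pass and separates the three outcomes (everything matches, nothing matches, or the page's own digests disagree with each other, which is what Joshua and Marc observed). The file bytes and the stale page value in demo() are constructed; the real R-3.4.4.pkg and the pkgutil signature check are not used.

```python
import hashlib
import os
import tempfile

# Verdicts returned by check_against_published()
MATCH = "MATCH"                          # every digest on the page matches the file
MISMATCH = "MISMATCH"                    # no digest matches: wrong, corrupt or altered file
INCONSISTENT_PAGE = "INCONSISTENT_PAGE"  # page digests contradict each other: a stale value

def file_digests(path, algorithms=("md5", "sha1", "sha256")):
    """Read the file once and feed every requested algorithm from the same chunks."""
    hashes = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashes.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashes.items()}

def check_against_published(path, published):
    """published: {"md5": "<hex>", "sha1": "<hex>"} copied from the download page.
    Returns (verdict, per_algorithm) where per_algorithm maps each name to True/False.
    Digests on the same page as the file only catch accidental corruption; authenticity
    still rests on the installer signature (pkgutil --check-signature on macOS)."""
    actual = file_digests(path, tuple(published))
    per_algorithm = {name: actual[name] == published[name].strip().lower()
                     for name in published}
    if all(per_algorithm.values()):
        return MATCH, per_algorithm
    if not any(per_algorithm.values()):
        return MISMATCH, per_algorithm
    # Some match, some do not: the same bytes cannot both be and not be the file the
    # page describes, so one published value is wrong (the thread's situation).
    return INCONSISTENT_PAGE, per_algorithm

def demo():
    """Constructed sample, not the real R-3.4.4.pkg: a small file plus a 'download page'
    whose MD5 is right but whose SHA-1 was never updated."""
    data = b"constructed sample installer bytes\n" * 100
    fd, path = tempfile.mkstemp(suffix=".pkg")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    try:
        real = file_digests(path, ("md5", "sha1"))
        page = {"md5": real["md5"], "sha1": "0" * 40}  # stale SHA-1 on the page
        return check_against_published(path, page)
    finally:
        os.unlink(path)
```

For a real download, pass the path of the .pkg and the digests copied from the HTTPS master page; an INCONSISTENT_PAGE verdict means the page needs fixing, while MISMATCH means the file should not be installed until the signature has been checked.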