87140 – sha256 checksum for LibreOffice 4.3.4 SDK does not match web value

Bug 87140 - sha256 checksum for LibreOffice 4.3.4 SDK does not match web value

Summary: sha256 checksum for LibreOffice 4.3.4 SDK does not match web value

Status:	RESOLVED WORKSFORME

Alias:	None

Product:	LibreOffice
Classification:	Unclassified
Component:	Documentation (show other bugs)
Version: (earliest affected)	unspecified
Hardware:	All macOS (All)

Importance:	medium normal
Assignee:	Not Assigned

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2014-12-09 08:00 UTC by sancarlosastro
Modified:	2014-12-09 19:49 UTC (History)
CC List:	2 users (show)

See Also:
Crash report or crash signature:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description sancarlosastro 2014-12-09 08:00:39 UTC

the sha 256 sum shown on the "info" web page does not match the download, but the other checksums do match.  The pgp sig also is valid.

on this page: http://download.documentfoundation.org/libreoffice/stable/4.3.4/mac/x86/LibreOffice_4.3.4_MacOS_x86_sdk.dmg.mirrorlist

the sha256 sum is listed as: f4e9462cfad970ac121283d6a66ee999e14cd99cdbea4a295a3d9f80788cad21

My Mac reports that the checksum is:
9e466cdd41ab29e0845267f6e46ed7c6edb79b36b4bcb121edd0df55aee4e53c

But the sha1 and md5 checksums computed by my mac match what is shown on the above url.  On addition, the pgp signature also appears to be correct.

I am running Mac OSX 10.9.5 with openssl version OpenSSL 1.0.1j 15 Oct 2014

The download was retrieved from "the preferred mirror" with url: http://download.documentfoundation.org/libreoffice/stable/4.3.4/mac/x86/LibreOffice_4.3.4_MacOS_x86_sdk.dmg

Cheers,
sancarlosastro

Comment 1 Alex Thurgood 2014-12-09 08:06:20 UTC

Altered title to reflect downloaded file mentioned in report

Comment 2 Robinson Tryon (qubit) 2014-12-09 19:49:35 UTC

(In reply to sancarlosastro from comment #0)
> the sha 256 sum shown on the "info" web page does not match the download,
> but the other checksums do match.  The pgp sig also is valid.
> 

REPRO STEPS:
> on this page:
> http://download.documentfoundation.org/libreoffice/stable/4.3.4/mac/x86/
> LibreOffice_4.3.4_MacOS_x86_sdk.dmg.mirrorlist
> 
> the sha256 sum is listed as:
> f4e9462cfad970ac121283d6a66ee999e14cd99cdbea4a295a3d9f80788cad21

Confirmed: That's what listed there

> The download was retrieved from "the preferred mirror" with url:
> http://download.documentfoundation.org/libreoffice/stable/4.3.4/mac/x86/
> LibreOffice_4.3.4_MacOS_x86_sdk.dmg

Downloaded file using FF 34.0 on Ubuntu 14.04.

> 
> My Mac reports that the checksum is:
> 9e466cdd41ab29e0845267f6e46ed7c6edb79b36b4bcb121edd0df55aee4e53c

The file as downloaded is 33688939 bytes (which matches the webpage).

sha256sum (GNU coreutils) 8.21 applied to the file gives:
f4e9462cfad970ac121283d6a66ee999e14cd99cdbea4a295a3d9f80788cad21

This matches the sha256sum above and on the stated webpage, so NOREPRO for me.

> ... the sha1 and md5 checksums computed by my mac match what is shown on the
> above url.  On addition, the pgp signature also appears to be correct.

SHA-1 and MD5 check out for me as well.

Cryptographically speaking, the chances of finding a file that shares the same SHA-1 and MD5 hashes with this download but *not* sharing the same sha256 hash are very low. Crazy low, even. I guess it's possible that there's a bug in one of the tools we're using to compute the sha256 hashes, but it would be excitingly weird for us to discover it when testing random LibreOffice binaries :-)

I'm going to change the Status -> RESOLVED WORKSFORME. Please check the size of the download and try downloading again. If you still think there's a problem on the LibreOffice side, please changes status back to UNCONFIRMED.

Thanks!