Some Eclipse Foundation services are deprecated, or will be soon. Please ensure you've read this important communication.

Bug 359623

Summary: SHA1 sums published on web site are actually MD5 sums
Product: [Eclipse Project] Platform Reporter: Sean Champ <gimmal>
Component: RelengAssignee: Kim Moir <kim.moir>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: P3 CC: denis.roy, kim.moir
Version: 3.7.1   
Target Milestone: 3.8 M3   
Hardware: PC   
OS: Windows 7   
Whiteboard:
Attachments:
Description Flags
patch to streamline sha1 and md5 generationin the build
none
patch for 3.7.x stream builds none

Description Sean Champ CLA 2011-09-30 17:00:59 EDT 
Build Identifier: R-3.7.1-201109091335

Comparing the contents at the following URLs, for example:
http://download.eclipse.org/eclipse/downloads/drops/R-3.7.1-201109091335/checksum/swt-3.7.1-cocoa-macosx-x86_64.zip.sha1
http://download.eclipse.org/eclipse/downloads/drops/R-3.7.1-201109091335/checksum/swt-3.7.1-cocoa-macosx-x86_64.zip.md5

...what I'm seeing is that the checksums are the same, in both of those files. What I expected is that they would not be the same - my being of the impression that the MD5 algorithm should produce a different checksum than the SHA1 algorithm, for a given file.

Running md5sum on the file, swt-3.7.1-cocoa-macosx-x86_64.zip, then, I see that both of those checksums are, aparently,  MD5 checksums. 

So, it appears there is a bug in whichever release-process component is producing  the assumed SHA1 checksum files - the bug being in that it's producing MD5 checksums, not SHA1 checksums, though the checksum files are given the type "sha1"

As a workaround, one can at least revert to using MD5 checkums, so in order to check the integrity of the downloaded SWT platform-specific libraries, for instance. Though the integrity of the MD5 check may not be as great as that of the SHA1 check would be, if the *.sha1 checkums there were actual SHA1 checksums, but it may be sufficient as a workaround. 

Reproducible: Always

Steps to Reproduce:
(See details)
Comment 1 Denis Roy CLA 2011-09-30 19:37:56 EDT 
When you pick a mirror for the download[1], the sums displayed there are correct.

Regarless, moving to Platform for rectification.


[1] http://www.eclipse.org/downloads/download.php?file=/eclipse/downloads/drops/R-3.7.1-201109091335/swt-3.7.1-cocoa-macosx-x86_64.zip
Comment 2 Kim Moir CLA 2011-10-03 12:09:29 EDT 
Created attachment 204458 [details]
patch to streamline sha1 and md5 generationin the build
Comment 3 Kim Moir CLA 2011-10-03 16:14:28 EDT 
Created attachment 204472 [details]
patch for 3.7.x stream builds
Comment 4 Kim Moir CLA 2011-10-03 16:40:12 EDT 
Fixed in 3.7.x and HEAD streams.  Also, I ran the script against 3.7.1 and 3.7 so corrected checksums should be replicating to the servers shortly.

Thanks for bringing this to our attention :-)