M Sesterhenn created KAFKA-14052:
------------------------------------

             Summary: Download verification directions are incorrect for linux
                 Key: KAFKA-14052
                 URL: https://issues.apache.org/jira/browse/KAFKA-14052
             Project: Kafka
          Issue Type: Bug
          Components: documentation
         Environment: website
            Reporter: M Sesterhenn


[https://www.apache.org/info/verification.html]

The above is linked to from the Kafka download page 
([https://kafka.apache.org/downloads]), and it contains incorrect instructions 
for verifying the release.

The .sha512 files for the downloads are all in this format:

{code:java}
kafka_2.13-3.2.0.tgz: 736A1298 23B058DC 10788D08 93BDE47B 6F39B9E4 972F9EAC 
2D5C9E85 E51E4773 44C6F1E1 EBD126CE 34D5FD43 0EB07E55 FDD60D60 CB541F1D 
48655C0E BC0A4778 
{code}
These files cannot be used to easily verify the expected hash using the 
procedure described in the verification website.  The website says to use:
{code:java}
sha512sum file
{code}
...which doesn't do any hash comparison; it only tells you what the file's hash 
is, and it is up to the user to manually compare its output with the 
differently formatted output in the .sha512 file, which is error-prone and a 
chore.

Expected result:

I would expect to be able to do 
{code:java}
sha512sum -c file
{code}
...like any normal download.

If the format of the .sha512 files cannot be changed to be compatible with the 
Linux shasum program, then please update the website to describe the proper way 
to compare hashes.  The best way seems to be a script like this:

{code:java}
# Write gpg's SHA512 digest of the tarball to a temp file and diff it against the published .sha512
SHA=$(mktemp); gpg --print-md SHA512 "$FILE" > "$SHA" && diff "$SHA" "$FILE.sha512" && 
echo "SHA checks out OK."
{code}
(where FILE is the downloaded tarball.)

I looked into providing a PR for the verification page, but that is an 
Apache-wide web page and probably is not publicly available.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
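
An added example, not part of the original report or of Apache's published instructions: a POSIX shell helper that normalises the `name: XXXXXXXX XXXXXXXX ...` layout quoted in the report into a single hex digest and compares it with what `sha512sum` computes. The function names are hypothetical, and it assumes `sha512sum` from coreutils is on the PATH.

```shell
#!/bin/sh
# Added example: verify a download against a .sha512 file written in the
# "gpg --print-md" layout (file name, colon, uppercase hex in groups of 8,
# wrapped over several lines). Function names are hypothetical.

# Print the digest stored in a .sha512 file as one lowercase hex string.
sha512_file_to_hex() {
    # Line 1 starts with "<name>: "; hex digits never contain ':', so the
    # greedy match removes the name even if the name itself has a colon.
    tr -d '\r' < "$1" | sed '1s/^.*: *//' | tr -d ' \t\n' | tr 'A-F' 'a-f'
}

# verify_sha512 FILE [SUMFILE]
# Returns 0 on match, 1 on mismatch, 2 if the inputs cannot be used.
verify_sha512() {
    file=$1
    sumfile=${2:-$1.sha512}
    expected=$(sha512_file_to_hex "$sumfile")

    # A SHA-512 digest is exactly 128 hex characters. Anything else means
    # the file is truncated, missing, or in a layout this helper does not know.
    case $expected in
        *[!0-9a-f]*) echo "$sumfile: unrecognised digest format" >&2; return 2 ;;
    esac
    if [ "${#expected}" -ne 128 ]; then
        echo "$sumfile: expected 128 hex digits, got ${#expected}" >&2
        return 2
    fi

    # Hash via stdin so the output is always "<hex>  -", whatever the file name.
    actual=$(sha512sum < "$file") || return 2
    actual=${actual%% *}

    if [ "$actual" = "$expected" ]; then
        echo "$file: OK"
    else
        echo "$file: FAILED (SHA-512 mismatch)" >&2
        return 1
    fi
}

# Usage: verify_sha512 kafka_2.13-3.2.0.tgz
```

A matching digest only shows the download was not corrupted or swapped relative to the `.sha512` file; the signature check described on the same verification page is what ties the release to the project's keys.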