The file at http://www.openssl.org/./source/openssl-0.9.8f.tar.gz.sha1 contains the checksum 0a0a3fd9be3d46053df2e91b6eb8a3b4348c793c, whereas the file at http://www.openssl.org/source/openssl-0.9.8f.tar.gz (even after repeated download) has SHA1 checksum e8716370093b112763ace0c66c06a0d6049e413b.

The published OpenPGP signature http://www.openssl.org/source/openssl-0.9.8f.tar.gz.asc was made with key 0x2719AF35 and matches for the tarball. But previous releases were signed with key 0xF295C759.

This looks kind of suspicious to me. However, why would an attacker replace the OpenPGP signature and not the SHA1 checksum? Hopefully, there is a simple explanation for this.
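The check the poster describes (compare a downloaded tarball against its published .sha1 file, then verify the detached OpenPGP signature) is shown below as an added example; it is not code from the mailing-list post or from the OpenSSL project. It assumes the .sha1 file holds just the hex digest, as the openssl.org files do, and that a signing-key fingerprint has been obtained out of band, since a checksum fetched over plain HTTP from the same server carries no more trust than the tarball it describes. The file names, the hypothetical fingerprint argument and the sample content are assumptions.

```shell
#!/bin/sh
# Added example (not the post's or OpenSSL's code): verify a release
# tarball against a published SHA-1 digest and a detached OpenPGP signature.

# Print the SHA-1 of a file; use sha1sum, or fall back to the openssl CLI.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | awk '{print $1}'
    else
        openssl dgst -sha1 -r "$1" | awk '{print $1}'
    fi
}

# check_sha1 TARBALL CHECKSUM_FILE
# Returns 0 when the computed digest equals the first token of the
# checksum file, 1 otherwise. Case is normalised so an upper-case
# published digest does not produce a false mismatch.
check_sha1() {
    file=$1
    sumfile=$2
    expected=$(awk '{print $1; exit}' "$sumfile" | tr 'A-F' 'a-f')
    actual=$(sha1_of "$file")
    if [ "$expected" = "$actual" ]; then
        echo "sha1 OK: $actual"
        return 0
    fi
    echo "sha1 MISMATCH: published $expected, computed $actual" >&2
    return 1
}

# verify_sig TARBALL ASC_FILE FINGERPRINT
# Verifies the detached signature with gpg and, in addition, requires the
# signing key's full fingerprint (from gpg's VALIDSIG status line) to equal
# FINGERPRINT, which the caller must have obtained out of band. Checking
# the fingerprint is what catches a tarball re-signed with a different key.
verify_sig() {
    file=$1
    asc=$2
    want_fpr=$3
    status=$(gpg --batch --status-fd 1 --verify "$asc" "$file" 2>/dev/null) || return 1
    fpr=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG/ {print $3; exit}')
    [ -n "$fpr" ] && [ "$fpr" = "$want_fpr" ]
}

# Typical use against a real download (assumed file names):
#   check_sha1 openssl-0.9.8f.tar.gz openssl-0.9.8f.tar.gz.sha1
#   verify_sig openssl-0.9.8f.tar.gz openssl-0.9.8f.tar.gz.asc "$KNOWN_FINGERPRINT"
```

Both checks must pass; a matching signature from a key whose fingerprint was never confirmed out of band says nothing about who produced the tarball, and a .sha1 file served next to the tarball only detects a corrupted download, not a substituted one.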