2017-10-23 16:40 GMT+03:00 Bill Munro <billmunro2...@hotmail.com>: > Hi, > > > I downloaded the file from all mirror sites (including backups), but I get a > different checksum than the one on the apache site. I am using fsum sha1. > Are the checksums on the site incorrect, or is fsum wrong?
Maybe you are comparing with checksum of a different file? E.g. windows-x86.zip vs windows-x64.zip vs .zip ? The correct sha1: 5992ca5bf02a6ae6d901eb22e7d3309061b26e42 *apache-tomcat-8.5.23-windows-x86.zip sha256: acca2ce6217da70beb8f6b0d58054f2133276bd7328ff51ca51ae0125c1cf586 *apache-tomcat-8.5.23-windows-x86.zip The value of sha256 can be used to search VirusTotal: https://www.virustotal.com/file/acca2ce6217da70beb8f6b0d58054f2133276bd7328ff51ca51ae0125c1cf586/analysis/ First submission 2017-10-02 08:36:18 UTC Officially, the recommended way to verify a file is to check its PGP signature. https://www.apache.org/info/verification.html Verifying the signature, using GPG (using the one included with Git for Windows): (omitting some unimportant messages) $ gpg --keyserver pgpkeys.mit.edu --recv-key 33C60243 gpg: requesting key 33C60243 from hkp server pgpkeys.mit.edu gpg: key 33C60243: public key "Mark E D Thomas <ma...@apache.org>" imported gpg: key 33C60243: public key "Mark E D Thomas <ma...@apache.org>" imported gpg: no ultimately trusted keys found gpg: Total number processed: 2 gpg: imported: 2 (RSA: 1) $ gpg --fingerprint 33C60243 pub 1024R/33C60243 2014-06-16 [revoked: 2016-08-16] Key fingerprint = B65C A985 6C76 39CD 9D17 7D0E 5385 81D4 33C6 0243 uid Mark E D Thomas <ma...@apache.org> pub 1024D/33C60243 2004-09-12 Key fingerprint = DCFD 35E0 BF8C A734 4752 DE8B 6FB2 1E89 33C6 0243 uid Mark E D Thomas <ma...@apache.org> uid Mark E D Thomas <med.tho...@virgin.net> uid Mark E D Thomas <mark.tho...@springsource.com> sub 2048g/0BECE548 2004-09-12 $ gpg --verify apache-tomcat-8.5.23-windows-x86.zip.asc apache-tomcat-8.5.23-windows-x86.zip gpg: Signature made 28 сен 2017 г. 13:31:21 RTZ using DSA key ID 33C60243 gpg: Good signature from "Mark E D Thomas <ma...@apache.org>" gpg: aka "Mark E D Thomas <med.tho...@virgin.net>" gpg: aka "Mark E D Thomas <mark.tho...@springsource.com>" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: DCFD 35E0 BF8C A734 4752 DE8B 6FB2 1E89 33C6 0243 The footprint is the same as of this key in https://www.apache.org/dist/tomcat/tomcat-8/KEYS For ages I used md5sum.exe and sha1sum.exe from GNU CoreUtils package for Windows, http://gnuwin32.sourceforge.net/ http://gnuwin32.sourceforge.net/packages/coreutils.htm Nowadays I use the unix tools bundles with Git for Windows. Best regards, Konstantin Kolinko --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
