Bad md5 checksum of xml-security-c-1.7.3

Satheesh Kumar satheeshvsbk at gmail.com
Thu Jan 25 11:16:25 EST 2018 

Thanks​ for the suggestions, I will check it once again and let you know.

On 25-Jan-2018 8:00 PM, "Peter Schober" <peter.schober at univie.ac.at> wrote:

> * Satheesh Kumar <satheeshvsbk at gmail.com> [2018-01-25 14:57]:
> > We are upgrading Shib SP 2.6.0 to 2.6.1, while doing so I downloaded the
> > "xml-security-c-1.7.3" from the apache site -
> > http://santuario.apache.org/download.html and did md5sum to verify its
> > integrity. But it seems the md5 checksum and the signature provided in
> the
> > apache site is different, below is the md5 checksum values
> >
> > MD5 (xml-security-c-1.7.3.tar.gz) = *481a0f29d1b6e898da79f80dbbf7b05b*
> > apache MD5 link
> > <https://www.apache.org/dist/santuario/c-library/xml-
> security-c-1.7.3.tar.gz.md5>
> >
> > md5sum xml-security-c-1.7.3.tar.gz *1fe1ff8cb30e614e717c3a0a52f179bc*
> >
> > Kindly let me know where I can download the above tar file which is
> tamper
> > free or can I go ahead and use this tar file, I think its source code is
> > changed.
>
> I doubt the Shibboleth list is the right forum for this (even though
> Scott may act as maintainer for that Apache project, too) but
> anyway -- this works fine for me:
>
> $ curl -sSOL "http://www.apache.org/dist/santuario/c-library/xml-
> security-c-1.7.3.tar.gz{,.md5}"
>
> $ md5sum -c xml-security-c-1.7.3.tar.gz.md5
> xml-security-c-1.7.3.tar.gz: OK
>
> $ cat xml-security-c-1.7.3.tar.gz.md5
> MD5 (xml-security-c-1.7.3.tar.gz) = 481a0f29d1b6e898da79f80dbbf7b05b
>
> But of course:
>
> * MD5 shouldn't be used anymore at all
>
> * Those checkums are meant to easily identify broken downloads, they
>   do not authenticate the software: Whoever may have broken into the
>   Apache or their mirror servers to replace the software will
>   also be able to replace those checkums.
>
> * If you want to authenticate the software use PGP, as is written in
>   several places on that Apache site, including in section:
>   "VERIFY THE INTEGRITY OF THE FILES" at
>   e.g. http://www.apache.org/dyn/closer.lua/santuario/c-
> library/xml-security-c-1.7.3.tar.gz
>
> -peter
> --
> For Consortium Member technical support, see https://wiki.shibboleth.net/
> confluence/x/coFAAg
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20180125/15a6a5c5/attachment.html>

More information about the users mailing list