Platform-releng/How to check integrity of downloads

From Eclipsepedia


Verifying integrity of downloads from the Eclipse Platform Project and Equinox

Downloads can be verified using sha512sum or shasum, Unix command line tools provided in the GNU Coreutils package (shasum is also shipped with Perl). Windows versions are available, such as from Cygwin or other packages that can be found by searching the internet.

  • Most downloads from the Eclipse or Equinox Project have an associated link, labeled such as "[SHA512]", to a *.sha512 file containing the file's SHA-2 512 checksum. It is a long checksum, 128 hexadecimal characters ... too long for "visual confirmation", but there are some easy ways to programmatically confirm your download matches the checksum. Download both the desired zip, jar, or tar.gz file and the corresponding .sha512 file to the same directory. Then use a tool such as those below to confirm that the checksum computed on your machine matches the value in the .sha512 file.
  • Using the shasum tool, execute a command such as
    shasum -c <zipfilename>.sha512
    The result "<zipfilename>: OK" means the downloaded file is complete and intact. There are several options available that allow more or less checking and automation, so read the 'help' for the tool for details.
  • Besides "command line" tools, Ant and other such "utility" languages usually provide similar ways to verify the integrity of a download. For an example from Ant, see the checksum task, or perhaps a better example is their "get-and-checksum" macro example (which, of course, would need modification to use for this case).
  • Be sure that, even if you get the large artifact from a nearby mirror (which is recommended), you still get the checksum file directly from "download.eclipse.org" -- since that is, after all, the whole point: to verify that the file you get is the same as the one that is on "download.eclipse.org". A checksum fetched from the same mirror as the artifact only proves the two files on that mirror agree with each other.
  • Some technical details, if anyone ever needs to know: currently, as of May, 2014, we produce our SHA512 checksums with 'sha512sum' program on SUSE Linux Enterprise Server 11 (x86_64), which reports its --version is 8.12 (from GNU coreutils) and its --help says "The sums are computed as described in FIPS-180-2".
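The check described above, written out as a small POSIX shell function so the individual failure reasons are visible (added here as an example; it is not a script from the Eclipse Platform project). It assumes the .sha512 file is in the format sha512sum writes, "<128 hex chars>  <filename>", and that either sha512sum or shasum is on the PATH. The file and function names are made up for the example.

```shell
#!/bin/sh
# verify_sha512 <archive> [<archive>.sha512]
# Compares the SHA-512 of a downloaded archive against the checksum in its
# companion .sha512 file, as "sha512sum -c" / "shasum -c" would.
# Exit status: 0 = checksum matches, 1 = mismatch, 2 = missing/malformed input.
verify_sha512() {
    archive=$1
    sumfile=${2:-$1.sha512}
    [ -f "$archive" ] || { echo "missing archive: $archive" >&2; return 2; }
    [ -f "$sumfile" ] || { echo "missing checksum file: $sumfile" >&2; return 2; }

    # Take only the first field of the first line: the hex digest. The file name
    # recorded in the .sha512 file may differ if the archive was renamed locally.
    expected=$(awk 'NR==1 {print tolower($1)}' "$sumfile")
    case "$expected" in
        ""|*[!0-9a-f]*) echo "malformed checksum file: $sumfile" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 128 ] || { echo "checksum is not a SHA-512 digest" >&2; return 2; }

    # Prefer GNU coreutils sha512sum; fall back to Perl's shasum (macOS, BSD).
    if command -v sha512sum >/dev/null 2>&1; then
        actual=$(sha512sum "$archive" | awk '{print $1}')
    else
        actual=$(shasum -a 512 "$archive" | awk '{print $1}')
    fi

    if [ "$actual" = "$expected" ]; then
        echo "$archive: OK"
        return 0
    fi
    echo "$archive: FAILED (expected $expected, got $actual)" >&2
    return 1
}
```

Fetch the .sha512 file from download.eclipse.org and the archive from whichever mirror you like; the function does not care where either came from, only that the digests agree.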


Deprecated methods for Eclipse Platform Project and Equinox

For the Luna release (June, 2014) the Eclipse Platform project and Equinox moved to providing SHA512 checksums for checking download integrity, since "md5" is known to be vulnerable and sha1 is in theory vulnerable (see bug 420010#c1 for references). Hence the following methods should be considered "deprecated" and will eventually disappear (follow bug 423714 for details). For a transition period, the md5 and sha1 checksums are still available from the same location they used to be, namely '<buildURL>/checksums/<filename>(.md5|.sha1)', so those with automated scripts won't break suddenly; but only the SHA512 is displayed as a link on the download page, it is the preferred method, and everyone should move to using it in automated scripts. All that said, the following instructions may still apply to other downloads from other areas of the Eclipse Foundation which have not yet moved to SHA-2, or to older builds from Eclipse or Equinox (there is currently no plan to retroactively change checksum files).

Downloads can be verified using md5sum or sha1sum, Unix command line tools provided in the GNU Coreutils package. Windows binary versions are available, such as from Cygwin or other packages that can be found by searching the internet.

  • Most downloads have an associated link "(md5)" to a *.md5 file containing its MD5 checksum and another link "(sha1)" to a *.sha1 file containing its SHA1 checksum. Download these files, such as from the main Eclipse Foundation's packages downloads page (the checksums are available on the page where you select a mirror, but the checksums come directly from "eclipse.org", not the mirror). Put those checksum files into the same directory as the downloaded archive (zip or tar.gz) file.
  • Using the tools described at the beginning of this page, execute a command such as "md5sum -c <zipfilename>.md5" or "sha1sum -c <zipfilename>.sha1". The result "<zipfilename>: OK" means the downloaded file is complete and intact.