
Difference between revisions of "Platform-releng/How to check integrity of downloads"

m (Verifying integrity of downloads from the Eclipse Platform Project)
m (Deprecated methods for Eclipse Platform Project and Equinox)
Line 12: Line 12:
  
 
=== Deprecated methods for Eclipse Platform Project and Equinox ===
 
=== Deprecated methods for Eclipse Platform Project and Equinox ===
'''For the Luna release (June, 2014) the Eclipse Platform project moved to provide SHA515 checksums for to check download integrity, since "md5" is known to be vulnerable, and sha1 is in theory vulnerable (see {{bug|420010#c1}} for references). Hence the following methods should be considered "deprecated" and will eventually disappear (follow {{bug|423714}} for details). For a transition period, the md5 and sha1 checksums are still available from same location that they used to be, namely '<buildURL>/checksums/*(.md5|.sha1)' so those with automated scripts won't break suddenly, but only the SHA515 is displayed as a link on download page, and is the preferred method, that everyone should move to. All that said, the following instructions may still apply to other downloads from other areas of the Eclipse Foundation, which have not yet moved to SHA-2.'''
+
'''For the Luna release (June, 2014) the Eclipse Platform project and Equinox moved to provide SHA515 checksums for to check download integrity, since "md5" is known to be vulnerable, and sha1 is in theory vulnerable (see {{bug|420010#c1}} for references). Hence the following methods should be considered "deprecated" and will eventually disappear (follow {{bug|423714}} for details). For a transition period, the md5 and sha1 checksums are still available from same location that they used to be, namely '<buildURL>/checksums/<filname>(.md5|.sha1)' so those with automated scripts won't break suddenly, but only the SHA515 is displayed as a link on download page, and is the preferred method and that everyone should move to use that, in automated scripts. All that said, the following instructions may still apply to other downloads from other areas of the Eclipse Foundation, which have not yet moved to SHA-2.'''
  
 
Downloads can be verified using md5sum or sha1sum, a Unix command line tool provided
 
Downloads can be verified using md5sum or sha1sum, a Unix command line tool provided
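
Review bot: the added paragraph still writes "SHA515" (twice) where the digest is SHA-512, and it introduces "<filname>" in the checksum path, which should read "<filename>"; since this sentence tells people what their automated scripts should fetch, both need to be exact. The wording "for to check download integrity" and "is the preferred method and that everyone should move to use that, in automated scripts" should also be cleaned up, for example "is the preferred method, which everyone should move to, including in automated scripts".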

Revision as of 19:58, 19 May 2014

Verifying integrity of downloads from the Eclipse Platform Project and Equinox

Downloads can be verified using sha512sum, a Unix command line tool provided in the GNU Coreutils package. Windows versions are available, for example from Cygwin or other packages that can be found by searching the internet.

  • Most downloads from the Eclipse Project have an associated link, "[SHA512]", to a *.sha512 file containing the file's SHA-512 checksum. Download these files, for example from the Eclipse download page, and put them into the same directory as the downloaded archive (zip, jar, or tar.gz) file.
  • Using the sha512sum tool, execute a command such as "sha512sum -c <zipfilename>.sha512". The result "<zipfilename>: OK" means the downloaded file is complete and intact.
  • Besides "command line" tools, Ant and other such "utility" languages usually provide similar ways to verify the integrity of a download. For an example from Ant, see the checksum task.
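
The steps above as a script for automated use. This is an added example, not part of the original wiki page or the Eclipse project's own scripts; the function name verify_download is hypothetical, and it assumes the *.sha512 file sits next to the archive and uses sha512sum's "hash  filename" line format.

```shell
#!/bin/sh
# Added example: verify an archive against its .sha512 file (GNU Coreutils sha512sum).

# verify_download ARCHIVE
# Returns 0 only if ARCHIVE.sha512 exists, names ARCHIVE, and the hash matches.
# Other codes: 1 hash mismatch, 2 archive missing, 3 no .sha512, 4 wrong file listed.
verify_download() {
    archive=$1
    dir=$(dirname -- "$archive")
    name=$(basename -- "$archive")
    sumfile="$name.sha512"

    # Subshell: the caller's working directory is left untouched.
    # sha512sum -c resolves the file name inside the checksum file relative to cwd.
    (
        cd -- "$dir" || exit 2
        if [ ! -f "$name" ]; then
            echo "missing archive: $name" >&2; exit 2
        fi
        if [ ! -f "$sumfile" ]; then
            # Deliberately no fallback to the deprecated .md5/.sha1 files.
            echo "missing $sumfile (md5/sha1 are deprecated and not used)" >&2; exit 3
        fi
        # The first line of the checksum file must refer to this archive;
        # otherwise "OK" could be reported for a different file listed in it.
        listed=$(awk 'NR==1 { sub(/^[0-9a-fA-F]+ [ *]/, ""); print }' "$sumfile")
        if [ "$listed" != "$name" ]; then
            echo "$sumfile lists '$listed', expected '$name'" >&2; exit 4
        fi
        # Prints "<name>: OK" and exits 0 on a match, non-zero otherwise.
        sha512sum -c "$sumfile"
    )
}

# Stand-alone use: sh verify.sh path/to/archive.zip
if [ "$#" -gt 0 ]; then
    verify_download "$1"
fi
```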


Deprecated methods for Eclipse Platform Project and Equinox

For the Luna release (June, 2014) the Eclipse Platform project and Equinox moved to providing SHA-512 checksums for checking download integrity, since "md5" is known to be vulnerable and sha1 is in theory vulnerable (see bug 420010#c1 for references). Hence the following methods should be considered "deprecated" and will eventually disappear (follow bug 423714 for details). For a transition period, the md5 and sha1 checksums are still available from the same location they used to be, namely '<buildURL>/checksums/<filename>(.md5|.sha1)', so that automated scripts won't break suddenly, but only the SHA-512 checksum is displayed as a link on the download page. It is the preferred method, and everyone should move to it, including in automated scripts. All that said, the following instructions may still apply to other downloads from other areas of the Eclipse Foundation, which have not yet moved to SHA-2.

Downloads can be verified using md5sum or sha1sum, Unix command line tools provided in the GNU Coreutils package. Windows binary versions are available, for example from Cygwin or other packages that can be found by searching the internet.

  • Most downloads have an associated link "(md5)" to a *.md5 file containing its MD5 checksum and another link "(sha1)" to a *.sha1 file containing its SHA1 checksum. Download these files, such as from the main Eclipse Foundation's packages downloads page (the checksums are available on the page where you select a mirror, but the checksums come directly from "eclipse.org", not the mirror). Put those checksum files into the same directory as the downloaded archive (zip or tar.gz) file.
  • Using the tools described at the beginning of this page, execute a command such as "md5sum -c <zipfilename>.md5" or "sha1sum -c <zipfilename>.sha1". The result "<zipfilename>: OK" means the downloaded file is complete and intact.
