Platform-releng/How to check integrity of downloads

Revision as of 10:27, 19 May 2014 by David williams.acm.org (Talk | contribs) (Initial start of re-write.)

Verifying integrity of downloads

Downloads can be verified using sha512sum, a Unix command line tool provided in the GNU Coreutils package. Windows versions are available, for example from Cygwin [ref] or other packages. [Mac ref?]

  • Most downloads have an associated link "[SHA512]" to a *.SHA512 file containing its SHA-512 checksum. Download these files, for example from the Eclipse download page or the main Eclipse Foundation's packages downloads page (the checksums are available on the page where you select a mirror, but the checksums come directly from "eclipse.org", not the mirror). Put those checksum files into the same directory as the downloaded archive (zip, jar, or tar.gz) file.
  • Using the sha512sum tool, execute a command such as "sha512sum -c <zipfilename>.sha512". The result "<zipfilename>: OK" means the downloaded file is complete and intact.
  • Besides "command line" tools, Ant and other such "utility" languages usually provide similar ways to verify the integrity of a download. [ref].
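
A fail-closed form of the check above for use in automated scripts, as an added example that is not part of the original wiki page or of Eclipse tooling: it compares the digest itself rather than the file name recorded in the checksum file, and treats a missing or malformed checksum file as an error. The function names, the `<archive>.sha512` naming and the `shasum -a 512` fallback for systems without `sha512sum` are assumptions.

```shell
#!/bin/sh
# Added example; verify_download and sha512_of are hypothetical helper names.

# Print the SHA-512 digest of a file, using whichever tool is installed.
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | awk '{print $1}'
    else
        shasum -a 512 "$1" | awk '{print $1}'   # assumed fallback (Perl shasum)
    fi
}

# Returns 0 = digest matches, 1 = mismatch, 2 = check could not be performed.
verify_download() {
    archive=$1
    sumfile=${2:-$archive.sha512}   # assumed naming: <archive>.sha512

    [ -f "$archive" ] || { echo "$archive: no such file" >&2; return 2; }
    [ -s "$sumfile" ] || { echo "$sumfile: missing or empty" >&2; return 2; }

    # First field of the first line is the expected digest. Require exactly
    # 128 hex characters so that a truncated file, or an HTML error page
    # saved in place of the checksum, is rejected instead of compared.
    expected=$(awk 'NR==1 {print tolower($1)}' "$sumfile")
    case $expected in
        ''|*[!0-9a-f]*) echo "$sumfile: not a SHA-512 checksum" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 128 ] || { echo "$sumfile: wrong digest length" >&2; return 2; }

    actual=$(sha512_of "$archive")
    if [ "$actual" = "$expected" ]; then
        echo "$archive: OK"
        return 0
    fi
    echo "$archive: FAILED" >&2
    return 1
}

# Usage: sh verify.sh <archive> [<checksum file>]
if [ "$#" -gt 0 ]; then
    verify_download "$@"
fi
```

A calling script should stop on any non-zero status, not only on status 1, so that an unverifiable download is never unpacked.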


Deprecated

For the Luna release (June, 2014) the Eclipse Platform project moved to providing SHA-512 checksums for checking download integrity, since "md5" is known to be vulnerable, and sha1 is in theory vulnerable (see bug 420010#c1 for references). Hence the following methods should be considered "deprecated" and will eventually disappear (follow bug 423714 for details). For a transition period, the md5 and sha1 checksums are still available from the same location as before, namely '<buildURL>/checksums/', so that existing automated scripts won't break suddenly, but only the SHA-512 checksum is displayed as a link on the download page, and it is the preferred method that everyone should move to.

Downloads can be verified using md5sum or sha1sum, Unix command line tools provided in the GNU Textutils package. Windows binary versions are available, for example at etree.org.

  • Most downloads have an associated link "(md5)" to a *.md5 file containing its MD5 checksum and another link "(sha1)" to a *.sha1 file containing its SHA1 checksum. Download these files, for example from the Eclipse download page or the main Eclipse Foundation's packages downloads page (the checksums are available on the page where you select a mirror, but the checksums come directly from "eclipse.org", not the mirror). Put those checksum files into the same directory as the downloaded archive (zip or tar.gz) file.
  • Using the tools described at the beginning of this page, execute a command such as "md5sum -c <zipfilename>.md5" or "sha1sum -c <zipfilename>.sha1". The result "<zipfilename>: OK" means the downloaded file is complete and intact.
