[cairo] pixman SHA1 checksum failure

Keith Packard keithp at keithp.com
Tue Dec 2 07:50:58 PST 2008 

On Tue, 2008-12-02 at 02:40 -0500, Ben Stern wrote:
> I have downloaded pixman 0.13.2 from http://www.cairographics.org/releases/
> and have run into a problem.
> 
> bstern at farad:/usr/local/src$ gpg --verify pixman-0.13.2.tar.gz.sha1.asc ; \
>     cat pixman-0.13.2.tar.gz.sha1; sha1sum pixman-0.13.2.tar.gz
> gpg: Signature made Wed 26 Nov 2008 01:00:04 AM EST using DSA key ID 096C4DD3
> gpg: Good signature from "Keith Packard <keithp at keithp.com>"
> gpg:                 aka "Keith Packard <keithp at debian.org>"
> gpg:                 aka "Keith Packard <keithp at freedesktop.org>"
> gpg:                 aka "Keith Packard <keith.packard at intel.com>"
> gpg:                 aka "[jpeg image of size 3550]"
> bstern at farad:/usr/local/src$ cat pixman-0.13.2.tar.gz.sha1
> c5ad136f77169661a97a3e52b1b7096ee2230d47  pixman-0.13.2.tar.gz
> bstern at farad:/usr/local/src$ sha1sum pixman-0.13.2.tar.gz
> 755a5f297ee4619a28983be1c2a81aac24c02b62  pixman-0.13.2.tar.gz
> 
> The sums aren't matching.  I tried re-downloading, but am still getting the
> same wrong checksum.

Something is wrong with the pixman release process, that's for sure. I
just re-checksumed the pixman-0.13.2.tar.gz here on my disk and also
looked at the pixman-0.13.2.tar.gz.sha1:

$ cat pixman-0.13.2.tar.gz.sha1; sha1sum pixman-0.13.2.tar.gz
755a5f297ee4619a28983be1c2a81aac24c02b62  pixman-0.13.2.tar.gz
755a5f297ee4619a28983be1c2a81aac24c02b62  pixman-0.13.2.tar.gz

I also found my original release note:

Hashes:
        MD5:  837df4a02c61a60a880644393b57faed  pixman-0.13.2.tar.gz
        MD5:  4b03b556bb0da245eedf74437c3a6158  pixman-0.13.2.tar.bz2
        SHA1: 755a5f297ee4619a28983be1c2a81aac24c02b62  pixman-0.13.2.tar.gz
        SHA1: 395667fec46e8ecea87e1293982707c928d4fe08  pixman-0.13.2.tar.bz2

You should have a copy of this as well, also signed with my gpg key.

> I have confirmed the output with "openssl sha1" and the checksums still
> don't match.  Is something wrong with the download, or is there something
> amiss on the cairographics server?

I suspect the pixman release script is broken in some way, perhaps Søren
can figure it out?

Thanks for checking these files; once we sort out what's up with the
release process, I'll replace the checksum files on the server.

-- 
keith.packard at intel.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.cairographics.org/archives/cairo/attachments/20081202/45ccafcf/attachment.pgp

More information about the cairo mailing list