[Libreoffice-bugs] [Bug 108593] New: Hash values on info page don' t match when downloading from https://www.libreoffice.org/download/ download/
bugzilla-daemon at bugs.documentfoundation.org
bugzilla-daemon at bugs.documentfoundation.org
Sat Jun 17 17:34:01 UTC 2017
https://bugs.documentfoundation.org/show_bug.cgi?id=108593
Bug ID: 108593
Summary: Hash values on info page don't match when downloading
from https://www.libreoffice.org/download/download/
Product: LibreOffice
Version: 5.3.0.3 release
Hardware: x86-64 (AMD64)
OS: Windows (All)
Status: UNCONFIRMED
Severity: normal
Priority: medium
Component: LibreOffice
Assignee: libreoffice-bugs at lists.freedesktop.org
Reporter: old.skool at flymediaproductions.com
Description:
This is my first time doing this, please bare with me.
I downloaded LibreOffice from https://www.libreoffice.org/download/download/
for Microsoft Windows 10 version (LibreOffice_5.3.3_Win_x86.msi).
The hash values for SHA256 and SHA1 that are listed on the info page did NOT
match when I computed the checksums for the .msi file. The hash values I used
where located here
http://download.documentfoundation.org/libreoffice/stable/5.3.3/win/x86/LibreOffice_5.3.3_Win_x86.msi.mirrorlist
To compute the checksums and compare the hash values I used a tool I created
for that purpose using Windows PowerShell. I've made it freely available on
GitHub as open source software here:
https://github.com/FlyDuoATL/powershell-compare-hash
Steps to Reproduce:
1. Download the .msi from LibreOffice
2. Run the utility I linked to on GitHub to create the checksum for the msi
3. The utility will then compare the generated checksum with the hash values
listed on the .msi download "info" page.
4. Repeat steps 2 and 3 for each different hash type, ie: SHA256, SHA-1, MD5.
5. The tool will output whether the generated checksum value and the hash
values provided by LibreOffice are a match.
I ran this several times to be sure and they did NOT all match.
Actual Results:
Some of the hash types did not match with the generated checksum value for the
.msi I downloaded.
Expected Results:
The hash values and the generated checksums should have all matched exactly for
each type: SHA-256, SHA-1, MD5.
Reproducible: Always
User Profile Reset: No
Additional Info:
I did not install the software because the hash values and the generated
checksums did not match. This problem is purely about the downloaded file's
various hash values and the generated checksums from that file not matching
correctly as they should.
I would assume this may be a critical problem because I was under the
impression it may mean that somehow the software got corrupted or the software
being downloaded is not the correct legit software from the LibreOffice team.
I know this type of thing happened with the HandBrake project (video encoding
software) and it was a security issue, someone had been changing the downloaded
software to a version that had malware, but for the MacOS version of the
software only. This page
(https://forum.handbrake.fr/viewtopic.php?f=33&t=36399&p=171143&hilit=hash#p171143)
has the information for that particular situation for comparison, I hope it's
helpful.
Regarding LibreOffice, of course I have no idea at all what the cause of this
is. This is NOT my area of expertise by any means. I do hope that this is
helpful for your development team.
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101
Firefox/54.0
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/libreoffice-bugs/attachments/20170617/57646ea7/attachment-0001.html>
More information about the Libreoffice-bugs
mailing list