| msg337502 - (view) |
Author: (andrejs-sisojevs-accenture) |
Date: 2019-03-08 16:14 |
| On download page https://www.python.org/downloads/release/python-2716/ MD5 checksum for "Windows x86-64 MSI installer" is 2fe86194bb4027be75b29852027f1a79 But download file checksum is `2841e92ba89a6f036305a8a07fbe9d18`. Checksum calculated on 2 different machines (Windows and MacOS), both strongly protected by antiviruses. |
|
|
| msg337504 - (view) |
Author: (andrejs-sisojevs-accenture) |
Date: 2019-03-08 16:16 |
| Checksum for earlier v2.7.15 is fine. |
|
|
| msg337510 - (view) |
Author: Karthikeyan Singaravelan (xtreak) *  |
Date: 2019-03-08 16:42 |
| The download page linked doesn't contain checksum 2fe86194bb4027be75b29852027f1a79. The checksum in the page is 2841e92ba89a6f036305a8a07fbe9d18 and I can confirm that the downloaded binary also has the correct checksum as below : karthi@ubuntu-s-1vcpu-1gb-blr1-01:~$ wget https://www.python.org/ftp/python/2.7.16/python-2.7.16.amd64.msi karthi@ubuntu-s-1vcpu-1gb-blr1-01:~$ md5sum python-2.7.16.amd64.msi 2841e92ba89a6f036305a8a07fbe9d18 python-2.7.16.amd64.msi From https://www.python.org/downloads/release/python-2716/ > Windows x86-64 MSI installer Windows for AMD64/EM64T/x64 2841e92ba89a6f036305a8a07fbe9d18 20348928 SIG |
|
|
| msg337512 - (view) |
Author: Jeremy Kloth (jkloth) * |
Date: 2019-03-08 16:49 |
| When I visit the provided link, I also see what OP describes. Is it a caching/location issue? I'm in US-Colorado. |
|
|
| msg337514 - (view) |
Author: Karthikeyan Singaravelan (xtreak) * |
Date: 2019-03-08 17:20 |
| Strange, when I visit the link again in new tab then it gives me the checksum as described by OP. But I still have the old tab open with which I wrote my comment that has 2841e92ba89a6f036305a8a07fbe9d18 (20348928 bytes) and wget at the time also had this checksum as in my comment. I am in India. |
|
|
| msg337525 - (view) |
Author: Steve Dower (steve.dower) * |
Date: 2019-03-08 19:22 |
| We updated the build to be properly code signed, but the CDN may still be caching the old release. Nothing has changed except the signature on the installer (Python 2 binaries have never been signed). I'll run a CDN purge to try and clear it up. |
|
|
| msg337526 - (view) |
Author: Steve Dower (steve.dower) * |
Date: 2019-03-08 19:27 |
| I redownloaded and confirmed that the files are correct. Benjamin - the MD5 for the 32-bit installer didn't get updated. It should be 912428345b7e0428544ec4edcdf70286 (as in my updated email I sent). |
|
|
| msg337577 - (view) |
Author: Benjamin Peterson (benjamin.peterson) * |
Date: 2019-03-09 19:18 |
| I think everything is correct now? |
|
|
| msg337578 - (view) |
Author: SilentGhost (SilentGhost) *  |
Date: 2019-03-09 19:34 |
| I still see 2fe86194bb4027be75b29852027f1a79 as checksum |
|
|
| msg337580 - (view) |
Author: Benjamin Peterson (benjamin.peterson) * |
Date: 2019-03-09 19:48 |
| That's correct. |
|
|
| msg337602 - (view) |
Author: (andrejs-sisojevs-accenture) |
Date: 2019-03-10 10:11 |
| Please confirm, that old "2fe86194bb4027be75b29852027f1a79" was valid in past (as opposed to be security compromised). We need to make sure, since some of our devs downloaded and used that version with unconfirmed checksum. |
|
|
| msg337603 - (view) |
Author: (andrejs-sisojevs-accenture) |
Date: 2019-03-10 10:20 |
| Oh, and also (please confirm) that 2841e92ba89a6f036305a8a07fbe9d18 was not security compromised. |
|
|
| msg337621 - (view) |
Author: Steve Dower (steve.dower) * |
Date: 2019-03-10 16:58 |
| Confirmed. Neither was compromised, the only change was that the previous MSI did not have an embedded Authenticode signature. I didn't even rebuild the MSI, tbh. I went back to my (secure, controlled) build machine and signed it manually. |
|
|