Suspicious downloads - checksums wrong

bensummers · October 14, 2017, 6:29pm

I’ve just downloaded Aspose.Total_for_Java.zip from:

https://downloads.aspose.com/total/java/new-releases/aspose.total-for-java/

The file I get has different checksums to those listed on the downloads page:

SHA1(Aspose.Total_for_Java.zip)= 737222b744600888a74ca85200b821d3f614c661
MD5(Aspose.Total_for_Java.zip)= 05814de0b80023bf04d51b278fe4a0c0

I am concerned the download is compromised. Could you confirm the correct checksums (from the originals, not by trying the same download yourself.)

Thank you,

Ben

imran.rafique · October 15, 2017, 8:44pm

@bensummers,
We are in-progress to verify the checksums and will let you know once an update is available.

imran.rafique · October 16, 2017, 6:34am

@bensummers,

How you are extracting checksums? I have tried with the WinMD5Free tool and it returns the same MD5 checksum as listed on the download page.

ben.summers · November 24, 2021, 12:36pm

I’m using openssl on Mac OS, like:

$ openssl sha1 Aspose.Total_for_Java.zip
SHA1(Aspose.Total_for_Java.zip)= 737222b744600888a74ca85200b821d3f614c661

$ openssl md5 Aspose.Total_for_Java.zip
MD5(Aspose.Total_for_Java.zip)= 05814de0b80023bf04d51b278fe4a0c0

On the download page, the checksums are given as b943875dbe295893a344a19534837db468953b4e and 101bc265876942737f468b4c8de2714b respectively.

The URL I downloaded is https://s3-us-west-2.amazonaws.com/aspose.files/Aspose.Total-Product-Family/Aspose.Total-for-Java/2938dc06618c4d2e914a846015d54a69/New-Releases/Aspose.Total_for_Java.zip?AWSAccessKeyId=AKIAJ3IWQHR2VPPUU4AA&Expires=1508146672&Signature=Yl2W8TJgWJkdGD7USW5BkS2%2FDUQ%3D, https://downloads.aspose.com/total/java/new-releases/aspose.total-for-java/

Thanks.

imran.rafique · October 17, 2017, 1:26pm

@bensummers,

We are in communication with the concerned team and will get back to you once an update is available.

imran.rafique · October 19, 2017, 4:04pm

@ben.summers,

The checksum issue has been fixed and you can now find the same SHA1 and MD5 checksums on the download page.

bensummers · October 19, 2017, 4:17pm

Thanks!

Could you confirm these checksums were computed from the original files?

(NOT computed from the files on the public download link, which would not detect corruption or compromise.)

imran.rafique · October 19, 2017, 10:47pm

@bensummers,

On the download page, you can see that the listed checksums are same as (737222b744600888a74ca85200b821d3f614c661 and 05814de0b80023bf04d51b278fe4a0c0) you detected with openssl. However, we have sent an inquiry for the confirmation purposes and will let you know once an update is available.

imran.rafique · October 22, 2017, 6:52pm

@bensummers,

Please note, the listed SHA1 and MD5 values on the download page are new and these values are computed from the original file.

ben.summers · October 25, 2017, 3:14pm

Thank you, much appreciated.