Issue 36241: MD5 checksum is not valid for v2.7.16 "Windows x86-64 MSI installer"

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

This issue has been migrated to GitHub: https://github.com/python/cpython/issues/80422

classification

Title:	MD5 checksum is not valid for v2.7.16 "Windows x86-64 MSI installer"
Type:		Stage:	resolved
Components:	Installation	Versions:	Python 2.7

process

Status:	closed	Resolution:	fixed
Dependencies:		Superseder:
Assigned To:		Nosy List:	SilentGhost, andrejs-sisojevs-accenture, benjamin.peterson, jkloth, steve.dower, xtreak
Priority:	normal	Keywords:

Created on 2019-03-08 16:14 by andrejs-sisojevs-accenture, last changed 2022-04-11 14:59 by admin. This issue is now closed.

Messages (13)
msg337502 - (view)	Author: (andrejs-sisojevs-accenture)	Date: 2019-03-08 16:14
On download page https://www.python.org/downloads/release/python-2716/ MD5 checksum for "Windows x86-64 MSI installer" is 2fe86194bb4027be75b29852027f1a79 But download file checksum is `2841e92ba89a6f036305a8a07fbe9d18`. Checksum calculated on 2 different machines (Windows and MacOS), both strongly protected by antiviruses.
msg337504 - (view)	Author: (andrejs-sisojevs-accenture)	Date: 2019-03-08 16:16
Checksum for earlier v2.7.15 is fine.
msg337510 - (view)	Author: Karthikeyan Singaravelan (xtreak) *	Date: 2019-03-08 16:42
The download page linked doesn't contain checksum 2fe86194bb4027be75b29852027f1a79. The checksum in the page is 2841e92ba89a6f036305a8a07fbe9d18 and I can confirm that the downloaded binary also has the correct checksum as below : karthi@ubuntu-s-1vcpu-1gb-blr1-01:~$ wget https://www.python.org/ftp/python/2.7.16/python-2.7.16.amd64.msi karthi@ubuntu-s-1vcpu-1gb-blr1-01:~$ md5sum python-2.7.16.amd64.msi 2841e92ba89a6f036305a8a07fbe9d18 python-2.7.16.amd64.msi From https://www.python.org/downloads/release/python-2716/ > Windows x86-64 MSI installer Windows for AMD64/EM64T/x64 2841e92ba89a6f036305a8a07fbe9d18 20348928 SIG
msg337512 - (view)	Author: Jeremy Kloth (jkloth) *	Date: 2019-03-08 16:49
When I visit the provided link, I also see what OP describes. Is it a caching/location issue? I'm in US-Colorado.
msg337514 - (view)	Author: Karthikeyan Singaravelan (xtreak) *	Date: 2019-03-08 17:20
Strange, when I visit the link again in new tab then it gives me the checksum as described by OP. But I still have the old tab open with which I wrote my comment that has 2841e92ba89a6f036305a8a07fbe9d18 (20348928 bytes) and wget at the time also had this checksum as in my comment. I am in India.
msg337525 - (view)	Author: Steve Dower (steve.dower) *	Date: 2019-03-08 19:22
We updated the build to be properly code signed, but the CDN may still be caching the old release. Nothing has changed except the signature on the installer (Python 2 binaries have never been signed). I'll run a CDN purge to try and clear it up.
msg337526 - (view)	Author: Steve Dower (steve.dower) *	Date: 2019-03-08 19:27
I redownloaded and confirmed that the files are correct. Benjamin - the MD5 for the 32-bit installer didn't get updated. It should be 912428345b7e0428544ec4edcdf70286 (as in my updated email I sent).
msg337577 - (view)	Author: Benjamin Peterson (benjamin.peterson) *	Date: 2019-03-09 19:18
I think everything is correct now?
msg337578 - (view)	Author: SilentGhost (SilentGhost) *	Date: 2019-03-09 19:34
I still see 2fe86194bb4027be75b29852027f1a79 as checksum
msg337580 - (view)	Author: Benjamin Peterson (benjamin.peterson) *	Date: 2019-03-09 19:48
That's correct.
msg337602 - (view)	Author: (andrejs-sisojevs-accenture)	Date: 2019-03-10 10:11
Please confirm, that old "2fe86194bb4027be75b29852027f1a79" was valid in past (as opposed to be security compromised). We need to make sure, since some of our devs downloaded and used that version with unconfirmed checksum.
msg337603 - (view)	Author: (andrejs-sisojevs-accenture)	Date: 2019-03-10 10:20
Oh, and also (please confirm) that 2841e92ba89a6f036305a8a07fbe9d18 was not security compromised.
msg337621 - (view)	Author: Steve Dower (steve.dower) *	Date: 2019-03-10 16:58
Confirmed. Neither was compromised, the only change was that the previous MSI did not have an embedded Authenticode signature. I didn't even rebuild the MSI, tbh. I went back to my (secure, controlled) build machine and signed it manually.

History
Date	User	Action	Args
2022-04-11 14:59:12	admin	set	github: 80422
2019-03-10 16:58:19	steve.dower	set	messages: + msg337621
2019-03-10 10:20:49	andrejs-sisojevs-accenture	set	messages: + msg337603
2019-03-10 10:11:46	andrejs-sisojevs-accenture	set	messages: + msg337602
2019-03-09 19:58:33	SilentGhost	set	status: open -> closed resolution: fixed stage: resolved
2019-03-09 19:48:55	benjamin.peterson	set	messages: + msg337580
2019-03-09 19:34:02	SilentGhost	set	nosy: + SilentGhost messages: + msg337578
2019-03-09 19:18:26	benjamin.peterson	set	messages: + msg337577
2019-03-08 19:27:58	steve.dower	set	messages: + msg337526
2019-03-08 19:22:45	steve.dower	set	messages: + msg337525
2019-03-08 17:20:51	xtreak	set	messages: + msg337514
2019-03-08 16:49:41	jkloth	set	nosy: + jkloth messages: + msg337512
2019-03-08 16:42:11	xtreak	set	nosy: + xtreak, steve.dower messages: + msg337510
2019-03-08 16:35:47	xtreak	set	nosy: + benjamin.peterson
2019-03-08 16:16:32	andrejs-sisojevs-accenture	set	messages: + msg337504
2019-03-08 16:14:06	andrejs-sisojevs-accenture	create