classification
Title: MD5 checksum is not valid for v2.7.16 "Windows x86-64 MSI installer"
Type:
Stage: resolved
Components: Installation
Versions: Python 2.7
process
Status: closed
Resolution: fixed
Dependencies:
Superseder:
Assigned To:
Nosy List: SilentGhost, andrejs-sisojevs-accenture, benjamin.peterson, jkloth, steve.dower, xtreak
Priority: normal
Keywords:

Created on 2019-03-08 16:14 by andrejs-sisojevs-accenture, last changed 2019-03-10 16:58 by steve.dower. This issue is now closed.

Messages (13)
msg337502 - (view) Author: (andrejs-sisojevs-accenture) Date: 2019-03-08 16:14
On the download page
https://www.python.org/downloads/release/python-2716/
MD5 checksum for "Windows x86-64 MSI installer" is 2fe86194bb4027be75b29852027f1a79

But the downloaded file's checksum is `2841e92ba89a6f036305a8a07fbe9d18`.
The checksum was calculated on 2 different machines (Windows and macOS), both strongly protected by antiviruses.
msg337504 - (view) Author: (andrejs-sisojevs-accenture) Date: 2019-03-08 16:16
Checksum for earlier v2.7.15 is fine.
msg337510 - (view) Author: Karthikeyan Singaravelan (xtreak) * (Python triager) Date: 2019-03-08 16:42
The download page linked doesn't contain checksum 2fe86194bb4027be75b29852027f1a79. The checksum on the page is 2841e92ba89a6f036305a8a07fbe9d18 and I can confirm that the downloaded binary also has the correct checksum, as below:

karthi@ubuntu-s-1vcpu-1gb-blr1-01:~$ wget https://www.python.org/ftp/python/2.7.16/python-2.7.16.amd64.msi
karthi@ubuntu-s-1vcpu-1gb-blr1-01:~$ md5sum python-2.7.16.amd64.msi
2841e92ba89a6f036305a8a07fbe9d18  python-2.7.16.amd64.msi

From https://www.python.org/downloads/release/python-2716/

> Windows x86-64 MSI installer Windows for AMD64/EM64T/x64 2841e92ba89a6f036305a8a07fbe9d18 	20348928 SIG
msg337512 - (view) Author: Jeremy Kloth (jkloth) * Date: 2019-03-08 16:49
When I visit the provided link, I also see what OP describes.

Is it a caching/location issue?  I'm in US-Colorado.
msg337514 - (view) Author: Karthikeyan Singaravelan (xtreak) * (Python triager) Date: 2019-03-08 17:20
Strange, when I visit the link again in a new tab, it gives me the checksum as described by OP. But I still have the old tab open, in which I wrote my comment, that has 2841e92ba89a6f036305a8a07fbe9d18 (20348928 bytes), and wget at the time also had this checksum, as in my comment. I am in India.
msg337525 - (view) Author: Steve Dower (steve.dower) * (Python committer) Date: 2019-03-08 19:22
We updated the build to be properly code signed, but the CDN may still be caching the old release.

Nothing has changed except the signature on the installer (Python 2 binaries have never been signed). I'll run a CDN purge to try and clear it up.
msg337526 - (view) Author: Steve Dower (steve.dower) * (Python committer) Date: 2019-03-08 19:27
I redownloaded and confirmed that the files are correct.

Benjamin - the MD5 for the 32-bit installer didn't get updated. It should be 912428345b7e0428544ec4edcdf70286 (as in my updated email I sent).
msg337577 - (view) Author: Benjamin Peterson (benjamin.peterson) * (Python committer) Date: 2019-03-09 19:18
I think everything is correct now?
msg337578 - (view) Author: SilentGhost (SilentGhost) * (Python triager) Date: 2019-03-09 19:34
I still see 2fe86194bb4027be75b29852027f1a79 as checksum
msg337580 - (view) Author: Benjamin Peterson (benjamin.peterson) * (Python committer) Date: 2019-03-09 19:48
That's correct.
msg337602 - (view) Author: (andrejs-sisojevs-accenture) Date: 2019-03-10 10:11
Please confirm that the old "2fe86194bb4027be75b29852027f1a79" was valid in the past (as opposed to being security compromised). We need to make sure, since some of our devs downloaded and used that version with an unconfirmed checksum.
msg337603 - (view) Author: (andrejs-sisojevs-accenture) Date: 2019-03-10 10:20
Oh, and also (please confirm) that 2841e92ba89a6f036305a8a07fbe9d18 was not security compromised.
msg337621 - (view) Author: Steve Dower (steve.dower) * (Python committer) Date: 2019-03-10 16:58
Confirmed. Neither was compromised; the only change was that the previous MSI did not have an embedded Authenticode signature.

I didn't even rebuild the MSI, tbh. I went back to my (secure, controlled) build machine and signed it manually.
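
Added example, not part of the original thread or of any python.org tooling: the mismatch above came from a file re-published under the same URL while a cache still served the earlier build, so a download check that also knows the publisher-confirmed earlier digest can separate "stale copy" from "matches nothing published". The function names and sample bytes are assumptions made for illustration; MD5 appears only because it is the digest the release page lists.

```python
import hashlib
import hmac
import io


def file_digest(stream, algo="md5", chunk_size=1 << 16):
    """Hash a binary stream in chunks; return (hex digest, byte count)."""
    h = hashlib.new(algo)
    size = 0
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
        size += len(chunk)
    return h.hexdigest(), size


def classify_download(stream, current, superseded=(), algo="md5"):
    """Compare a download with the published (digest, size) entries.

    current:    (digest, size) published for the file right now.
    superseded: (digest, size) pairs the publisher has confirmed for
                earlier builds that were served under the same URL.
    """
    digest, size = file_digest(stream, algo)

    def same(entry):
        return hmac.compare_digest(digest, entry[0].lower()) and size == entry[1]

    if same(current):
        return "current"
    if any(same(e) for e in superseded):
        return "superseded"  # stale cached copy of a confirmed older build
    return "unknown"         # matches nothing published: do not install


# Constructed sample data (not real installer bytes): an unsigned build and
# the same payload re-published with a signature blob attached.
UNSIGNED = b"MSI-payload" * 1000
SIGNED = UNSIGNED + b"<constructed-signature-blob>"
CURRENT = file_digest(io.BytesIO(SIGNED))
SUPERSEDED = [file_digest(io.BytesIO(UNSIGNED))]

if __name__ == "__main__":
    for name, data in [("signed", SIGNED), ("unsigned", UNSIGNED),
                       ("altered", UNSIGNED + b"x")]:
        print(name, classify_download(io.BytesIO(data), CURRENT, SUPERSEDED))
```

A "superseded" result is only as trustworthy as the channel that supplied the earlier digest; in the thread that confirmation came from the release manager, and the embedded Authenticode signature is the stronger check for the re-signed file.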
History
Date | User | Action | Args
2019-03-10 16:58:19 | steve.dower | set | messages: + msg337621
2019-03-10 10:20:49 | andrejs-sisojevs-accenture | set | messages: + msg337603
2019-03-10 10:11:46 | andrejs-sisojevs-accenture | set | messages: + msg337602
2019-03-09 19:58:33 | SilentGhost | set | status: open -> closed; resolution: fixed; stage: resolved
2019-03-09 19:48:55 | benjamin.peterson | set | messages: + msg337580
2019-03-09 19:34:02 | SilentGhost | set | nosy: + SilentGhost; messages: + msg337578
2019-03-09 19:18:26 | benjamin.peterson | set | messages: + msg337577
2019-03-08 19:27:58 | steve.dower | set | messages: + msg337526
2019-03-08 19:22:45 | steve.dower | set | messages: + msg337525
2019-03-08 17:20:51 | xtreak | set | messages: + msg337514
2019-03-08 16:49:41 | jkloth | set | nosy: + jkloth; messages: + msg337512
2019-03-08 16:42:11 | xtreak | set | nosy: + xtreak, steve.dower; messages: + msg337510
2019-03-08 16:35:47 | xtreak | set | nosy: + benjamin.peterson
2019-03-08 16:16:32 | andrejs-sisojevs-accenture | set | messages: + msg337504
2019-03-08 16:14:06 | andrejs-sisojevs-accenture | create |