wrong checksums on main page, good on non ssl mirror

piotrek9776 · November 10, 2017, 2:07am

i just downloaded the image
openSUSE-Tumbleweed-GNOME-Live-x86_64-Snapshot20171107-Media.iso

from 2 different locations:

1 main page: http://download.opensuse.org/tumbleweed/iso/openSUSE-Tumbleweed-GNOME-Live-x86_64-Current.iso
2 mirror: http://ftp.icm.edu.pl/pub/Linux/opensuse/tumbleweed/iso/openSUSE-Tumbleweed-GNOME-Live-x86_64-Snapshot20171107-Media.iso

i also downloaded sha256 from main page: http://download.opensuse.org/tumbleweed/iso/openSUSE-Tumbleweed-GNOME-Live-x86_64-Current.iso.sha256
gpg signatures are ok, but checksums are wrong

wrong sums stated in files: 8c5a546c387ab61bdedb9ea7e03604f1bd00a8cb5c729e9894beb1b8919f9878
but in fact they are e9468e6691c0da799c5c4b841f400321eee50a2d669ebddb97c8280ff1b5c015 as stated on non ssl mirror page: http://download.opensuse.org/tumbleweed/iso/openSUSE-Tumbleweed-GNOME-Live-x86_64-Snapshot20171107-Media.iso?mirrorlist

but the mirror page provides just sha256 with any signature

tannington · November 10, 2017, 3:36pm

Depending upon when the mirrors updated… they might not have been the same snapshot. From the main download page “current” might have been Snapshot20171108

tsu2 · November 10, 2017, 4:55pm

As I posted in another recent Forum thread,
Those are two different images, so no wonder the checksum won’t match(You’ll need to download a different checksum for the “Snapshot” image).

“Current” is the main officially released image.
“Snapshot” is an intermediate image released between official images.

For the checksum you’re comparing, you have to compare two “Current” images, possibly downloaded as close to the same time as possible.

TSU