CMake source archive sha256sum changed

Samuel_Littley · April 25, 2025, 12:51pm

We download cmake from https://gitlab.kitware.com/cmake/cmake/-/archive/v3.25.2/cmake-v3.25.2.zip, and recently the sha256sum of the downloaded zip archive has changed (from d7d58a81effb962c42fe12d8c757092f6753484c33fb7e302065b4923ed01023 to 1da37e19013baa3c00f0a1c7c06a2d4ebe49be8dfca9de14396a052cdd406d8b).

The git tag seems to be pointing to a 2 year old commit, so I doubt that has been moved, so is there some other reason why the checksum would change? Did the Gitlab instance get updated recently? Unfortunately we don’t have a copy of the old archive to actually look for differences.

Samuel_Littley · April 25, 2025, 1:06pm

Okay, actually managed to find a copy of the old zip archive that was hanging around in an old workspace. It looks like the contents are identical (both from comparing the unpacked source tree and comparing the CRC-32 checksums in the archive), but that files were compressed differently.

brad.king · April 25, 2025, 3:16pm

That URL is provided by GitLab and the archive it provides is computed on-demand. It’s not meant to be a stable archive.

The official release tarballs and binaries are available here. They have gpg-signed sha256 sums too.

Samuel_Littley · April 25, 2025, 3:34pm

Ahhh, awesome, thank you!