CMake source archive sha256sum changed

We download cmake from https://gitlab.kitware.com/cmake/cmake/-/archive/v3.25.2/cmake-v3.25.2.zip, and recently the sha256sum of the downloaded zip archive has changed (from d7d58a81effb962c42fe12d8c757092f6753484c33fb7e302065b4923ed01023 to 1da37e19013baa3c00f0a1c7c06a2d4ebe49be8dfca9de14396a052cdd406d8b).

The git tag seems to be pointing to a 2 year old commit, so I doubt that has been moved, so is there some other reason why the checksum would change? Did the Gitlab instance get updated recently? Unfortunately we don’t have a copy of the old archive to actually look for differences.

Okay, actually managed to find a copy of the old zip archive that was hanging around in an old workspace. It looks like the contents are identical (both from comparing the unpacked source tree and comparing the CRC-32 checksums in the archive), but that files were compressed differently.

That URL is provided by GitLab and the archive it provides is computed on-demand. It’s not meant to be a stable archive.

The official release tarballs and binaries are available here. They have gpg-signed sha256 sums too.

1 Like

Ahhh, awesome, thank you!