incubator-ooo-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rob Weir <>
Subject Re: Wrong checksum and unknown publisher
Date Thu, 14 Jun 2012 14:24:26 GMT
On Thu, Jun 14, 2012 at 8:42 AM, J B <> wrote:
> Dear technicians,


> I suspect you have some kind of trojan problem.
> *First clue*
> I deinstalled your software and I was directed to your survey webpage. But
> the page was unavailable.

It was not necessary to uninstall the previous version of OOo before
installing Apache OpenOffice 3.4, but if you did that would be the
expected behavior.  When the project moved to Apache we turned off the
survey collection that Sun had until we could figure out whether we
wanted it and if we did how to handle the data protection and data
privacy aspects of this.  So the error was expected

> *Second clue*
> When reinstalling, Windows said that the publisher was unknown. Normally it
> says your organisation.

Prior versions were built and digitally signed by Sun.  AOO 3.4 did
not have an Authenticode digital signature.  Instead Apache projects
provide a detached PGP/GPG digital signature.  However, these
signatures are more understood in the Linux admin world, and are not
recognized by Microsoft Windows.  Thus the warning you see with AOO
3.4.  We're looking into providing an Authenticode signature for
future releases to avoid this issue.

> Then I did a checksum and it did not match.
> ( Should be:  a919dc6c480feee7748a63d5d4d03f85
>  Apache_OpenOffice_incubating_3.4.0_Win_x86_langpack_en-US.exe
>  But is:           089966F62006BA94E540A9BBB3E6056A
> C:\Users\Koblenz\Downloads\Apache_OpenOffice_incubating_3.4.0_Win_x86_install_en-US.exe)

Where are you finding the "should be" checksums?  The checksum for the
en_US version is here:

I just downloaded the en_US version of AOO 3.4 and the md5 checksums matched.

> Could be that you have two different files.  But it is suspicious.
> (I did the same check with the Dutch files)
> Do you have a download link that I can totally trust?
> And - very important - should the publisher be known?

The checksum files are on our most trusted server.  So those come
directly from Apache, not via an operator of a mirror. There is always
the theoretical possibility of a rogue mirror operator, or corruption
caused during or after your download.  But if you verify against the
checksums hosted on, you protect against that.


> Regards,
> Jeroen
> Holland

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message