[pca] how to verify md5(from CHECKSUMS file) of patches downloaded

Martin Paul martin at par.univie.ac.at
Thu Dec 16 09:52:06 CET 2010


Michele Vecchiato wrote:
> Ok, I'm a paranoid person ;-), but how does pca verify that the patch
> downloaded from Oracle site is not corrupt?

Simple answer - it doesn't. I have made experiments with JAR patches in the past 
(which are cryptographically signed), but the procedures to verify the 
signatures weren't stable enough to integrate them into PCA.

A (low) level of protection against corruption is that PCA checks whether unzip 
can extract the file successfully. No idea against how much corruption this 
protects, but it's better than nothing.

> Now where am I wrong? Because I don't understand that there are over
> 2130 patches in my cache pca-proxy server, for 145 it cannot find the MD5
> file checksums, and 10 have a different MD5 (patch corrupted) from that
> contained in the file CHECKSUMS.

I have run the same test. Of 4387 patch zip files on my proxy 161 are missing in 
the CHECKSUMS file and 1662 (!) have a different checksum.

The reason (or at least one reason) for differing checksums is that Sun/Oracle 
sometimes changes a patch zip file's contents after first publishing, like 
updating README files. As far as I know any functional change would trigger a 
new revision.

An example:

> 127127-11.zip MD5 from CHECKSUMS file: c2bf6c07976f113148a0f75a762f2140
> from verify: a1ce22de9e3fe544d7cffc2de4070a0c

On my proxy this file has d232b08f4cee8f0507bf720edacc1016 and is from "Apr 25 
2008". A fresh download of the file from Oracle is from "Aug 20  2009". 
Comparing the contents I see that LEGAL_LICENSE.TXT and README.127127-11 are 
different.

Now why the checksum in the CHECKSUMS file doesn't match the file currently 
available on Oracle's server - no idea.

IMHO, Oracle should include the MD5 checksums into patchdiag.xref. Then it would 
be easy for a tool like PCA to verify the checksum after download. It could also 
check whether an already existing ZIP file matches the checksum in the xref file 
and force a download if not, to ensure that you always get the most recent copy.

I'm pretty sure that Oracle won't listen, though. And I'm definitely not keen to 
add a comparable feature to PCA based on the current contents of the CHECKSUMS 
file. I would end up having to verify manually all those discrepancies to see 
what's wrong.

Martin.
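A script along the lines of the check Martin describes (verify each cached ZIP against a CHECKSUMS listing, on top of the existing "does it unzip" test), added here as an example; it is not part of PCA or of this thread. It assumes a CHECKSUMS layout of `<md5hex>  <zipname>` per line, which the thread does not state, and all patch ids other than 127127-11 are made up.

```python
import hashlib
import tempfile
import zipfile
from pathlib import Path

def parse_checksums(text):
    # Assumed layout (not from the post): '<md5hex>  <zipname>' per line.
    pairs = (line.split() for line in text.splitlines() if line.strip())
    return {name: md5.lower() for md5, name in pairs}

def md5_of(path):
    return hashlib.md5(Path(path).read_bytes()).hexdigest()
def zip_is_intact(path):  # PCA's existing check: does the archive extract cleanly?
    try:
        with zipfile.ZipFile(path) as z:
            return z.testzip() is None
    except zipfile.BadZipFile:
        return False

def audit_cache(cache_dir, checksums):
    # 'missing' and 'mismatch' are the two classes counted in the thread.
    report = {"corrupt": [], "missing": [], "mismatch": [], "ok": []}
    for p in sorted(Path(cache_dir).glob("*.zip")):
        if not zip_is_intact(p):
            report["corrupt"].append(p.name)
        elif p.name not in checksums:
            report["missing"].append(p.name)
        elif md5_of(p) != checksums[p.name]:
            report["mismatch"].append(p.name)
        else:
            report["ok"].append(p.name)
    return report

def demo():
    # Constructed cache; every patch id except 127127-11 is made up.
    with tempfile.TemporaryDirectory() as d:
        cache = Path(d)
        def write_zip(name, readme):
            with zipfile.ZipFile(cache / name, "w") as z:
                z.writestr("README." + name[:-4], readme)
            return cache / name
        ok = write_zip("000001-01.zip", "listed and unchanged")
        write_zip("127127-11.zip", "cached copy dated Apr 25 2008")
        write_zip("000002-01.zip", "never listed in CHECKSUMS")
        bad = write_zip("000003-01.zip", "truncated in transit")
        bad.write_bytes(bad.read_bytes()[:20])
        # 127127-11 is listed with the value quoted in the thread; the older cached copy cannot match.
        listing = (f"{md5_of(ok)}  000001-01.zip\n"
                   "c2bf6c07976f113148a0f75a762f2140  127127-11.zip\n")
        return audit_cache(cache, parse_checksums(listing))
```

Pointing audit_cache at a real pca-proxy cache and the real CHECKSUMS file reproduces the missing/mismatch counts from the thread; a "force download on mismatch" step would hang off the mismatch list.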
