Additionally I downloaded the file in Firefox, Chrome, Internet Explorer and Edge
Chrome, Firefox and IE gave me a MD5 of D87069632A808A5D05A51D91E5C6E682
Edge gave me a MD5 of 0EE9A468F4C766058F1EB5AECD181403
So I got to thinking.. maybe theres something screwy in the network...
'cos in theory there is no way a HTTPS transaction could be altered except for
AFTER it has been received and confirmed correct.... I fired up an instance of
TAILS in a VM ( TAILS uses TOR, effectively bypassing any network highjinks our
company routers/firewalls may be performing ). inside TAILS I wget downloaded
the file, and the MD5 was comming back as the correct 3a6903f95253b04de6dcd7c36c21a6d5
For my location I am in NZ, a tracert to downloads.arduino.cc returns
C:\Users\TechSupport>tracert downloads.arduino.cc
Tracing route to downloads.arduino.cc.cdn.cloudflare.net [104.20.190.47]
over a maximum of 30 hops:
1 1 ms 1 ms 1 ms 10.123.162.1
2 1 ms * 153 ms aecomfw1.?????.?????l [???.???.???.???]
3 2 ms 1 ms 1 ms tengige0-0-2-1-992.chrev-rt1.fx.net.nz [131.203.252.217]
4 * * * Request timed out.
5 16 ms 15 ms 15 ms callplus1.ape.nzix.net [192.203.154.46]
6 15 ms 15 ms 15 ms cloudflare.ape.nzix.net [192.203.154.51]
7 17 ms 17 ms 80 ms 104.20.190.47
Trace complete.
the .sig file is attached, I get a identical .sig if I download from windows or over TOR.
but I get a different JSON if I'm in windows or TOR... Perhaps cloudfare has pushed out
the new .sig file, but perhaps not correctly pushed down the .json file?
package_indexFIREFOX.json.sig.txt (543 Bytes)