MD5 or SHA256 Hash/Checksum not matching sonar-scanner-cli ZIP file downloads

From this site: Index of /Distribution/sonar-scanner-cli
Also downloaded:
Also downloaded:

Neither checksum matches the download. Tried the same steps with the Windows zip file, just as a test, and those do not match either.

Used both the Win10 ‘Powershell’ method and the Win10 ‘certutil’ method to generate checksums on the downloaded sonar-scanner-cli ZIP files… which we use on all downloads. This is a rare time when the values do not match.


Hi Scott,

Welcome to the community.
I checked the checksums and signatures. All of them are valid:

❯ echo -en "$(cat" | md5sum -c - OK

❯ echo -en "$(cat" | sha1sum -c - OK

❯ echo -en "$(cat" | sha256sum -c - OK

❯ gpg --verify
gpg: assuming signed data in ''
gpg: Signature made Fr 07 Mai 2021 14:17:10 CEST
gpg:                using RSA key 2B1042677FD8190C7B9FC0DC2161D72E7DCD4258
gpg: Good signature from "SonarSource S.A. <>" [ultimate]

If these is not the case on your side, you need to assume that the files get manipulated during downloading them.


Thank you for the feedback.

This is quite odd. I (we) download 10-12 items per week, same process, same web-browsers, same everything… and in 13 years never had a mis-match with any product. Here, nothing matches, yet your process for testing shows all is OK.

I have tired 3 difference web-browsers, on different days, from different workstations… all my results are the same, and all are mismatches.


Extensive tests resulted in finding the issue.

Note that we are air-gapped, and we are downloading the ‘scanner-cli’ (for Linux) ZIP file to Internet-connected Win10 systems… verifying the checksum there… before then burning the SQ product to media to get them to the production (Linux) networks.

The reason for the mismatch on the checksum values (regardless of which checksum value was used) was:

The web-browser used to download the “sonar-scanner-cli” ZIP file… MATTERED!

  • Chrome: good download (Download size: 42,090 KB)
  • FireFox: bad download (Download size: 42,110 KB)
  • Edge: bad download (Download size: 42,110 KB)

There was a small size difference for all ZIP file downloads done with FFox or Edge as compared to the download via Chrome.

Oddly, the ZIP file itself was the only item that had a different sized download based on the browser used. The checksum files themselves (albeit simple text files) are all the same regardless of the browser used.

Edge and FFox produced identical results in their download of the ZIP file (and identical checksum values). But Chrome’s download differed and matched the staged MD5 and SHA256 checksum files.

1 Like

Hi @smhodgeNG

I am happy to hear, that you solved the issue.
On a linux machine I cannot confirm the issue in any of the listed browsers. It seems to be a specific issue within your setup.

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.