Description
The SHA1 checksums for the download of API and Core differ based on whether they were downloaded from the core site or downloaded from Maven central.
From download https://dlcdn.apache.org/logging/log4j/2.17.2/apache-log4j-2.17.2-bin.zip
Algorithm Hash Path --------- ---- ---- SHA1 00AE567DABF40EEC11027B8BE59EBDCA65A5AD06 log4j-api-2.17.2.jar SHA1 70BFABC6EF2D35188EE4615BEBC1416080C6F76F log4j-core-2.17.2.jar
From maven https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.17.2/ and https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-api/2.17.2/
Algorithm Hash Path --------- ---- ---- SHA1 F42D6AFA111B4DEC5D2AEA0FE2197240749A4EA6 log4j-api-2.17.2.jar SHA1 FA43BA4467F5300B16D1E0742934149BFC5AC564 log4j-core-2.17.2.jar
Using Beyond Compare to compare the JAR files, all of the content is identical except for the MANIFEST.MF file.
The differences there are a singular difference in Bnd-LastModified. For example, API is
Bnd-LastModified: 1645648089746
vs
Bnd-LastModified: 1645647755961
This has resulted in validation errors in Snyk where we're bundling it in as part of a larger Eclipse feature plugin.