Major Description
The SHA1 checksums for the download of API and Core differ based on whether they were downloaded from the core site or downloaded from Maven central.
From download https://dlcdn.apache.org/logging/log4j/2.17.2/apache-log4j-2.17.2-bin.zip
Algorithm Hash Path --------- ---- ---- SHA1 00AE567DABF40EEC11027B8BE59EBDCA65A5AD06 log4j-api-2.17.2.jar SHA1 70BFABC6EF2D35188EE4615BEBC1416080C6F76F log4j-core-2.17.2.jar
From maven https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.17.2/ and https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-api/2.17.2/
Algorithm Hash Path --------- ---- ---- SHA1 F42D6AFA111B4DEC5D2AEA0FE2197240749A4EA6 log4j-api-2.17.2.jar SHA1 FA43BA4467F5300B16D1E0742934149BFC5AC564 log4j-core-2.17.2.jar
Using Beyond Compare to compare the JAR files, all of the content is identical except for the MANIFEST.MF file.
The differences there are a singular difference in Bnd-LastModified. For example, API is
Bnd-LastModified: 1645648089746
vs
Bnd-LastModified: 1645647755961
This has resulted in validation errors in Snyk where we're bundling it in as part of a larger Eclipse feature plugin.