Incorrect SHA256 on Linux download page #6094
Description
This is from the website:
This is my third time redownload:
What happened then? First time I downloaded the bin file from browser I couldn't do it properly (click and browser save it to locale). It looked like this:
Still I could try to download it with Ctrl + S. However, due to worry about file quality by downloading this way I double checked with sha but result is like the image above. It doesn't match. So I attempted to do that again with curl:
curl -o duckdb.zip https://install.duckdb.org/v1.4.1/duckdb_cli-linux-amd64.zipThe sha of downloaded file is still very consistent to the first time download. So I went stupid and tried again with... curl... The result is as expected. SHA didn't match. Could you guy verify if I was assaulted (🤪) by the infamous middle man attack or the site has some problem? Thanks
Additional info about broken download link:
HTTP/2 200
date: Mon, 03 Nov 2025 09:21:43 GMT
content-type: text/plain
report-to: {"group":"cf-nel","max_age":604800,"endpoints":[{"url":"..."}]}
nel: {"report_to":"...","success_fraction":0.0,"max_age":...}
server: cloudflare
cf-cache-status: HIT
last-modified: Fri, 17 Oct 2025 11:17:50 GMT
vary: Accept-Encoding
age: ...
cache-control: max-age=...
etag: ...
content-encoding: br
cf-ray: ...
I can tell that setting content-type to text/plain will make browser display the file at all cost (which harm user pc as well since it cost 18.2MB ram at once).
Update on 03·Nov·25
I tried to download file once more time. This time the source was directly from the release page of Github: https://github.com/duckdb/duckdb/releases
The result is come out nicely. Everything match. I think the site could be a little bit broken (if we don't want to say it has been compromised)