I want to mirror the https://apps.nextcloud.com/api/v1/apps.json to my sever, as the same purpose as the topic , thus need to check if the mirrored file is correct.
I can find the “signature” value and “signatureDigest”. It is like this:
[user@localhosts ]$ cat apps.json | jq '.[] | select (.id == "spreed") | .releases[0]'
{
"version": "9.0.9",
"phpExtensions": [],
"databases": [],
"shellCommands": [],
"phpVersionSpec": "*",
"platformVersionSpec": ">=19.0.0 <20.0.0",
"minIntSize": 32,
"download": "https://github.com/nextcloud/spreed/releases/download/v9.0.9/spreed-9.0.9.tar.gz",
"created": "2021-02-22T09:48:45.108892Z",
"licenses": [
"agpl"
],
"lastModified": "2021-02-22T09:48:46.243527Z",
"isNightly": false,
"rawPhpVersionSpec": "*",
"rawPlatformVersionSpec": ">=19 <=19",
"signature": "FmMUjC/TLhHzpnALtXqo+DKVneHvvM1e8RmGMWQXTzm0GRk+PqLl3No0XQ+p/aAr\n6U8/Pp19xuoUk5DVR0d9XLrt26QWHOVgD8P8ldiWZCVq59xooaEjMeogvkd6osSX\nK7yf/kHUKjzQo76/LAK861ko/qlFuzAdNWp/0nd5HPhvdsDAFBJiYo26Nn9Sm4P2\nHYIkP4O+PuoDczfsw0hBxS7IVAARttNKas/aTYeVoIYRFn50LZHm5jiKjgvztWSx\nj6IUC+yRkJRkVVQK6fMH7gyDVEKOyR58EPc83UptZhWuSkYbtagSQqO9M6A/b8EV\nqgROSWfaXcfJ2IUv2+E6zBDKRfu06dMTeSg968Jyc8E5eZJuKXzVy5f9lt/NkjwG\npiel8AsUCKqNrmkxZV7wCi8NNMogisvyTQl+wiwN3XgB+ITk2TPNbXPBF4Khf5xJ\n67mS0bcXxJd9hlUBYYgVmyqXRsGC6EpUZC7mTJw5T3vuNpr4fJQ886lB11gh632M\nRw6rlQER5uSGtaCQht/wwTkIkL50LKnCTiuhMzKSr5U7sgrfqMxezK/jOVbTbrey\nY8mwUeWBKK3Yh+uHZ833xrUQNs925Z6O2ClKQLPFeEQXGofZztYMoVCE8PqNXDKH\nvRkKqF1iB7Kti37sh7egDRDjZT6rAACULF1yTrr9yCQ=",
"translations": {
"en": {
"changelog": "### Fixed\n- Fix collaboration resource options not loading\n [#5143](https://github.com/nextcloud/spreed/pull/5143)\n- Fixed a bug that would prevent attachments going into the Talk/ folder\n [#5080](https://github.com/nextcloud/spreed/pull/5080)"
}
},
"signatureDigest": "sha512"
}
It shows the algorithm is sha512.
However, the output of sha512sum is:
[user@localhosts ]$ sha512sum spreed-9.0.9.tar.gz
0bd11b79a085402b25837bcb7784362aa3ea9f7e30cfa5599347a9f7093d825e902a12a0a23c07df62109edf529f6074e6ddca0135e1f9d3ec06fdfe4dd3efa9 spreed-9.0.9.tar.gz
which are different with the “signature” in apps.json.
Then, how to calculate out the “signature” of the downloaded “*tar.gz” file?