Need Help Verifying Authenticity of Fabric Loader .jar File With SHA Checksums

[nyctfall]

Verifying Authenticity of Fabric Loader .jar Files With SHA Checksums

Hello FabricMC community!

Thank you for your time and help in advance!
I'm a very security conscious sys-admin and developer, so I always verify the software I run, or I build from source. I've been a bit busy, and I'm new to the Java build tool ecosystem.
So I did some cursory searching for any way of verifying that the .jars downloaded from the official site are authentic and haven't been modified from what's in the repo (e.g.: by a man-in-the-middle attack).

Since I couldn't find any checksums for any version online, I'm posting them here for a dev or another user to be able to confirm and cross reference if my results are correct.

---

My version, Minecraft Server Launcher by CLI Download:

• Minecraft Version: 1.20.1
• Fabric Loader Version: 0.15.11
• Installer Version: 1.0.1

---

The site I downloaded from:
% curl -OJ --output-dir Downloads/ https://meta.fabricmc.net/v2/versions/loader/1.20.1/0.15.11/1.0.1/server/jar

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  164k    0  164k    0     0  1604k      0 --:--:-- --:--:-- --:--:-- 1612k

The checksum using the SHA-256 algorithm:
% sha256sum Downloads/fabric-server-mc.1.20.1-loader.0.15.11-launcher.1.0.1.jar

fe3f70233612a0ff9911f791252b11c168614cd91332bfaf378d145fdb3e5623  fabric-server-mc.1.20.1-loader.0.15.11-launcher.1.0.1.jar

I checked the file with ClamAV engine version: 0.103.11, which didn't detect any malware. So I used zipinfo to get more details about the file's contents:
% zipinfo -lhtz Downloads/fabric-server-mc.1.20.1-loader.0.15.11-launcher.1.0.1.jar

Archive:  Downloads/fabric-server-mc.1.20.1-loader.0.15.11-launcher.1.0.1.jar
Zip file size: 168436 bytes, number of entries: 116
-rw----     2.0 fat        0 bx        2 defN 24-Apr-09 18:53 META-INF/
-rw----     2.0 fat      146 bx      109 defN 24-Apr-09 18:53 META-INF/MANIFEST.MF
-rw----     2.0 fat        0 bx        2 defN 24-Apr-09 18:53 net/
-rw----     2.0 fat        0 bx        2 defN 24-Apr-09 18:53 net/fabricmc/
-rw----     2.0 fat        0 bx        2 defN 24-Apr-09 18:53 net/fabricmc/installer/
-rw----     2.0 fat        0 bx        2 defN 24-Apr-09 18:53 net/fabricmc/installer/client/
-rw----     2.0 fat    12557 bx     5579 defN 24-Apr-09 18:53 net/fabricmc/installer/client/ClientHandler.class
-rw----     2.0 fat     4620 bx     2089 defN 24-Apr-09 18:53 net/fabricmc/installer/client/ProfileInstaller.class
-rw----     2.0 fat     1552 bx      720 defN 24-Apr-09 18:53 net/fabricmc/installer/client/ProfileInstaller$LauncherType.class
-rw----     2.0 fat     3910 bx     1888 defN 24-Apr-09 18:53 net/fabricmc/installer/client/ClientInstaller.class
-rw----     2.0 fat     2018 bx     1088 defN 24-Apr-09 18:53 net/fabricmc/installer/LoaderVersion.class
-rw----     2.0 fat     1205 bx      575 defN 24-Apr-09 18:53 net/fabricmc/installer/ServerLauncher$LaunchData.class
-rw----     2.0 fat     9996 bx     4765 defN 24-Apr-09 18:53 net/fabricmc/installer/ServerLauncher.class
-rw----     2.0 fat        0 bx        2 defN 24-Apr-09 18:53 net/fabricmc/installer/server/
-rw----     2.0 fat     3357 bx     1566 defN 24-Apr-09 18:53 net/fabricmc/installer/server/MinecraftServerDownloader.class
-rw----     2.0 fat    15313 bx     7007 defN 24-Apr-09 18:53 net/fabricmc/installer/server/ServerPostInstallDialog.class
-rw----     2.0 fat    14428 bx     6519 defN 24-Apr-09 18:53 net/fabricmc/installer/server/ServerInstaller.class
-rw----     2.0 fat     6703 bx     2943 defN 24-Apr-09 18:53 net/fabricmc/installer/server/ServerHandler.class
-rw----     2.0 fat     1321 bx      704 defN 24-Apr-09 18:53 net/fabricmc/installer/server/ServerHandler$1.class
-rw----     2.0 fat    13550 bx     6529 defN 24-Apr-09 18:53 net/fabricmc/installer/Handler.class
-rw----     2.0 fat     6295 bx     3018 defN 24-Apr-09 18:53 net/fabricmc/installer/InstallerGui.class
-rw----     2.0 fat     5348 bx     2668 defN 24-Apr-09 18:53 net/fabricmc/installer/Main.class
-rw----     2.0 fat      236 bx      167 defN 24-Apr-09 18:53 net/fabricmc/installer/ServerLauncher$1.class
-rw----     2.0 fat        0 bx        2 defN 24-Apr-09 18:53 net/fabricmc/installer/launcher/
-rw----     2.0 fat      386 bx      247 defN 24-Apr-09 18:53 net/fabricmc/installer/launcher/MojangLauncherHelper.class
-rw----     2.0 fat     3789 bx     1899 defN 24-Apr-09 18:53 net/fabricmc/installer/launcher/NativesHelper.class
-rw----     2.0 fat      636 bx      351 defN 24-Apr-09 18:53 net/fabricmc/installer/launcher/MojangLauncherHelperWrapper.class
-rw----     2.0 fat        0 bx        2 defN 24-Apr-09 18:53 net/fabricmc/installer/util/
-rw----     2.0 fat     5232 bx     2246 defN 24-Apr-09 18:53 net/fabricmc/installer/util/FabricService.class
-rw----     2.0 fat     3370 bx     1519 defN 24-Apr-09 18:53 net/fabricmc/installer/util/ArgumentParser.class
-rw----     2.0 fat     1864 bx     1039 defN 24-Apr-09 18:53 net/fabricmc/installer/util/CrashDialog.class
-rw----     2.0 fat     3274 bx     1426 defN 24-Apr-09 18:53 net/fabricmc/installer/util/MetaHandler.class
-rw----     2.0 fat      890 bx      488 defN 24-Apr-09 18:53 net/fabricmc/installer/util/InstallerProgress$1.class
-rw----     2.0 fat      524 bx      262 defN 24-Apr-09 18:53 net/fabricmc/installer/util/FabricService$Handler.class
-rw----     2.0 fat    10054 bx     5104 defN 24-Apr-09 18:53 net/fabricmc/installer/util/Utils.class
-rw----     2.0 fat     1163 bx      622 defN 24-Apr-09 18:53 net/fabricmc/installer/util/LauncherMeta$Version.class
-rw----     2.0 fat     1360 bx      714 defN 24-Apr-09 18:53 net/fabricmc/installer/util/Reference.class
-rw----     2.0 fat     1558 bx      816 defN 24-Apr-09 18:53 net/fabricmc/installer/util/VersionMeta.class
-rw----     2.0 fat     2093 bx      887 defN 24-Apr-09 18:53 net/fabricmc/installer/util/CompletableHandler.class
-rw----     2.0 fat      861 bx      445 defN 24-Apr-09 18:53 net/fabricmc/installer/util/NoopCaret.class
-rw----     2.0 fat     1719 bx      859 defN 24-Apr-09 18:53 net/fabricmc/installer/util/Library.class
-rw----     2.0 fat     1782 bx      897 defN 24-Apr-09 18:53 net/fabricmc/installer/util/OperatingSystem.class
-rw----     2.0 fat      507 bx      311 defN 24-Apr-09 18:53 net/fabricmc/installer/util/InstallerProgress.class
-rw----     2.0 fat      886 bx      493 defN 24-Apr-09 18:53 net/fabricmc/installer/util/MetaHandler$GameVersion.class
-rw----     2.0 fat     2311 bx     1125 defN 24-Apr-09 18:53 net/fabricmc/installer/util/Utils$1.class
-rw----     2.0 fat      767 bx      459 defN 24-Apr-09 18:53 net/fabricmc/installer/util/VersionMeta$Download.class
-rw----     2.0 fat     3781 bx     1593 defN 24-Apr-09 18:53 net/fabricmc/installer/util/LauncherMeta.class
-rw----     2.0 fat        0 bx        2 defN 24-Apr-09 18:53 lang/
-rw----     2.0 fat     2977 bx     1175 defN 24-Apr-09 18:53 lang/installer_fi_fi.properties
-rw----     2.0 fat     3253 bx     1356 defN 24-Apr-09 18:53 lang/installer_ko_kr.properties
-rw----     2.0 fat     2825 bx     1050 defN 24-Apr-09 18:53 lang/installer.properties
-rw----     2.0 fat     3182 bx     1282 defN 24-Apr-09 18:53 lang/installer_pl_pl.properties
-rw----     2.0 fat     4143 bx     1482 defN 24-Apr-09 18:53 lang/installer_uk_ua.properties
-rw----     2.0 fat     3950 bx     1441 defN 24-Apr-09 18:53 lang/installer_ru_ru.properties
-rw----     2.0 fat     2955 bx     1128 defN 24-Apr-09 18:53 lang/installer_ms_my.properties
-rw----     2.0 fat     2743 bx     1262 defN 24-Apr-09 18:53 lang/installer_zh_cn.properties
-rw----     2.0 fat     3681 bx     1381 defN 24-Apr-09 18:53 lang/installer_ja_jp.properties
-rw----     2.0 fat     2997 bx     1165 defN 24-Apr-09 18:53 lang/installer_it_it.properties
-rw----     2.0 fat     3237 bx     1240 defN 24-Apr-09 18:53 lang/installer_fr_fr.properties
-rw----     2.0 fat     2901 bx     1156 defN 24-Apr-09 18:53 lang/installer_et_ee.properties
-rw----     2.0 fat     2874 bx     1290 defN 24-Apr-09 18:53 lang/installer_zh_tw.properties
-rw----     2.0 fat     3231 bx     1248 defN 24-Apr-09 18:53 lang/installer_vi_vn.properties
-rw----     2.0 fat     3002 bx     1172 defN 24-Apr-09 18:53 lang/installer_pt_br.properties
-rw----     2.0 fat     2495 bx      942 defN 24-Apr-09 18:53 lang/installer_ar_ar.properties
-rw----     2.0 fat     3168 bx     1284 defN 24-Apr-09 18:53 lang/installer_de_de.properties
-rw----     2.0 fat     3202 bx     1233 defN 24-Apr-09 18:53 lang/installer_es_es.properties
-rw----     2.0 fat        0 bx        2 defN 24-Apr-09 18:53 META-INF/maven/
-rw----     2.0 fat        0 bx        2 defN 24-Apr-09 18:53 META-INF/maven/org.sharegov/
-rw----     2.0 fat        0 bx        2 defN 24-Apr-09 18:53 META-INF/maven/org.sharegov/mjson/
-rw----     2.0 fat      126 bx      119 defN 17-Feb-27 19:51 META-INF/maven/org.sharegov/mjson/pom.properties
-rw----     2.0 fat     5794 bx     1354 defN 17-Feb-27 00:21 META-INF/maven/org.sharegov/mjson/pom.xml
-rw----     2.0 fat        0 bx        2 defN 24-Apr-09 18:53 mjson/
-rw----     2.0 fat      172 bx      145 defN 17-Feb-26 21:22 mjson/Json$1.class
-rw----     2.0 fat     7909 bx     3871 defN 17-Feb-26 21:22 mjson/Json$ArrayJson.class
-rw----     2.0 fat     1803 bx      855 defN 17-Feb-26 21:22 mjson/Json$BooleanJson.class
-rw----     2.0 fat     4926 bx     2399 defN 17-Feb-26 21:22 mjson/Json$DefaultFactory.class
-rw----     2.0 fat      720 bx      401 defN 17-Feb-26 21:22 mjson/Json$DefaultSchema$1.class
-rw----     2.0 fat     1320 bx      677 defN 17-Feb-26 21:22 mjson/Json$DefaultSchema$2.class
-rw----     2.0 fat     1752 bx      938 defN 17-Feb-26 21:22 mjson/Json$DefaultSchema$CheckAny.class
-rw----     2.0 fat     2767 bx     1506 defN 17-Feb-26 21:22 mjson/Json$DefaultSchema$CheckArray.class
-rw----     2.0 fat     1699 bx      904 defN 17-Feb-26 21:22 mjson/Json$DefaultSchema$CheckEnum.class
-rw----     2.0 fat     1450 bx      747 defN 17-Feb-26 21:22 mjson/Json$DefaultSchema$CheckNot.class
-rw----     2.0 fat     1937 bx     1031 defN 17-Feb-26 21:22 mjson/Json$DefaultSchema$CheckNumber.class
-rw----     2.0 fat     2334 bx     1084 defN 17-Feb-26 21:22 mjson/Json$DefaultSchema$CheckObject$CheckPatternProperty.class
-rw----     2.0 fat     1304 bx      631 defN 17-Feb-26 21:22 mjson/Json$DefaultSchema$CheckObject$CheckProperty.class
-rw----     2.0 fat     3798 bx     1842 defN 17-Feb-26 21:22 mjson/Json$DefaultSchema$CheckObject.class
-rw----     2.0 fat     1925 bx     1066 defN 17-Feb-26 21:22 mjson/Json$DefaultSchema$CheckOne.class
-rw----     2.0 fat     1964 bx     1017 defN 17-Feb-26 21:22 mjson/Json$DefaultSchema$CheckPropertyDependency.class
-rw----     2.0 fat     1477 bx      769 defN 17-Feb-26 21:22 mjson/Json$DefaultSchema$CheckPropertyPresent.class
-rw----     2.0 fat     1208 bx      611 defN 17-Feb-26 21:22 mjson/Json$DefaultSchema$CheckSchemaDependency.class
-rw----     2.0 fat     2075 bx     1118 defN 17-Feb-26 21:22 mjson/Json$DefaultSchema$CheckString.class
-rw----     2.0 fat     2145 bx     1170 defN 17-Feb-26 21:22 mjson/Json$DefaultSchema$CheckType.class
-rw----     2.0 fat      370 bx      222 defN 17-Feb-26 21:22 mjson/Json$DefaultSchema$Instruction.class
-rw----     2.0 fat     1021 bx      552 defN 17-Feb-26 21:22 mjson/Json$DefaultSchema$IsArray.class
-rw----     2.0 fat     1029 bx      555 defN 17-Feb-26 21:22 mjson/Json$DefaultSchema$IsBoolean.class
-rw----     2.0 fat     1130 bx      599 defN 17-Feb-26 21:22 mjson/Json$DefaultSchema$IsInteger.class
-rw----     2.0 fat     1017 bx      553 defN 17-Feb-26 21:22 mjson/Json$DefaultSchema$IsNull.class
-rw----     2.0 fat     1025 bx      551 defN 17-Feb-26 21:22 mjson/Json$DefaultSchema$IsNumber.class
-rw----     2.0 fat     1025 bx      550 defN 17-Feb-26 21:22 mjson/Json$DefaultSchema$IsObject.class
-rw----     2.0 fat     1025 bx      549 defN 17-Feb-26 21:22 mjson/Json$DefaultSchema$IsString.class
-rw----     2.0 fat     1579 bx      790 defN 17-Feb-26 21:22 mjson/Json$DefaultSchema$Sequence.class
-rw----     2.0 fat    10472 bx     4714 defN 17-Feb-26 21:22 mjson/Json$DefaultSchema.class
-rw----     2.0 fat     3794 bx     2153 defN 17-Feb-26 21:22 mjson/Json$Escaper.class
-rw----     2.0 fat      411 bx      234 defN 17-Feb-26 21:22 mjson/Json$Factory.class
-rw----     2.0 fat      321 bx      196 defN 17-Feb-26 21:22 mjson/Json$Function.class
-rw----     2.0 fat      497 bx      321 defN 17-Feb-26 21:22 mjson/Json$MalformedJsonException.class
-rw----     2.0 fat     1294 bx      608 defN 17-Feb-26 21:22 mjson/Json$NullJson.class
-rw----     2.0 fat     2292 bx      967 defN 17-Feb-26 21:22 mjson/Json$NumberJson.class
-rw----     2.0 fat     7203 bx     3403 defN 17-Feb-26 21:22 mjson/Json$ObjectJson.class
-rw----     2.0 fat      434 bx      285 defN 17-Feb-26 21:22 mjson/Json$ParentArrayJson.class
-rw----     2.0 fat     8659 bx     4421 defN 17-Feb-26 21:22 mjson/Json$Reader.class
-rw----     2.0 fat      240 bx      169 defN 17-Feb-26 21:22 mjson/Json$Schema.class
-rw----     2.0 fat     3250 bx     1359 defN 17-Feb-26 21:22 mjson/Json$StringJson.class
-rw----     2.0 fat      799 bx      436 defN 17-Feb-26 21:22 mjson/Json$help.class
-rw----     2.0 fat    17245 bx     7342 defN 17-Feb-26 21:22 mjson/Json.class
-rw----     2.0 fat       49 bX       42 defN 24-May-03 13:26 install.properties
116 files, 324964 bytes uncompressed, 149875 bytes compressed:  53.9%

If the information needed to verify .jars is already available somewhere that I haven't found (e.g.: the Discord), I appologise, I was having difficulty acccessing it.

It would be much appreciated if checksums were provided somewhere more publicly accessible, like the GitHub repo's Releases page or the https://fabricmc.net/use/server/ main website download page. That way all users could more easily verify installations, and it would be indexed by search engines.

In the meantime, I hope this helps anyone else who's a bit squeamish when it comes to software commonly targeted by unauthentic copycats.

[apple502j]

Server download jars are generated by the API at runtime, so it makes little sense to provide checksums. (After all, attackers capable of compromising the API can change the checksum very easily.)

[nyctfall]

Hello @apple502j,

Thank you very much for your quick reply.

Question:

Would you (or anyone else) be able to please tell me if my fabric-server-mc.1.20.1-loader.0.15.11-launcher.1.0.1.jar checksum matches what everyone else gets for their .jar file?

[modmuss50]

The code included in the server launcher all comes from this jar here: https://maven.fabricmc.net/net/fabricmc/fabric-installer/1.0.1/fabric-installer-1.0.1-server.jar, we only add the install.properties file on meta.

You could extract both the jar you have, and the one I linked and compare the files contained within. Tashes and signatures can be found for the server launcher jar on maven here: https://maven.fabricmc.net/net/fabricmc/fabric-installer/1.0.1/

Unfortunately due to the way this works I dont think its feasible for us to sign the customised jar files.

[nyctfall]

Hello @modmuss50!

Thank you for the quick reply!

I will check the https://maven.fabricmc.net checksum. Then I'll most likely edit the maven fabric-installer-1.0.1-server.jar manually from there. Thank you for your help!

I also calculated that the https://meta.fabricmc.net would have 284,592+ checksums for every combination at most, or 800+ checksum for just the latest major versions of fabric-loader, fabric-installer and Minecraft. Indeed, that would be a infeasible amount of files.

[modmuss50]

Editing the file manually likely wont yeild the results you want, as the timestamps within the zip will be different.

[nyctfall]

I was looking for checksums for the fabric-installer .jars online, but the https://maven.fabricmc.net didn't come up in DuckDuckGo/Reddit search results for me.

Now that I have a way of verifying any installer version, I can just configure everything from there.