So to satisfy my curiosity (earlier today) I put the following together in a few minutes, excuse the mess:

#!/usr/bin/perl

use strict;
use warnings;
use CPAN::Mirrors;
use LWP::UserAgent;
use Digest::SHA qw(sha256_hex);

my $sha256  = '8e3fccbf4c7e87c2df7c1e756fc17666a708bab8b36fd2004163756
+51d9b86e1';
my $path    = 'authors/id/R/RS/RSCHUPP/PAR-Packer-1.047.tar.gz';
my $mirrors = CPAN::Mirrors->new( 'MIRRORED.BY' );
my @mirrors = $mirrors->mirrors();

my ( @goodsha, @badsha, @problemmirror );
my $ua = LWP::UserAgent->new();

foreach my $cpan ( @mirrors ){
  if ( $cpan->{http} ){
    print "Checking Mirror: $cpan->{http}\n";
    my $url = $cpan->{http} . $path;
    my $res = $ua->get( $url ); 
    if ( $res->is_success ){
      my $file = $res->decoded_content( charset => 'none' );
      my $file_sha = sha256_hex( $file );
      if ( $file_sha eq $sha256 ){
        print "Matching SHA\n";
        push @goodsha, $url; 
      }else{
        print "Warning: SHA does not match!\n";
        print "Got     : $file_sha\nExpected: $sha256\n";
        push @badsha, $url;
      }
    }else{
      print "Couldn't download $url\n";
      push @problemmirror, $url;
    }
  }
}

print "'Bad' mirrorsn\n\n" . join( "\n", @badsha ) if ( @badsha );
print "\n'Unreachable' mirrors\n\n" . join( "\n", @problemmirror ) if 
+( @problemmirror );

[download]

A wget http://www.cpan.org/MIRRORED.BY, or otherwise having a copy in the same directory as this script is required. I get a few 'Unreachable' URLs (perhaps connectivity issues from here to there, rather than genuine downtime, see also http://mirrors.cpan.org/, the same 4 at time of writing), and a few 'BAD' SHAs. On inspection these seem to be sending the value associated with 'sha256-ungz' (as listed in CHECKSUMS), as yet I'm unsure why.

Obviously this does not take into account PPM repos, which I gave up on years ago for unrelated reasons.

Update: For clarity, the script downloads PAR-Packer-1.047.tar.gz from each mirror and calculates the SHA256 and validates it against a known good SHA for the file. For a few of the sites the download of the tar.gz results in a different SHA:

Checking Mirror: http://mirrors.gossamer-threads.com/CPAN/
Warning: SHA does not match!
Got     : d339d474e8a87ceb3e0ad456acd13249e7e80eea0d735aed3a32108bdcfc
+85bd
Expected: 8e3fccbf4c7e87c2df7c1e756fc17666a708bab8b36fd200416375651d9b
+86e1

[download]

Note that d339d474e8a87ceb3e0ad456acd13249e7e80eea0d735aed3a32108bdcfc85bd is the sha256-ungz SHA: 'sha256-ungz' => 'd339d474e8a87ceb3e0ad456acd13249e7e80eea0d735aed3a32108bdcfc85bd', (from CHECKSUMS)

In reply to Re^6: PAR::Packer generated EXE that was detected as a trojan... by marto
in thread PAR::Packer generated EXE that was detected as a trojan... by vitoco

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post, it's "PerlMonks-approved HTML":


  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.