The new "wp plugin verify-checksums" command with WP-CLI 1.5.0 has been generally working OK for me (it discovered some plugins where the author had released two different codebases with the same version - arrgh! - which I reported to their respective support forums).
However, I've just tried it on an installation of the "Document Gallery" 4.4.3 plugin from:
https://wordpress.org/plugins/document-gallery/
and I get this back from "wp plugin verify-checksums document-gallery" (running on CentOS 6 with PHP 5.6.33):
+------------------+-----------------------------+-------------------------+
| plugin_name      | file                        | message                 |
+------------------+-----------------------------+-------------------------+
| document-gallery | README.txt                  | Checksum does not match |
+------------------+-----------------------------+-------------------------+
I then compared that installed plugin dir with an unpacked copy of document-gallery.4.4.3.zip using "diff -rc" and the two were identical, including README.txt. So either it's a bug in WP-CLI or the checksums are wrong - not sure which it is...
BTW, what is wordpress.org's policy on version numbers of plugin updates? I'm certain that I've seen some plugins being repacked either with trivial changes (e.g. "Tested up to:" in readme.txt changed and nothing else) or big changes and being re-uploaded to wordpress.org with the same version number as the latest plugin release.
Surely an upload of a .zip with new contents should be considered a new release? If nothing else, it messes up the checksums and plugin updates for sites that have the "old" release installed (because the checksums will refer to the "new" version, which won't be updated to because it very dubiously has the same version number!).