This looks like a glitch in our release process. The timestamps in the zip (and sha256 file) on downloads.apache.org have changed but nothing else. I'll see what I can do to correct this.
In the meantime you can use the checksum at:
https://dl.bintray.com/groovy/maven/apache-groovy-binary-2.4.19.zip.sha256


On Fri, Apr 10, 2020 at 7:31 AM alessio <alessino@gmail.com> wrote:
Hello,

either the binaries have been compromised or an incorrect hash was published.

The hash published at
https://downloads.apache.org/groovy/2.4.19/distribution/apache-groovy-binary-2.4.19.zip.sha256
is

  b6a6a7819bd7e222756f9dba1d62d933f217d5e491f0e82ddddfde9df8222f54

whereas the actual hash of
https://dl.bintray.com/groovy/maven/apache-groovy-binary-2.4.19.zip is

  24517ee43881ee52ccd52996ac3d298f0eb000ac36d59d59c2e5ef0c3ef9eb88