Feature Request: Include hashed checksums for releases

[nero-dv]

Is there an existing issue for this feature request?

• [X] I have searched the existing issues

Is your feature request related to a problem?

Firstly, thank you for your continuous efforts in developing and improving OrcaSlicer. Your work is greatly appreciated by the community.

I am writing to propose two security enhancements for the OrcaSlicer software:

**1. Include Hashed Checksums with Releases

2. Digitally Sign Executables**

Related Open Issues:

• Issue #6534: There have been concerns about domain squatting and users being redirected to suspected malicious files. Including checksums can mitigate risks by enabling users to confirm the authenticity of the files.
• Issue #4798: The software is being flagged as suspicious by Microsoft's software install service due to the lack of a digital signature.

Benefits:

• Security: Users can verify downloads, ensuring they haven't been tampered with.
• Trust: Digitally signed executables are less likely to be flagged by antivirus software.
• Professionalism: Enhance the project's credibility and user confidence.

Implementing these measures will enhance the security and integrity of OrcaSlicer distributions. It will protect both the maintainers and the users from potential security threats.

Thank you for considering this feature request. Your dedication to improving OrcaSlicer is highly valued.

Which printers will be beneficial to this feature?

All

Describe the solution you'd like

Include Hashed Checksums with Releases

Providing hashed checksums (e.g., SHA-256) alongside release files allows users to verify the integrity of the downloads, ensuring that the files have not been tampered with.

Creating Checksums:

Windows:

In PowerShell, navigate to the directory containing the only the released installer binaries, then generate the SHA-256 checksums for all files, then include the checksums.txt file with your release.

  Get-ChildItem * | Get-FileHash -Algorithm SHA256 | Format-Table -AutoSize | Out-File checksums.txt

Linux:

  sha256sum * > checksums.txt

macOS:

  shasum -a 256 * > checksums.txt

Digitally Sign Executables

Digitally signing executables assures users of the software's authenticity and integrity, reducing security warnings during installation.

Digitally Signing Executables:

Windows:

If not already done, purchase a certificate from a trusted Certificate Authority (CA) like DigiCert, Comodo, or GlobalSign. You would then need to complete the validation process as per the CA's instructions.

• Sign the Executable:

  • Install the Windows SDK to access signtool.exe.
  • Use the following command to sign:

signtool sign /f "path\to\certificate.pfx" /p "certificate_password" /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 /v "path\to\executable.exe"

• Verify the signature:

signtool verify /pa /v "path\to\executable.exe"

Linux:

• Sign with PGP:

  • Generate a GPG key if you don't have one:

gpg --full-generate-key

• Sign the binary or package:

gpg --detach-sign --armor yourpackage.tar.gz

• Provide the public key for users to verify the signature.

macOS:

• Obtain an Apple Developer ID Certificate:

  • Enroll in the Apple Developer Program.
  • Download your Developer ID Application certificate via Xcode or Apple Developer portal.

• Sign the Application using the codesign tool:

codesign --deep --force --verify --verbose --sign "Developer ID Application: Your Developer Name (Team ID)" /path/to/YourApp.app

• Notarize the app (recommended for macOS Catalina and later):

xcrun altool --notarize-app --primary-bundle-id "com.yourcompany.yourapp" --username "your@appleid.com" --password "app-specific-password" --file /path/to/YourApp.app

• Staple the notarization ticket:

xcrun stapler staple /path/to/YourApp.app

Describe alternatives you've considered

No response

Additional context

No response

[ShaneDelmore]

This feels like a timely suggestion given Orcaslicer.net confusing people.