SpacingBat3 / WebCord

A Discord and SpaceBar :electron:-based client implemented without Discord API.
MIT License

sha checksum - file integrity #412

Closed Abyssgrowth closed 1 year ago

Abyssgrowth commented 1 year ago

Acknowledgements

Operating System / Platform

🪟️ Windows

Operating system architecture

x64 (64-bit Intel/AMD)

Electron version

22.0.0

Application version

4.0.0

Bug description

Not a bug really but, could you please include a sha checksum 256 or 512 so we can verify the downloaded file isn't malicious?

Additional context

No response

SpacingBat3 commented 1 year ago

Not a bug really but, could you please include a sha checksum 256 or 512 so we can verify the downloaded file isn't malicious?

That should then be filed using the feature request template (please do not report these as bugs).

Also, WebCord shows checksums for ASAR files. A checksum will also not protect the application from being modified by potential malicious actors; this could be done most reliably with application signing. This is currently possible on Linux packages (.deb etc.) where supported and on macOS (in the Electron docs I saw it had some kind of ASAR file verification support, but IDK if that's enough). I dunno if Windows has any reliable built-in way of signing Electron apps like that though (you can sign the Electron binary, but app.asar is unlikely to be protected in any way – if it were, no one would have been able to mod Discord that easily in the past/present).

Abyssgrowth commented 1 year ago

Apologies, I should have labeled it as a feature request, not a bug. From what I know, the SHA checksum only guarantees that the downloaded file matches the one on the source website; this does not protect against malicious actors who have access to the actual source website, as they could modify the file and it would go unnoticed as long as the checksum matches. But even signatures might not be a guarantee of safety; remember recently Nvidia drivers were infected, and this was while the signature was intact because some actors got direct access to Nvidia's infrastructure? Anyway, I probably should pay close attention to signatures and not only the checksum, thanks for the reminder. Actually I'm not sure how this works: on Windows we can inspect file properties with a right-click on said file, but then how can I be sure the signature is legit?

Abyssgrowth commented 1 year ago

Or maybe I should ask: how do you personally ensure security on your systems when it comes to downloading and installing software?

SpacingBat3 commented 1 year ago

Or maybe I should ask: how do you personally ensure security on your systems when it comes to downloading and installing software?

As I use Arch Linux as a daily driver, most important software I install is protected using the PGP signature bundled in the packages. Only packages I self-package from the AUR aren't always secured by a signature, and -git packages aren't even verified using a checksum.

I believe a checksum might also be useless as malicious actor prevention if it is downloaded from the same source as the file itself. It really makes sense when sharing files via mirrors or torrents, so you can validate the data you received from untrusted sources with checksums downloaded from secure/upstream sources. But they won't make sense in the case of WebCord for that job if you download both checksums and binaries from the same source.

Actually I'm not sure how this works: on Windows we can inspect file properties with a right-click on said file, but then how can I be sure the signature is legit?

On Windows, software is signed using a certificate bought by the developer from one of the resellers. You can also self-sign software, but that would require importing such a certificate. Also, SmartScreen actually displays a dialog when running unsigned software (in fact this is why WebCord triggers it). I'm not sure though if and how bought certificates protect anyone from masquerading as another developer (I'm inexperienced with signing software on Windows).

On Linux, PGP is designed with self-signing in mind. The security of software signed with PGP depends on your trust in the given public key – importing it doesn't necessarily mean it will be trusted by the OS. The signatures also have to be shared through a secure medium in order to guarantee users will receive the correct key – PGP has the concept of a web of trust for that. So as long as you trust the specific developer and have the correct key, you can validate the signatures and tell if these were distributed using the specific key or not.

FYI, there are many more concepts around the security of distributed software than checksum hashes and software signing – see e.g. the binary transparency concept.
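Checking files received from a mirror against a checksum manifest fetched from the upstream site, the one case above where checksums actually do the job; this is an added example, not WebCord's code, and the manifest, file names and file bytes are constructed for the demonstration.

```python
import hashlib
import hmac
import re

# Added example, not WebCord's code: verifies downloaded files against a
# coreutils-style sha256sum/sha512sum manifest ("<hex>  <name>" or
# "<hex> *<name>" per line), the format projects usually publish.
_LINE = re.compile(r"^([0-9a-fA-F]+)\s+\*?(.+?)\s*$")
_ALGOS = {64: "sha256", 128: "sha512"}  # hex digest length -> algorithm

def parse_manifest(text):
    """Return {filename: (algorithm, hexdigest)}; malformed lines raise ValueError."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"malformed manifest line: {raw!r}")
        digest, name = m.group(1).lower(), m.group(2)
        if len(digest) not in _ALGOS:
            raise ValueError(f"unsupported digest length {len(digest)} for {name}")
        entries[name] = (_ALGOS[len(digest)], digest)
    return entries

def verify(manifest_text, files):
    """files: {filename: bytes}. Returns {filename: 'OK' | 'FAILED' | 'MISSING'}."""
    results = {}
    for name, (algo, expected) in parse_manifest(manifest_text).items():
        data = files.get(name)
        if data is None:
            results[name] = "MISSING"
            continue
        actual = hashlib.new(algo, data).hexdigest()
        results[name] = "OK" if hmac.compare_digest(actual, expected) else "FAILED"
    return results

# Constructed sample: manifest as fetched from the upstream site, files as
# received from a mirror; one file was altered on the way, one never arrived.
GOOD = b"stand-in for installer bytes"
SAMPLE_MANIFEST = "\n".join([
    hashlib.sha256(GOOD).hexdigest() + "  WebCord-good.exe",
    hashlib.sha256(GOOD).hexdigest() + " *WebCord-tampered.exe",
    hashlib.sha512(GOOD).hexdigest() + "  WebCord-missing.zip",
])
SAMPLE_FILES = {"WebCord-good.exe": GOOD, "WebCord-tampered.exe": GOOD + b"\x00"}

def demo():
    return verify(SAMPLE_MANIFEST, SAMPLE_FILES)
```

Run `demo()` to get the per-file verdicts; a mismatch on any file means the download should be discarded, not "fixed".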

Abyssgrowth commented 1 year ago

Arch Linux seems like a great choice, and a lot to learn.

So you are saying I can spare my time when it comes to comparing checksums when I get the checksum from the same site as the file itself; alright, that sounds logical. I thought that when downloading software from any original source it might still be worth comparing the checksum, because a malicious actor like my internet service provider (forced by law) could inject a state-level trojan into the file I'm downloading while it is being downloaded (from the original source..), and so I would have a malicious file even when I got it from the original source, but the checksum won't match if the ISP modified the file. Sure, if the website hosting the software itself is compromised then checksums are entirely useless.

I've deleted smartscreen.exe, it's just a silly censorship measure of Microsoft... So I didn't even know it gets triggered by WebCord.

The sources you sent seem a bit complicated to be honest; I'd rather just learn how to verify file certificates/integrity instead of understanding the process itself... not the best approach but it'll do the job.

For Windows I found PGP4win, no idea if I need that software for what I want to achieve. Anyway, in my last reply I mentioned that a right-click on whatever software will provide some information, so I took a screenshot, in this example: ProtonVPN. And now? Just to clarify, I'm thankful for all the information you provided to me and I see that you're just here because of WebCord, so when my questions don't really fit here I understand that.

Abyssgrowth commented 1 year ago

[screenshot: Capture]