SpiderOak / Encryptr

Encryptr is a zero-knowledge cloud-based password manager / e-wallet powered by Crypton
GNU General Public License v3.0

Please sign your packaged releases or at least use a cryptographic hash that isn't broken #241

Closed psivesely closed 8 years ago

psivesely commented 8 years ago

MD5 is bad news.

devgeeks commented 8 years ago

The Windows, Android and OS X packages are in fact signed. The Linux ones are not currently, but probably will be in the very near future.

The MD5 hashes you are referring to are just checksums to ensure the file you are downloading is the one you mean to. Even with MD5, creating a collision file would still take an enormous amount of computing effort.