dstark5 / Openlib

An Open source app to download and read books from shadow library (Anna’s Archive)
GNU General Public License v3.0
913 stars 45 forks

Downloaded files not verified? #62

Open Vyryn opened 5 months ago

Vyryn commented 5 months ago

I may be misreading the code, but it doesn't seem like the file contents downloaded from mirrors in lib/services/download_file.dart are verified with the annas-archive md5 hash anywhere. Since third party mirrors can host whatever they like, this is an important step to avoid handing users potential malware. Is it maybe done somewhere I'm not seeing?

dstark5 commented 5 months ago

> I may be misreading the code, but it doesn't seem like the file contents downloaded from mirrors in lib/services/download_file.dart are verified with the annas-archive md5 hash anywhere. Since third party mirrors can host whatever they like, this is an important step to avoid handing users potential malware. Is it maybe done somewhere I'm not seeing?

I'm sorry, I haven't implemented that check, but will sure implement the md5 hash check ASAP. Thank you for mentioning this, bro.

inson1 commented 5 months ago

I think maybe it would be good to also show it in the UI?

dstark5 commented 5 months ago

Sure, gonna add the md5 verified tick after file download on the pop-up.

inson1 commented 5 months ago

It looks like it's done in the latest release.

inson1 commented 5 months ago

Btw, if the checksum is wrong, is the file deleted?

dstark5 commented 5 months ago

If the checksum doesn't match, a pop-up immediately shows with a warning:

"The downloaded book may be malicious. Delete it and get the same book from another source, or use the book at your own risk."

inson1 commented 5 months ago

@dstark5 Shouldn't there also be an option to delete the file from the dialog, so it's easy to manage it?

dstark5 commented 5 months ago

Yes, there should be, but I haven't added the delete button on the alert pop-up. Will sure add it in the next update.

inson1 commented 5 months ago

great work
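
The check discussed in this thread, as an added example that is not part of the thread and is not Openlib's own code: the download is written to a `.part` file, hashed as a stream, and only renamed to its final name when the MD5 matches the catalogue value. It assumes `package:crypto` is a dependency; `verifyDownload`, `VerifyResult` and the file names are hypothetical, and it deletes on mismatch, which differs from the warning pop-up behaviour described above.

```dart
// Added example (not Openlib code). Assumes package:crypto in pubspec.yaml.
import 'dart:io';
import 'package:crypto/crypto.dart';

enum VerifyResult { verified, mismatchDeleted }

/// Hypothetical helper: hashes [partFile] as a stream, then either promotes it
/// to [finalPath] or deletes it. [expectedMd5] is the catalogue record's hash.
Future<VerifyResult> verifyDownload(
    File partFile, String finalPath, String expectedMd5) async {
  final expected = expectedMd5.trim().toLowerCase();
  // Reject a malformed expected value instead of comparing against garbage.
  if (!RegExp(r'^[0-9a-f]{32}$').hasMatch(expected)) {
    throw ArgumentError('expected MD5 must be 32 hex characters');
  }
  // Stream the file through the hash so large books are not held in memory.
  final digest = await md5.bind(partFile.openRead()).first;
  if (digest.toString() != expected) {
    await partFile.delete(); // unverified content never gets the final name
    return VerifyResult.mismatchDeleted;
  }
  await partFile.rename(finalPath); // only verified files are promoted
  return VerifyResult.verified;
}

Future<void> main() async {
  final dir = await Directory.systemTemp.createTemp('verify_demo');
  // Constructed sample bytes standing in for a mirror's response.
  final good = 'constructed sample book bytes'.codeUnits;
  final expected = md5.convert(good).toString();

  final ok = File('${dir.path}/book.epub.part');
  await ok.writeAsBytes(good);
  print(await verifyDownload(ok, '${dir.path}/book.epub', expected));

  // A mirror returning different bytes for the same catalogue entry.
  final bad = File('${dir.path}/other.epub.part');
  await bad.writeAsBytes('tampered bytes'.codeUnits);
  print(await verifyDownload(bad, '${dir.path}/other.epub', expected));
  print(await bad.exists()); // confirm whether the rejected file remains

  await dir.delete(recursive: true);
}
```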