haskell / haskell-platform

Distribution of Haskell with batteries included
http://www.haskell.org/platform/

Security issue in installing Haskell platform in MS Windows - Installer not digitally signed #44

Open r0ml opened 10 years ago

r0ml commented 10 years ago

The Haskell Platform installer for Microsoft Windows should be digitally signed using a certificate from a reputed certificate organization (Verisign, Entrust, etc.). Mozilla Firefox is signed this way. Any software distributed through the internet is signed this way to avoid modification by replacement by an intermediary.

If it is not possible to sign the platform installer, then publish the MD5 checksum along with the link to download the platform installer. (However, Windows users are slightly less used to this approach.)

r0ml commented 10 years ago

Note to self: provide an MD5 sig when releasing an installer.

r0ml commented 10 years ago

This is relevant:

http://stackoverflow.com/questions/10581570/setting-the-uac-publisher-field-for-a-nsis-installer/10587106#10587106

gbaz commented 8 years ago

We're already doing the checksum now afaik. @randen do you have thoughts on if signing is important or knowledge on if we've addressed this already?
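
The two checks discussed in this thread, a published checksum and an Authenticode signature, can both be run by a Windows user before launching a downloaded installer. The PowerShell function below is an added example, not part of the issue or of the project's tooling; `Test-InstallerIntegrity`, its parameters and the values in the usage comment are hypothetical.

```powershell
# Added example: verify a downloaded Windows installer before running it.
# Function name, parameters and usage values are assumptions, not project code.
function Test-InstallerIntegrity {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Checksum published by the project next to the download link.
        [Parameter(Mandatory)] [string] $ExpectedHash,
        # MD5 is what the issue proposes; SHA256 applies if the project publishes one.
        [ValidateSet('MD5', 'SHA256')] [string] $Algorithm = 'SHA256',
        # Optional: text expected in the signing certificate's subject.
        [string] $ExpectedPublisher
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "Installer not found: $Path"
    }

    # 1. Checksum comparison; whitespace from copy/paste is stripped first.
    $actual   = (Get-FileHash -LiteralPath $Path -Algorithm $Algorithm).Hash
    $expected = ($ExpectedHash -replace '\s', '').ToUpperInvariant()
    $hashOk   = ($actual -eq $expected)

    # 2. Authenticode check. An unsigned installer reports 'NotSigned',
    #    which is the condition this issue describes.
    $sig         = Get-AuthenticodeSignature -LiteralPath $Path
    $signatureOk = ($sig.Status -eq 'Valid')
    $subject     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

    # The publisher is only enforced when the caller names one.
    $publisherOk = $true
    if ($ExpectedPublisher) {
        $publisherOk = $signatureOk -and ($subject -like "*$ExpectedPublisher*")
    }

    [pscustomobject]@{
        Path            = $Path
        Algorithm       = $Algorithm
        ActualHash      = $actual
        HashMatches     = $hashOk
        SignatureStatus = $sig.Status
        SignerSubject   = $subject
        Passed          = $hashOk -and $publisherOk
    }
}

# Usage (placeholder file name and checksum):
# Test-InstallerIntegrity -Path .\installer.exe -ExpectedHash '<published checksum>' -Algorithm MD5
```

A matching checksum only helps when the checksum itself was obtained over a channel the intermediary cannot also modify; a valid signature from the expected publisher does not depend on the download channel.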