mintty / wsltty

Mintty as a terminal for Bash on Ubuntu on Windows / WSL

checksum for the binary release #189

Closed luyoutao closed 5 years ago

luyoutao commented 5 years ago

Just to ensure the file integrity--can you please provide a checksum for your binary release? Thanks.

mintty commented 5 years ago

I may be ignorant, but what's the purpose of a checksum for a github download? Do you think you could be spoofed about github.com? Also, how would a typical checksum be generated? (Cygwin tool and parameters please.)

Biswa96 commented 5 years ago
mintty commented 5 years ago

Checksum for the current release, if that's what you're up to:

shasum -b wsltty-3.0.2.3-install.exe

07e1f0c04589967b013d977f5a36ae8a48a0cc85 *wsltty-3.0.2.3-install.exe

Biswa96 commented 5 years ago

I think OP wants to provide SHA256 (or higher) in the release page.

mintty commented 5 years ago

I see no point in that. What's the value? If someone really spoofs a github page in order to spread a maliciously manipulated download, they can as well publish a modified checksum. Placing a checksum aside only gives a false impression of security which is not given. A checksum may be used in mailing list announcements but it's even counter-productive to publish a checksum along with the download.

luyoutao commented 5 years ago

@mintty What you said makes sense. But in general, how to prevent a binary release from being tampered with?

mintty commented 5 years ago

Closing as general security questions cannot be answered here. Thanks for raising the issue.
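
Added example (not part of the original thread and not wsltty project code): a verifier for checksum lines in the `shasum -b` format shown in the thread, choosing SHA-1, SHA-256 or a longer SHA-2 variant from the digest length. It assumes the trusted line was obtained through a channel other than the download page, such as the mailing list announcement mentioned above; the function names and the sample file are constructed for illustration.

```python
import hashlib
import hmac
import os
import re
import tempfile

# Hex digest length -> hashlib algorithm name.
ALGO_BY_HEX_LEN = {40: "sha1", 64: "sha256", 96: "sha384", 128: "sha512"}
# shasum-style line: digest, space, mode char ('*' binary, ' ' text), file name.
LINE_RE = re.compile(r"^([0-9A-Fa-f]+) ([ *])(.+)$")

def parse_checksum_line(line):
    """Return (algorithm, lowercase hex digest, file name)."""
    m = LINE_RE.match(line.strip())
    algo = ALGO_BY_HEX_LEN.get(len(m.group(1))) if m else None
    if algo is None:
        raise ValueError("not a recognised checksum line: %r" % line)
    return algo, m.group(1).lower(), m.group(3)

def file_digest(path, algo, chunk_size=1 << 20):
    """Hash in chunks so a large installer is never fully in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_download(path, trusted_line):
    """True only if file name and digest match the line from the other channel."""
    algo, expected, name = parse_checksum_line(trusted_line)
    if os.path.basename(path) != name:
        return False
    return hmac.compare_digest(file_digest(path, algo), expected)

def demo():
    """Constructed sample file and checksum line, not the real installer."""
    data = b"constructed installer bytes\n"
    line = hashlib.sha256(data).hexdigest() + " *sample-install.exe"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample-install.exe")
        with open(path, "wb") as f:
            f.write(data)
        intact = verify_download(path, line)
        with open(path, "ab") as f:
            f.write(b"x")  # simulate a modified download
        return intact, verify_download(path, line)

if __name__ == "__main__":
    print(demo())
```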