Closed einsteinsfool closed 6 years ago
To be fair, all our distributables are signed. If you get an unsigned installer, or an untrusted installer, then you have a bad executable.
We also use SHA256 for that right now.
The digital certificate that is on all our executable files uses a sha256 hash. That is really enough in my opinion. Digital signatures are the 21st Century way of doing file level security.
Description
Provide SHA512 and SHA256 checksums for all files on the official page, GitHub in the releases section and ideally on the file server. All in plaintext so users don't need to download the checksum which would defeat the whole purpose of them.
PS: Both MD5 and SHA1 are broken and shouldn't be provided because they give a false sense of security.
Expected Behavior
After downloading the file I should be able to verify if the file I have is the same as the one uploaded by the maintainers.
Current Behavior
Users can't verify the downloaded files.
Steps to Reproduce
f...hacked. (couldn't resist)
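An added example, not part of the original issue or the project's code: one way a user could check a download against a plaintext checksum listing in the `sha256sum`/`sha512sum` layout, accepting only SHA-256 and SHA-512 digests as the issue requests. The file name `installer.exe` and the sample bytes in `demo()` are constructed.

```python
import hashlib
import hmac
import os
import tempfile

# Hex digest length -> algorithm; MD5 (32) and SHA-1 (40) are deliberately absent.
ALGOS = {64: "sha256", 128: "sha512"}

def parse_listing(text):
    """Parse 'HEXDIGEST  filename' lines (sha256sum/sha512sum layout)."""
    entries = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # blank or malformed line
        digest, name = parts[0].lower(), parts[1].strip().lstrip("*")
        algo = ALGOS.get(len(digest))
        if algo is None or set(digest) - set("0123456789abcdef"):
            raise ValueError(f"unsupported digest for {name!r}")
        entries.setdefault(name, []).append((algo, digest))
    return entries

def file_digest(path, algo):
    """Hash in 1 MiB chunks so large installers are not read into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def verify(path, listing, name=None):
    """True only if every published digest for the file matches."""
    expected = parse_listing(listing).get(name or os.path.basename(path))
    if not expected:
        raise KeyError("no published checksum for this file")
    return all(hmac.compare_digest(file_digest(path, a), d) for a, d in expected)

def demo():
    """Constructed sample: a stand-in installer, verified, then modified."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "installer.exe")  # hypothetical file name
        with open(path, "wb") as f:
            f.write(b"constructed installer bytes")
        listing = "".join(f"{file_digest(path, a)}  installer.exe\n" for a in ALGOS.values())
        intact = verify(path, listing)
        with open(path, "ab") as f:
            f.write(b"\x00")  # simulate a corrupted or altered download
        return intact, verify(path, listing)
```

A checksum only helps if the listing is fetched over a channel the attacker does not also control; a listing served from the same compromised server as the file proves integrity of transfer, not authenticity.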