v2fly / docker

docker build repo for v2fly
https://hub.docker.com/r/v2fly/v2fly-core
MIT License

rootless #63

Closed raidenii closed 1 year ago

raidenii commented 1 year ago

closes #62

sly-net commented 3 months ago

So, if an attacker successfully performs a man-in-the-middle attack to let the client believe he is github.com, in order to provide an infected v2ray zip archive to the client, the digest will not save the client (unless the attacker is stupid enough to forget to change the digest in addition to changing the zip file).

Well, that's simple: the digest should be provided locally instead of being fetched remotely... The digest ensures we got the expected file from the server. It's not a way to control the transport integrity (TCP/TLS does this).
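
The point made in the comment above, as an added example (not part of the thread or of the repository's build script): a check against a digest fetched over the same channel as the archive accepts whatever that channel delivers, while a check against a locally pinned digest does not. The function names, file names, file contents and the pinned value are constructed for the illustration.

```shell
# Added example; every file and value below is a constructed sample.

# Print the SHA-256 of a file as lowercase hex.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Succeed only if the file hashes to the expected digest.
# usage: verify_digest <file> <expected-hex-sha256>
verify_digest() {
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    case "$expected" in
        *[!0-9a-f]*) return 2 ;;            # not hex: refuse to compare
    esac
    [ "${#expected}" -eq 64 ] || return 2   # not a SHA-256 length
    actual=$(sha256_of "$1") || return 2
    [ "$actual" = "$expected" ]
}

# Digest provided locally (in a real build: committed next to the Dockerfile).
# Constructed value: SHA-256 of the 3 bytes "abc", standing in for the release.
PINNED_SHA256=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad

demo() {
    dir=$(mktemp -d) || return 1
    printf 'abc' > "$dir/genuine.zip"        # what the real server serves
    printf 'tampered' > "$dir/swapped.zip"   # archive replaced in transit
    # A digest fetched over the same channel is replaced along with the archive.
    remote_digest=$(sha256_of "$dir/swapped.zip")

    r_remote=0; verify_digest "$dir/swapped.zip" "$remote_digest" || r_remote=$?
    r_pinned=0; verify_digest "$dir/swapped.zip" "$PINNED_SHA256" || r_pinned=$?
    r_good=0;   verify_digest "$dir/genuine.zip" "$PINNED_SHA256" || r_good=$?
    rm -rf "$dir"
    # 0 = accepted, non-zero = rejected
    echo "remote=$r_remote pinned=$r_pinned genuine=$r_good"
}

demo
```
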