Website Download - Please show checksums #82
Could you also please add clear version information to the msi file name, the service registration and the installer registration info. All this will help users. To go a bit further for this, it may be a good idea to post a change log to GitHub with the file name (including version), and the checksum of the msi installer. This will further enhance users' ability to verify that the msi downloaded is valid.
Yes will try to push it into the task line. In the meantime - if MSI downloaded is incorrect then the signature shall fail? We sign MSI with our code certificate. If MSI is not signed it is not recommended to run it in the first place.
Good point about the code signing. It definitely makes me feel better about the security. I'm not sure but there may still be some abilities that a new MSI could be generated and signed to replace the original either through a MITM attack or by having the source file changed on a hacked site. It's definitely an edge case but more checks would not hurt and would greatly increase the comfort level of the extra paranoid like myself. I recall at a big corporation seeing someone accidentally downloading a rogue ssh client for Windows and putting it onto a DMZ jump box. That epic fail has made me extra wary of verifying downloads ever since. Ironically, I had installed the correct ssh client on the same jump box several months prior but the user just did not check and assumed it was not installed yet.
Trust me - getting a code signing certificate is very complex.
I would not worry about hackers in this case – the rogue ssh client was not signed properly most probably.
From: JavaScriptDude <[email protected]>
Sent: Wednesday, 27 March 2019 19:39
To: diladele/squid-windows <[email protected]>
Cc: Rafael Akchurin <[email protected]>; Assign <[email protected]>
Subject: Re: [diladele/squid-windows] Website Download - Please show checksums (#82)
Good point about the code signing. It definitely makes me feel better about the security.
I'm not sure but there may still be some abilities that a new MSI could be generated and re-signed to replace the original either through a MITM attack or by having the source file changed on a hacked site. It's definitely an edge case but more checks would not hurt and would greatly increase the comfort level of the extra paranoid like myself.
I recall at a big corporation seeing someone accidentally downloading a rogue ssh client for Windows and putting it onto a DMZ jump box. That epic fail has made me extra wary of verifying downloads ever since. Ironically, I had installed the correct ssh client on the same jump box several months prior but the user just did not check and assumed it was not installed yet.
Can you please add SHA1 and/or MD5 checksum for the binary downloads to your website? At present, there is no way to safely check besides sandboxing the installer.
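A way for a downloader to run both checks discussed in this thread, as an added example that is not part of the original issue or the project's own code: it compares the MSI's hash with a published value and confirms the Authenticode signature is valid and comes from the expected certificate. The three script parameters are placeholders for values the publisher would have to provide, and SHA-256 is used here in place of the SHA1/MD5 named in the request.

```powershell
# Added example: verify a downloaded MSI before running it.
# $ExpectedSha256 and $ExpectedThumbprint are placeholders; obtain the real values
# from the publisher through a channel other than the download page itself.
param(
    [Parameter(Mandatory)] [string] $MsiPath,
    [Parameter(Mandatory)] [string] $ExpectedSha256,
    [Parameter(Mandatory)] [string] $ExpectedThumbprint
)

$ErrorActionPreference = 'Stop'

# 1. Integrity: the file on disk must match the published checksum.
#    PowerShell string comparison is case-insensitive, so hex case does not matter.
$actualHash = (Get-FileHash -LiteralPath $MsiPath -Algorithm SHA256).Hash
if ($actualHash -ne $ExpectedSha256.Trim()) {
    throw "Checksum mismatch: expected $ExpectedSha256, got $actualHash"
}

# 2. Authenticity: the Authenticode signature must validate against the
#    local trust store and cover the file contents as downloaded.
$sig = Get-AuthenticodeSignature -LiteralPath $MsiPath
if ($sig.Status -ne 'Valid') {
    throw "Signature check failed: $($sig.Status) - $($sig.StatusMessage)"
}

# 3. Identity: a valid signature only proves that *someone* with a trusted
#    certificate signed the file. Pin the signer so that an installer signed
#    by a different publisher is rejected. The thumbprint changes whenever
#    the publisher renews its certificate, so the pinned value needs updating.
$signer = $sig.SignerCertificate
$pinned = $ExpectedThumbprint -replace '\s', ''
if ($signer.Thumbprint -ne $pinned) {
    throw "Unexpected signer: $($signer.Subject) [$($signer.Thumbprint)]"
}

Write-Output "OK: $MsiPath"
Write-Output "  SHA256 : $actualHash"
Write-Output "  Signer : $($signer.Subject)"
Write-Output "  Expires: $($signer.NotAfter)"
```

The checksum only adds assurance when the expected value comes from somewhere an attacker who altered the download could not also alter, such as a change log hosted separately from the website.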