[Mono-list] Not able to verify integrity of download

Edward Ned Harvey (mono) edward.harvey.mono at clevertrove.com
Wed Mar 12 11:00:19 UTC 2014


> From: Ian Norton [mailto:inorton at gmail.com]
> Sent: Tuesday, March 11, 2014 2:29 AM
> 
> I think our friend is wondering if our stable archive is trusted. if someone
> hasn't snuck in and inserted some nasty in the released tarball.
> I for one think that xamarin really really need to sha2 and sign the released
> stable sources!

So - How does that work?  The two things I usually see are either:
On the website, they give you a download link for a file, and they also tell you the MD5 and SHA1 sums of the file...
or
You download something like a .msi or .exe, and your browser does a security scan, and upon launch, it does another security scan, and verifies all the codesigning signatures...

So my question for you guys is, what do you want to see?  The way I see it, posting the MD5 or SHA1 on the website does not help protect you against malicious person hacking up the website.  Because they'll just update the sums to match their infected tarball.

Code signing is very nice, because the software publisher must jump through trusted root CA verification, proof of control of the organization, etc, and the publisher has a private key, so even if somebody hacks up the website, they still cannot fake a valid signed file.  So the recipient will be able to detect the malicious behavior.  (Invalid code signing cert, or not signed at all.)

But I'm not aware of any way to do code signing on the source tarball, etc.
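As an added illustration of the point above (not code from the thread or from the Mono project): a detached signature over a source tarball, verified against a public key the user already holds, catches a swapped tarball even when the attacker has also rewritten the SHA-256 posted on the website. Ed25519 stands in for whatever signing scheme the publisher would use, and the tarball bytes are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Release models what a publisher posts: the tarball, its SHA-256 as the
// website would list it, and a detached signature over the tarball bytes.
type Release struct {
	Tarball   []byte
	SHA256Hex string
	Signature []byte
}

// Publish hashes the tarball and signs it with the publisher's offline private key.
func Publish(priv ed25519.PrivateKey, tarball []byte) Release {
	sum := sha256.Sum256(tarball)
	return Release{Tarball: tarball, SHA256Hex: hex.EncodeToString(sum[:]), Signature: ed25519.Sign(priv, tarball)}
}

// ChecksumMatches is the website-hash check: it only proves the download matches
// whatever hash the (possibly compromised) website currently shows.
func ChecksumMatches(r Release) bool {
	sum := sha256.Sum256(r.Tarball)
	return hex.EncodeToString(sum[:]) == r.SHA256Hex
}

// SignatureValid checks the detached signature against a public key obtained out of
// band (pinned by the user, not fetched from the download page), so a website
// compromise alone cannot forge it.
func SignatureValid(pub ed25519.PublicKey, r Release) bool {
	return ed25519.Verify(pub, r.Tarball, r.Signature)
}

// Tamper simulates the scenario from the mail: the tarball is replaced and the
// posted checksum updated to match, but the signature cannot be regenerated.
func Tamper(r Release, replaced []byte) Release {
	sum := sha256.Sum256(replaced)
	return Release{Tarball: replaced, SHA256Hex: hex.EncodeToString(sum[:]), Signature: r.Signature}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed keypair for the demo
	good := Publish(priv, []byte("constructed tarball bytes"))
	bad := Tamper(good, []byte("constructed tarball bytes, modified"))
	fmt.Println(ChecksumMatches(bad), SignatureValid(pub, bad)) // true false
}
```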
