[Mono-list] Not able to verify integrity of download

Matt Clay Matt.Clay at earthclassmail.com
Wed Mar 12 17:25:33 UTC 2014


Perhaps you could use GnuPG to sign releases like is done for the Linux kernel sources?

https://www.kernel.org/signature.html

 - Matt

-----Original Message-----
From: mono-list-bounces at lists.ximian.com [mailto:mono-list-bounces at lists.ximian.com] On Behalf Of Edward Ned Harvey (mono)
Sent: Wednesday, March 12, 2014 4:00 AM
To: Ian Norton
Cc: mono-list at lists.ximian.com; monolithic1
Subject: Re: [Mono-list] Not able to verify integrity of download

> From: Ian Norton [mailto:inorton at gmail.com]
> Sent: Tuesday, March 11, 2014 2:29 AM
> 
> I think our friend is wondering if our stable archive is trusted, i.e. if 
> someone hasn't snuck in and inserted some nasty in the released tarball.
> I for one think that Xamarin really, really needs to SHA-2 and sign the 
> released stable sources!

So, how does that work?  The two things I usually see are either:
On the website, they give you a download link for a file, and they also tell you the MD5 and SHA1 sums of the file...
or
You download something like a .msi or .exe, and your browser does a security scan, and upon launch, it does another security scan, and verifies all the codesigning signatures...

So my question for you guys is, what do you want to see?  The way I see it, posting the MD5 or SHA1 on the website does not help protect you against a malicious person hacking up the website.  Because they'll just update the sums to match their infected tarball.

Code signing is very nice, because the software publisher must jump through trusted root CA verification, proof of control of the organization, etc, and the publisher has a private key, so even if somebody hacks up the website, they still cannot fake a valid signed file.  So the recipient will be able to detect the malicious behavior.  (Invalid code signing cert, or not signed at all.)

But I'm not aware of any way to do code signing on the source tarball, etc.
_______________________________________________
Mono-list maillist  -  Mono-list at lists.ximian.com http://lists.ximian.com/mailman/listinfo/mono-list
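Added example, not part of this thread and not anything the Mono project ships, showing the difference Matt's suggestion makes: a detached signature produced with an offline release key, versus a checksum published on the same web server as the tarball. It uses openssl as a stand-in for GnuPG purely because it is installed almost everywhere (the principle is identical, and the gpg equivalent is the kernel.org procedure linked above). Every key, "tarball", checksum and signature is constructed locally in a scratch directory, so nothing is downloaded, and all file names are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread or the Mono project): a detached release
# signature made with an offline key versus a checksum posted on the same
# website. openssl stands in for GnuPG only because it is installed almost
# everywhere; the gpg commands are the ones in the kernel.org page linked above.
# Everything is constructed in a scratch directory; nothing is downloaded.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

sha256_of() {
    # The last field is the hex digest for both the "SHA256(file)= hash"
    # and the "hash *file" output styles of different openssl versions.
    openssl dgst -sha256 "$1" | awk '{print $NF}'
}

# Publisher side. The private key lives offline; the web server never sees it.
make_release() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/release.key" 2>/dev/null
    openssl pkey -in "$WORK/release.key" -pubout -out "$WORK/release.pub" 2>/dev/null
    # Stand-in for the real tarball (constructed content, assumed name)
    printf 'genuine mono source tarball\n' > "$WORK/mono-src.tar"
    # Two things the download page can publish next to the tarball:
    sha256_of "$WORK/mono-src.tar" > "$WORK/mono-src.tar.sha256"   # a posted checksum
    openssl dgst -sha256 -sign "$WORK/release.key" \
        -out "$WORK/mono-src.tar.sig" "$WORK/mono-src.tar"          # a detached signature
}

# Attacker side: full control of the web server, but no copy of release.key.
compromise_site() {
    printf 'tarball with something nasty inserted\n' > "$WORK/mono-src.tar"
    sha256_of "$WORK/mono-src.tar" > "$WORK/mono-src.tar.sha256"   # sum rewritten to match
    # mono-src.tar.sig is left as it was: it cannot be regenerated without the key
}

# Downloader side. The public key was obtained earlier and out of band (keyserver,
# fingerprint printed in the docs, a previous release), not from this download.
check_hash() { [ "$(sha256_of "$1")" = "$(cat "$1.sha256")" ]; }
check_sig()  { openssl dgst -sha256 -verify "$WORK/release.pub" \
                   -signature "$1.sig" "$1" >/dev/null 2>&1; }

# Report what each check says about the tarball currently on the "server".
verdict() {
    h=fail; s=fail
    if check_hash "$WORK/mono-src.tar"; then h=ok; fi
    if check_sig  "$WORK/mono-src.tar"; then s=ok; fi
    echo "hash=$h sig=$s"
}

make_release
echo "untouched download:    $(verdict)"   # hash=ok sig=ok
compromise_site
echo "after site compromise: $(verdict)"   # hash=ok sig=fail
```

The honest run reports hash=ok sig=ok; after the attacker swaps the tarball and rewrites the checksum it reports hash=ok sig=fail. A posted sum is exactly as trustworthy as the server it sits on, while forging the signature would need the private key that never touched that server. The signature check only means something if the public key was fetched and its fingerprint confirmed out of band before the download, which is why the kernel.org procedure starts with obtaining and checking the developers' keys rather than with the tarball.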