Where are the checksums for the files on the download page?

Posts: 1
Joined: 25 Jan 2017

rwill

I think the title says it all - downloaded FreeFileSync_8.8_Windows_Setup.exe and would like to verify the integrity. Is there a sha256 hash somewhere on this site? I've looked around, and can't find any checksums.
Site Admin
Posts: 7212
Joined: 9 Dec 2007

Zenju

The installer is digitally signed, so it includes a hash. This one is checked automatically during installation.
Posts: 4
Joined: 11 Apr 2019

0146754

The installer is digitally signed, so it includes a hash. This one is checked automatically during installation. Zenju, 25 Jan 2017, 10:43
This doesn't prevent a MITM where the attacker serves a compromised version of the software, which can be installed as a first installation on Windows, and especially on Linux, where the update process consists of overwriting the old folder with the newly downloaded one. Adding checksums for download verification costs nothing and is very beneficial; there is no reason in the world why they should not be provided. Please put them on the download page underneath the download links.
Site Admin
Posts: 7212
Joined: 9 Dec 2007

Zenju

The installer is digitally signed, so it includes a hash. This one is checked automatically during installation. Zenju, 25 Jan 2017, 10:43
This doesn't prevent a MITM where the attacker serves a compromised version of the software, which can be installed as a first installation on Windows, and especially on Linux, where the update process consists of overwriting the old folder with the newly downloaded one. Adding checksums for download verification costs nothing and is very beneficial; there is no reason in the world why they should not be provided. Please put them on the download page underneath the download links. 0146754, 11 Apr 2019, 22:51
This compromised version doesn't have a valid signature then, which will be obvious when trying to install. And there is still a "cost" to showing a bunch of checksums: It adds distracting information that 99.9% of users won't need.
Posts: 4
Joined: 11 Apr 2019

0146754

This compromised version doesn't have a valid signature then, which will be obvious when trying to install. And there is still a "cost" to showing a bunch of checksums: It adds distracting information that 99.9% of users won't need. Zenju, 25 Jan 2017, 10:43
I understand the signature part: if the program is already installed, the OS will warn that it has a different signature and refuse to install it. This is the case with Windows and macOS on subsequent installations after the first one (which, if done with a compromised installer, would then create a situation where a genuine installer would fail in the future because of a different signature); all the other OSes do not install anything, they just run the unpacked executable file. What seems unreasonable to me is not providing checksums; why not put them in a text file or on another page in another section of the website? Then whoever wants them can find them and nobody is "distracted" by them being on the download page (whatever that means; I would be wary of calling a security feature distracting, and I never saw anyone complaining about checksums anywhere; can you point me to a case where this happened?)
Posts: 6
Joined: 18 Mar 2020

vjayer

Hello, I came to this post looking for exactly the same thing. I really like FFS, but I too think the lack of checksums is a security hazard, especially for Linux binaries. The other OSes have signed installers that provide some mitigation, and even more so from the virus scanning that is automatically done for downloads on Windows, but if the Linux binaries here were compromised, users would not be aware of it.

An increasing danger is crypto-related malware, maybe more so on Linux. Some examples include things that were distributed on GitHub, and not too long ago even the official Monero Linux binary distributed on their servers was hacked. People found out and were able to prevent the hijacking of funds by checking the checksum.
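The check the posters are asking for, as an added example written for this thread and not code from FreeFileSync: it streams the SHA-256 of a downloaded file and compares it against a `sha256sum`-style list ("<hex digest>  <filename>" per line). The installer filename is the one from the first post; the file contents and the checksum list are constructed in the demo. One caveat to keep beside Zenju's point about signatures: a checksum fetched from the same page over the same connection as the download is only as trustworthy as that connection, so it catches corruption and a tampered mirror, while a signature (or a checksum list obtained out of band) is what covers an attacker who controls the channel.

```python
"""Verify a download against a SHA256SUMS-style checksum list.

Added example, not FreeFileSync's own code. Format assumed is the one
`sha256sum` emits: "<64 hex chars>  <filename>" (a leading '*' on the
filename marks binary mode and is tolerated).
"""
import hashlib
import hmac
import os
import tempfile


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file in 1 MiB chunks so large installers need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sha256sums(text):
    """Parse sha256sum output into {filename: hexdigest}.

    Blank lines and '#' comments are skipped; a malformed digest raises,
    because silently ignoring a bad line would turn a missing entry into a
    'not listed' result rather than an error the user sees.
    """
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition("  ")
        name = name.lstrip("*").strip()
        digest = digest.lower()
        if not sep or len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"malformed checksum line: {line!r}")
        entries[name] = digest
    return entries


def verify_download(path, sums_text):
    """True only if the file's digest matches its published entry.

    A file with no entry in the list is treated as unverified (False), and
    the comparison is constant-time out of habit, even though a hex digest
    of a public file is not a secret.
    """
    expected = parse_sha256sums(sums_text).get(os.path.basename(path))
    if expected is None:
        return False
    return hmac.compare_digest(sha256_of_file(path), expected)


def demo():
    """Constructed demo: a fake installer, its checksum list, then a one-byte
    change to the file, as a corrupted or tampered download would look.
    Returns (result before tampering, result after tampering)."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed stand-in for the installer; not a real binary.
        installer = os.path.join(d, "FreeFileSync_8.8_Windows_Setup.exe")
        with open(installer, "wb") as f:
            f.write(b"constructed installer payload, not a real binary\n" * 1000)

        # The checksum list a site would publish (constructed here from the file).
        sums = f"{sha256_of_file(installer)}  {os.path.basename(installer)}\n"
        ok_before = verify_download(installer, sums)

        # Flip one byte in the middle of the file.
        with open(installer, "r+b") as f:
            f.seek(10)
            f.write(b"X")
        ok_after = verify_download(installer, sums)
    return ok_before, ok_after


if __name__ == "__main__":
    before, after = demo()
    print(f"intact download verifies: {before}; tampered download verifies: {after}")
```

On a Linux box the same check is the one-liner `sha256sum -c SHA256SUMS`; the point of writing it out is to show what that command actually decides on: the file is looked up by name, the digest is recomputed over the whole file, and anything not listed counts as unverified rather than as passing.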
Site Admin
Posts: 7212
Joined: 9 Dec 2007

Zenju

the lack of checksums is a security hazard, especially for Linux binaries. The other OS's have signed installers that provide some mitigation vjayer, 06 May 2020, 21:31
The Linux binaries are also (self-)signed, which FFS will check during start up.
Posts: 6
Joined: 18 Mar 2020

vjayer

Thanks for the quick reply. I feel reassured from knowing that at least