Sign your releases

Dear zenju,
Would you please cryptographically sign the download files (binaries and sources), for example with a PGP key, and provide the signature in an additional download file suffixed by any of these usual suffixes: asc, gpg, pgp, sig and sign?
For example:
https://freefilesync.org/download/FreeFileSync_11.23_Source.zip → https://freefilesync.org/download/FreeFileSync_11.23_Source.zip.asc
If not, maybe you could provide the checksums?
Thanks
- Posts: 44
- Joined: 14 Aug 2022
- Posts: 1038
- Joined: 8 May 2006
+1
Quote: "...could provide the checksums?"
Though I'd think that to be problematic for the Donation versions (as they would be unique to a user).
(The .exe's (on Windows) are signed (as far as that goes).)
- Site Admin
- Posts: 7211
- Joined: 9 Dec 2007
The FreeFileSync binaries are already signed on all platforms (Windows, Linux, macOS). The signature is checked at runtime. So if FreeFileSync starts you can be sure that the signature is valid. Otherwise you'd see an error message.
This only leaves the question: Can you trust the signature to really be authentic?
For Windows/macOS this is solved by code signing and the trust chains that transitively rely on root certificates of the OS.
And for Linux?
The binaries are signed by having the OpenSSL SHA256 digest appended to the file (the last 256 bytes). The corresponding public key is this:
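The Linux check described in the post (strip the last 256 bytes, verify them as an RSA/SHA-256 signature over everything before them), as an added shell example that is not the project's own code. It assumes PKCS#1 v1.5 padding as produced by `openssl dgst -sha256 -sign` (the post does not say which padding is used) and demonstrates the round trip with a throwaway key pair generated on the spot; to check a real download you would pass the public key from the post instead.

```shell
#!/bin/sh
# Added example: check a file whose last 256 bytes are an RSA signature over
# everything before them, as the post describes for the Linux build.
# Assumption (not stated in the post): the signature is RSA PKCS#1 v1.5 with
# SHA-256, i.e. what `openssl dgst -sha256 -sign` emits; 256 bytes = 2048-bit RSA.
set -eu

SIG_LEN=256

# verify_appended_sig FILE PUBKEY.pem
# Exit status 0 when the trailing signature verifies against the body, 1 otherwise.
verify_appended_sig() {
    file="$1"; pub="$2"
    size=$(wc -c < "$file" | tr -d ' ')
    [ "$size" -gt "$SIG_LEN" ] || return 1               # too short to hold a signature
    tmp=$(mktemp -d)
    head -c "$((size - SIG_LEN))" "$file" > "$tmp/body"  # everything but the tail
    tail -c "$SIG_LEN" "$file" > "$tmp/sig"              # the appended signature
    if openssl dgst -sha256 -verify "$pub" -signature "$tmp/sig" "$tmp/body" >/dev/null 2>&1; then
        rm -rf "$tmp"; return 0
    fi
    rm -rf "$tmp"; return 1
}

# demo: self-contained round trip with a throwaway key pair generated here
# (constructed for the example, NOT the project's key). Returns 0 only if the
# genuine file verifies AND a copy with one altered body byte is rejected.
demo() {
    work=$(mktemp -d)
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$work/priv.pem" 2>/dev/null
    openssl pkey -in "$work/priv.pem" -pubout -out "$work/pub.pem"
    printf 'constructed stand-in for an ELF binary\n' > "$work/body"
    openssl dgst -sha256 -sign "$work/priv.pem" -out "$work/sig" "$work/body"
    cat "$work/body" "$work/sig" > "$work/signed.bin"
    # Tampered copy: replace the first byte of the body, keep the signature intact.
    { printf 'X'; tail -c +2 "$work/signed.bin"; } > "$work/tampered.bin"

    verify_appended_sig "$work/signed.bin" "$work/pub.pem" || { rm -rf "$work"; return 1; }
    if verify_appended_sig "$work/tampered.bin" "$work/pub.pem"; then rm -rf "$work"; return 1; fi
    rm -rf "$work"
    return 0
}

demo && echo "genuine file verified, tampered copy rejected"
```

Against a real download, save the PEM from the post to a file and run `verify_appended_sig FreeFileSync_binary ffs_pub.pem`; a passing check proves the file was signed by the holder of that key, which is the part of the trust question the post leaves to the reader.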
- Posts: 44
- Joined: 14 Aug 2022
I was mainly interested in source file being signed actually.
- Posts: 18
- Joined: 13 Mar 2021
+1
It would be nice to have the source signed.
- Posts: 4
- Joined: 30 Aug 2024
+1 for signed sources.
Additionally, I'd advocate for FFS' website to present checksums, e.g. SHA-256 or SHA-512, for each of their downloadable files.
In my view, this'd simplify the process of quickly verifying downloads for less experienced users - e.g. per browser add-on - without having to rely on the assumption that a downloaded executable, verifying itself at startup, hasn't been tampered with.
With lawful interception involving redirected connections, it may be possible to exchange and transmit maliciously altered binaries and archives to users (pre-compiled from the available sources), which only pretend to do integrity self-checking at startup.
When using SHA checksums directly integrated into the website, a MitM attacker would have to mimic the whole website's environment to also transmit fraudulent checksums to their targets, which should make the whole process of compromise a lot harder.