[ https://issues.jboss.org/browse/JBIDE-24642?page=com.atlassian.jira.plugi... ]
Nick Boldt edited comment on JBIDE-24642 at 7/24/17 6:48 PM:
-------------------------------------------------------------
I've added SHA256 sums to the staging and release announcement emails. It'll look
like this:
{code:title=jbosstools staging}
SHA256 sums:
* a347815948e751defc8bb7c84958f5441a49e92735d8fee74cf0cc33c3f2bb67
jbosstools-4.5.0.AM2-updatesite-core.zip
* 5004c6b1fd7750e9c6060021ad2e9eef15907dea47583fe5f43b45c06e43fea4
jbosstools-4.5.0.AM2-src.zip
* 2ef6932514bd5a1501f43106acc609297e79074e54791e86e5ad9fae708bbda3
jbosstools-4.5.0.AM2-browsersim-standalone.zip
{code}
{code:title=jbosstools milestone release}
SHA256 sums:
* b4e847b00b1ce983276c499aee7d20eac3ab9cbb13446df6849150ca5ef6578e
jbosstools-4.4.4.Final-updatesite-core.zip
* 8822443d7529d574f4281f53b8a02f3e812fc870955936737640b747b6fc00d6
jbosstools-4.4.4.Final-src.zip
* 7df22ec7dd71fbd0beb9dbecec8b6a98fbacad9010d5cf4cc240945983c44e67
jbosstools-4.4.4.Final-browsersim-standalone.zip
{code}
{code:title=devstudio staging}
SHA256 sums:
* 41efa15eb4648d9f721d93b48dd0a8400436e3b8606f373b5753ecba804f5046
devstudio-11.0.0.AM2-v20170713-2124-B489-installer-standalone.jar
* 5fad8919640d8f6bf1a0efe767d7d65df637e57428a43cf68fbf7b8c419ec690
devstudio-11.0.0.AM2-v20170713-2124-B489-updatesite-core.zip
* a8ad843e1084eb9192540fbffceef818ff65a122187dead2f2959f2171bad1ff
devstudio-11.0.0.AM2-v20170713-2124-B489-updatesite-central.zip
* 857f93175bc31734fdc1240dfeedce4e65d10a517505f59227350eefe102836f
rh-eclipse47-devstudio-11.0-0.20170713.2235.el7.x86_64.rpm
* 30aef9d3d01794b06dcc44d560efcd5da352b9821a9cae2a3100f79f451fda1d
rh-eclipse47-devstudio-11.0-0.20170713.2235.el7.src.rpm
{code}
{code:title=devstudio milestone release}
SHA256 sums:
* 812c135ce00b570e7240e1d4fbc0b4e2a51928e97589ae9cf7aa08b0156ef6b4
devstudio-10.4.0.GA-v20170511-1748-B62-installer-standalone.jar
* 67e5b7310ddf05eaa641d22d1026462d561a8af051e8b185c8d709f81473217f
devstudio-10.4.0.GA-v20170511-1748-B62-updatesite-core.zip
* 78a5e0ed4573601cc916019e1acf9ede688a0593da05f2156900529365f2bde8
devstudio-10.4.0.GA-v20170511-1748-B62-updatesite-central.zip
* 734c5b2be60adbfefe809ec61698dcc243ce8ae3f39d108b399fd50db810d766
rh-eclipse46-devstudio-10.4-0.20170511.1856.el7.x86_64.rpm
* 2ba7a9f8c49f527bcf4961b7ea0d7fd0511d494710f2e0e785a7a8ec7f73501b
rh-eclipse46-devstudio-10.4-0.20170511.1856.el7.src.rpm
{code}
Commits:
https://github.com/jbdevstudio/jbdevstudio-ci/commit/41678aaaef5a5cc66f91...
https://github.com/jbdevstudio/jbdevstudio-ci/commit/52f4cce750b96b6fc29f...
was (Author: nickboldt):
I've added SHA256 sums to the staging and release emails. It'll look like this:
{code:title=jbosstools staging}
SHA256 sums:
* a347815948e751defc8bb7c84958f5441a49e92735d8fee74cf0cc33c3f2bb67
jbosstools-4.5.0.AM2-updatesite-core.zip
* 5004c6b1fd7750e9c6060021ad2e9eef15907dea47583fe5f43b45c06e43fea4
jbosstools-4.5.0.AM2-src.zip
* 2ef6932514bd5a1501f43106acc609297e79074e54791e86e5ad9fae708bbda3
jbosstools-4.5.0.AM2-browsersim-standalone.zip
{code}
{code:title=jbosstools milestone release}
SHA256 sums:
* b4e847b00b1ce983276c499aee7d20eac3ab9cbb13446df6849150ca5ef6578e
jbosstools-4.4.4.Final-updatesite-core.zip
* 8822443d7529d574f4281f53b8a02f3e812fc870955936737640b747b6fc00d6
jbosstools-4.4.4.Final-src.zip
* 7df22ec7dd71fbd0beb9dbecec8b6a98fbacad9010d5cf4cc240945983c44e67
jbosstools-4.4.4.Final-browsersim-standalone.zip
{code}
{code:title=devstudio staging}
SHA256 sums:
* 41efa15eb4648d9f721d93b48dd0a8400436e3b8606f373b5753ecba804f5046
devstudio-11.0.0.AM2-v20170713-2124-B489-installer-standalone.jar
* 5fad8919640d8f6bf1a0efe767d7d65df637e57428a43cf68fbf7b8c419ec690
devstudio-11.0.0.AM2-v20170713-2124-B489-updatesite-core.zip
* a8ad843e1084eb9192540fbffceef818ff65a122187dead2f2959f2171bad1ff
devstudio-11.0.0.AM2-v20170713-2124-B489-updatesite-central.zip
* 857f93175bc31734fdc1240dfeedce4e65d10a517505f59227350eefe102836f
rh-eclipse47-devstudio-11.0-0.20170713.2235.el7.x86_64.rpm
* 30aef9d3d01794b06dcc44d560efcd5da352b9821a9cae2a3100f79f451fda1d
rh-eclipse47-devstudio-11.0-0.20170713.2235.el7.src.rpm
{code}
{code:title=devstudio milestone release}
SHA256 sums:
* 812c135ce00b570e7240e1d4fbc0b4e2a51928e97589ae9cf7aa08b0156ef6b4
devstudio-10.4.0.GA-v20170511-1748-B62-installer-standalone.jar
* 67e5b7310ddf05eaa641d22d1026462d561a8af051e8b185c8d709f81473217f
devstudio-10.4.0.GA-v20170511-1748-B62-updatesite-core.zip
* 78a5e0ed4573601cc916019e1acf9ede688a0593da05f2156900529365f2bde8
devstudio-10.4.0.GA-v20170511-1748-B62-updatesite-central.zip
* 734c5b2be60adbfefe809ec61698dcc243ce8ae3f39d108b399fd50db810d766
rh-eclipse46-devstudio-10.4-0.20170511.1856.el7.x86_64.rpm
* 2ba7a9f8c49f527bcf4961b7ea0d7fd0511d494710f2e0e785a7a8ec7f73501b
rh-eclipse46-devstudio-10.4-0.20170511.1856.el7.src.rpm
{code}
Commits:
https://github.com/jbdevstudio/jbdevstudio-ci/commit/41678aaaef5a5cc66f91...
https://github.com/jbdevstudio/jbdevstudio-ci/commit/52f4cce750b96b6fc29f...
Please include sha256 checksums in announcements
------------------------------------------------
Key: JBIDE-24642
URL: https://issues.jboss.org/browse/JBIDE-24642
Project: Tools (JBoss Tools)
Issue Type: Feature Request
Components: build, website
Reporter: Jesper Skov
Assignee: Nick Boldt
Fix For: LATER
I would like to be able to verify checksums on downloaded JBoss artifacts - both EAP and
eclipse-related binaries.
Or even better, verify a signature.
Today, when I want to use a JBossTools release, I would download
http://download.jboss.org/jbosstools/static/oxygen/development/updates/co...
And my only opportunity to verify the file is by downloading the sha256 file that lies
next to it:
http://download.jboss.org/jbosstools/static/oxygen/development/updates/co...
If a hacker manages to replace the updatesite archive with compromised files, I assume
they will have the brains to also update the checksum file next to it.
So the current checksum can really only be used to verify the integrity of the downloaded
file.
Not that its contents are untampered.
If the jar-files in the archive were signed, it would be less of an issue...
Signed artifacts would be best. But would probably take some effort to put in place.
A simpler remedy would be to include the checksums in the announcement. This would give
an additional factor of security for those who care about that.
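As an added example (not JBoss Tools' own build tooling), the following Python script covers both halves of what the issue asks for: on the publisher side it renders a "SHA256 sums:" block in the same layout as the blocks in the comment above, and on the consumer side it parses such a block out of an announcement and checks the files in a download directory against it. The point of the exercise is the reporter's: the digest printed in the announcement is an out-of-band copy, so a file that no longer matches it has been altered since the announcement was written, whereas the `.sha256` file next to the download can only catch a corrupted transfer. `SAMPLE_ANNOUNCEMENT` is copied from the "jbosstools staging" block above; the file names and contents in `demo()` are constructed, and the tampering it simulates is a one-byte append to a local temporary file.

```python
import hashlib
import hmac
import os
import re
import tempfile

# Layout of the "SHA256 sums:" blocks in the announcement emails on this issue:
# a header line, then "* <64 hex chars>" on one line and the file name on the next.
HEX64 = re.compile(r"^[0-9a-f]{64}$")

# Copy of the "jbosstools staging" block from the comment above, used as parser input.
SAMPLE_ANNOUNCEMENT = """\
SHA256 sums:
* a347815948e751defc8bb7c84958f5441a49e92735d8fee74cf0cc33c3f2bb67
jbosstools-4.5.0.AM2-updatesite-core.zip
* 5004c6b1fd7750e9c6060021ad2e9eef15907dea47583fe5f43b45c06e43fea4
jbosstools-4.5.0.AM2-src.zip
* 2ef6932514bd5a1501f43106acc609297e79074e54791e86e5ad9fae708bbda3
jbosstools-4.5.0.AM2-browsersim-standalone.zip
"""


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large archives need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def render_announcement(paths):
    """Publisher side: build the 'SHA256 sums:' block for the files being announced."""
    lines = ["SHA256 sums:"]
    for p in paths:
        lines.append("* " + sha256_of_file(p))
        lines.append(os.path.basename(p))
    return "\n".join(lines) + "\n"


def parse_announcement(text):
    """Consumer side: turn an announcement block into {file name: expected digest}.

    A malformed digest raises instead of silently verifying nothing.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    expected = {}
    i = 0
    while i < len(lines):
        if not lines[i].startswith("* "):
            i += 1  # header line or surrounding prose
            continue
        digest = lines[i][2:].strip().lower()
        if not HEX64.match(digest) or i + 1 >= len(lines):
            raise ValueError("malformed SHA256 entry: %r" % lines[i])
        expected[lines[i + 1]] = digest
        i += 2
    return expected


def verify_downloads(directory, announcement_text):
    """Check every announced file in `directory` against its announced digest.

    Returns {file name: "ok" | "MISMATCH" | "missing"}. A MISMATCH means the bytes
    on disk are not what the announcement's author hashed, whether the cause is a
    corrupted download or an artifact replaced after the announcement went out.
    """
    expected = parse_announcement(announcement_text)
    results = {}
    for name, digest in expected.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif hmac.compare_digest(sha256_of_file(path), digest):
            results[name] = "ok"
        else:
            results[name] = "MISMATCH"
    return results


def demo():
    """Constructed end-to-end run: announce sums for two files, then alter one of
    them after the announcement is fixed and see what the verifier reports."""
    with tempfile.TemporaryDirectory() as d:
        core = os.path.join(d, "example-updatesite-core.zip")
        src = os.path.join(d, "example-src.zip")
        with open(core, "wb") as f:
            f.write(b"constructed archive bytes A")
        with open(src, "wb") as f:
            f.write(b"constructed archive bytes B")
        announcement = render_announcement([core, src])  # what would be mailed out
        with open(src, "ab") as f:  # the file on the server changes afterwards
            f.write(b"\x00")
        return verify_downloads(d, announcement)


if __name__ == "__main__":
    for name, status in demo().items():
        print(status, name)
```

Run the script directly to see the constructed demo report `ok` for the untouched file and `MISMATCH` for the altered one; for a real check, paste the announcement block into a text file and call `verify_downloads` with the directory the artifacts were downloaded to. The digest comparison uses `hmac.compare_digest` simply because it is the idiomatic way to compare digests in Python; the security gain here comes from the announcement being a second, independently delivered copy of the hash, not from the comparison itself.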
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)