Jeff MAURY updated JBIDE-24642:
-------------------------------
Fix Version/s: LATER
Please include sha256 checksums in announcements
------------------------------------------------
Key: JBIDE-24642
URL:
https://issues.jboss.org/browse/JBIDE-24642
Project: Tools (JBoss Tools)
Issue Type: Feature Request
Components: build
Reporter: Jesper Skov
Fix For: LATER
I would like to be able to verify checksums on downloaded JBoss artifacts - both EAP and
Eclipse-related binaries.
Or even better, verify a signature.
Today, when I want to use a JBossTools release, I would download
http://download.jboss.org/jbosstools/static/oxygen/development/updates/co...
And my only opportunity to verify the file is by downloading the sha256 file that lies
next to it:
http://download.jboss.org/jbosstools/static/oxygen/development/updates/co...
If a hacker manages to replace the updatesite archive with compromised files, I assume
they will have the brains to also update the checksum file next to it.
So the current checksum can really only be used to verify the integrity of the downloaded
file.
Not that its contents are untampered.
If the jar-files in the archive were signed, it would be less of an issue...
Signed artifacts would be best. But would probably take some effort to put in place.
A simpler remedy would be to include the checksums in the announcement. This would give
an additional factor of security for those who care about that.
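The two-source check the reporter describes, as an added example (not code from the issue or from the JBoss Tools project): the artifact is compared both against the `.sha256` file served next to it and against a digest published out of band, such as in an announcement. The archive bytes, the `updatesite.zip` name and the attacker scenario are constructed for illustration.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# Matches a bare SHA-256 hex digest or the digest in `sha256sum` output ("<hex>  <file>").
_HEX64 = re.compile(r"\b[0-9a-fA-F]{64}\b")

def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large update-site archives need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_digest(text: str) -> str:
    """Extract the digest from a bare hex string or a `sha256sum`-style line."""
    m = _HEX64.search(text)
    if not m:
        raise ValueError("no 64-hex-char SHA-256 digest found")
    return m.group(0).lower()

def verify(artifact: Path, adjacent_sum_text: str, announced_digest: str) -> dict:
    """Check the artifact against the same-origin .sha256 file and the out-of-band value."""
    actual = sha256_file(artifact)
    return {
        "adjacent_ok": hmac.compare_digest(actual, parse_digest(adjacent_sum_text)),
        "announced_ok": hmac.compare_digest(actual, parse_digest(announced_digest)),
    }

def demo() -> tuple:
    """Constructed scenario: a genuine archive, then one swapped on the download host."""
    genuine = b"PK\x03\x04 genuine update-site archive (constructed bytes)"
    tampered = b"PK\x03\x04 tampered update-site archive (constructed bytes)"
    announced = hashlib.sha256(genuine).hexdigest()  # digest published in the announcement
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "updatesite.zip"  # hypothetical file name
        path.write_bytes(genuine)
        honest = verify(path, f"{announced}  updatesite.zip\n", announced)
        # The attacker replaces the archive and rewrites the adjacent checksum file too,
        # so only the out-of-band digest still detects the swap.
        path.write_bytes(tampered)
        forged_sum = f"{hashlib.sha256(tampered).hexdigest()}  updatesite.zip\n"
        attacked = verify(path, forged_sum, announced)
    return honest, attacked
```

In the tampered case `adjacent_ok` is still true, which is exactly why a digest that lives next to the download proves only transfer integrity, while the announced digest catches the substitution.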