[jbosstools-issues] [JBoss JIRA] (JBIDE-24642) Please include sha256 checksums in announcements
Jesper Skov (JIRA)
issues at jboss.org
Mon Jul 3 02:41:00 EDT 2017
Jesper Skov created JBIDE-24642:
-----------------------------------
Summary: Please include sha256 checksums in announcements
Key: JBIDE-24642
URL: https://issues.jboss.org/browse/JBIDE-24642
Project: Tools (JBoss Tools)
Issue Type: Feature Request
Reporter: Jesper Skov
I would like to be able to verify checksums on downloaded JBoss artifacts - both EAP and eclipse-related binaries.
Or even better, verify a signature.
Today, when I want to use a JBossTools release, I would download
http://download.jboss.org/jbosstools/static/oxygen/development/updates/core/jbosstools-4.5.0.AM1-updatesite-core.zip
And my only opportunity to verify the file is by downloading the sha256 file that lies next to it:
http://download.jboss.org/jbosstools/static/oxygen/development/updates/core/jbosstools-4.5.0.AM1-updatesite-core.zip.sha256
If a hacker manages to replace the updatesite archive with compromised files, I assume they will have the brains to also update the checksum file next to it.
So the current checksum can really only be used to verify the integrity of the downloaded file.
Not that its contents are untampered.
If the jar-files in the archive were signed, it would be less of an issue...
Signed artifacts would be best. But would probably take some effort to put in place.
A simpler remedy would be to include the checksums in the announcement. This would give an additional factor of security for those who care about that.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
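The verification gap the report describes, shown as an added example (not part of the JIRA report or of the JBoss Tools project): a download is checked once against the `.sha256` sidecar that sits next to it and once against a digest obtained out of band, which is what a digest in the announcement would be. The archive bytes, the tampered replacement and the announced digest are constructed sample values; the sidecar file is assumed to be in the usual `sha256sum` layout (`<digest>  <filename>`) or a bare digest.

```python
import hashlib
import hmac

# Constructed sample standing in for jbosstools-4.5.0.AM1-updatesite-core.zip
ORIGINAL_ARCHIVE = b"PK\x03\x04 genuine update site contents (constructed sample)"
# Constructed sample of a replaced archive; the attacker also rewrites the sidecar
TAMPERED_ARCHIVE = b"PK\x03\x04 tampered update site contents (constructed sample)"

# Digest that would be copied from the release announcement (assumption: the
# announcement carries one, as the report requests). It is fixed when the
# release is cut, so a later swap on the download server cannot change it.
ANNOUNCED_SHA256 = hashlib.sha256(ORIGINAL_ARCHIVE).hexdigest()

ARCHIVE_NAME = "jbosstools-4.5.0.AM1-updatesite-core.zip"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of the whole file contents."""
    return hashlib.sha256(data).hexdigest()


def parse_sha256_file(text: str) -> str:
    """Extract the digest from a .sha256 sidecar file.

    Accepts the bare-digest form and the sha256sum form ("<digest>  <filename>").
    Returns the lowercase hex digest or raises ValueError on anything else.
    """
    lines = text.strip().splitlines()
    if not lines:
        raise ValueError("empty .sha256 file")
    digest = lines[0].split()[0].lower()
    if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("not a SHA-256 hex digest: %r" % lines[0])
    return digest


def digest_matches(data: bytes, expected_hex: str) -> bool:
    """Compare the file digest with an expected value without short-circuiting."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.lower())


def verify_download(data: bytes, sidecar_text: str, announced_hex: str) -> dict:
    """Run both checks and report which passed.

    The sidecar check only proves the bytes arrived intact. The announcement
    check is the one that can notice a server-side swap of archive plus sidecar.
    """
    return {
        "sidecar": digest_matches(data, parse_sha256_file(sidecar_text)),
        "announcement": digest_matches(data, announced_hex),
    }


def genuine_scenario() -> dict:
    """Untouched download: both checks pass."""
    sidecar = "%s  %s\n" % (sha256_hex(ORIGINAL_ARCHIVE), ARCHIVE_NAME)
    return verify_download(ORIGINAL_ARCHIVE, sidecar, ANNOUNCED_SHA256)


def tampered_scenario() -> dict:
    """Archive and sidecar both replaced: sidecar passes, announcement fails."""
    sidecar = "%s  %s\n" % (sha256_hex(TAMPERED_ARCHIVE), ARCHIVE_NAME)
    return verify_download(TAMPERED_ARCHIVE, sidecar, ANNOUNCED_SHA256)


if __name__ == "__main__":
    print("genuine download :", genuine_scenario())
    print("tampered download:", tampered_scenario())
```

The sidecar result is identical in both scenarios, which is the report's point: a digest served from the same location as the artifact can only catch a corrupted transfer. A digest published elsewhere (the announcement mail, or better a signature over the jars) is what adds the second factor.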