[jbosstools-issues] [JBoss JIRA] (JBIDE-24642) Please include sha256 checksums in announcements

Nick Boldt (JIRA) issues at jboss.org
Tue Jul 4 10:01:00 EDT 2017


    [ https://issues.jboss.org/browse/JBIDE-24642?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13430893#comment-13430893 ] 

Nick Boldt commented on JBIDE-24642:
------------------------------------

Do you mean the announcements like this one should list the SHAs?

http://lists.jboss.org/pipermail/jbosstools-dev/2017-June/011998.html

Or are you talking about adding SHAs to the blog posts such as this?

http://tools.jboss.org/blog/4.5.0.am1-for-oxygen.0.html

We could also hard-code the SHA values into the download page, rather than linking to them:

http://tools.jboss.org/downloads/jbosstools/oxygen/4.5.0.AM1.html#zips

[~jeffmaury] WDYT?

> Please include sha256 checksums in announcements
> ------------------------------------------------
>
>                 Key: JBIDE-24642
>                 URL: https://issues.jboss.org/browse/JBIDE-24642
>             Project: Tools (JBoss Tools)
>          Issue Type: Feature Request
>          Components: build
>            Reporter: Jesper Skov
>            Assignee: Nick Boldt
>             Fix For: LATER
>
>
> I would like to be able to verify checksums on downloaded JBoss artifacts - both EAP and eclipse-related binaries.
> Or even better, verify a signature.
> Today, when I want to use a JBossTools release, I would download
> http://download.jboss.org/jbosstools/static/oxygen/development/updates/core/jbosstools-4.5.0.AM1-updatesite-core.zip
> And my only opportunity to verify the file is by downloading the sha256 file that lies next to it:
> http://download.jboss.org/jbosstools/static/oxygen/development/updates/core/jbosstools-4.5.0.AM1-updatesite-core.zip.sha256
> If a hacker manages to replace the updatesite archive with compromised files, I assume they will have the brains to also update the checksum file next to it.
> So the current checksum can really only be used to verify the integrity of the downloaded file.
> Not that its contents are untampered.
> If the jar-files in the archive were signed, it would be less of an issue...
> Signed artifacts would be best. But would probably take some effort to put in place.
> A simpler remedy would be to include the checksums in the announcement. This would give an additional factor of security for those who care about that.



--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
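The distinction the issue draws (an adjacent `.sha256` file only proves the download was not corrupted in transit; a checksum published out of band, in an announcement, also catches a swapped archive whose sidecar was rewritten alongside it) can be made concrete with a small verifier. The following is an added example, not JBoss Tools' own tooling or build code: it hashes an archive, compares it against both an adjacent sidecar file and an announced value, and reports each verdict separately. The archive contents, the sidecar text and the announced hash are all constructed inline here; the optional command-line interface and its flag names are assumptions for illustration.

```python
"""Verify a downloaded archive against an adjacent .sha256 sidecar and an
out-of-band (announcement) checksum, and report both verdicts separately.

Added example; the scenario data below is constructed, not a real release."""
import argparse
import hashlib
import hmac
from typing import Dict, Optional

HEX_DIGITS = set("0123456789abcdef")


def sha256_hex(data: bytes) -> str:
    """Lower-case hex SHA-256 of the given bytes."""
    return hashlib.sha256(data).hexdigest()


def parse_sha256_file(text: str) -> str:
    """Parse a .sha256 sidecar: either a bare hex digest or the common
    '<hex>  <filename>' form produced by sha256sum. Rejects malformed input."""
    tokens = text.strip().split()
    if not tokens:
        raise ValueError("empty checksum file")
    digest = tokens[0].lower()
    if len(digest) != 64 or not set(digest) <= HEX_DIGITS:
        raise ValueError("not a 64-digit hex SHA-256: %r" % tokens[0])
    return digest


def verify(archive: bytes,
           sidecar_text: Optional[str] = None,
           announced_hex: Optional[str] = None) -> Dict[str, object]:
    """Compare the archive's digest with each reference that is available.

    'sidecar_ok' only shows the file matches what sits next to it on the
    same server; 'announced_ok' compares against a value obtained through a
    separate channel, which is the check that detects a replaced archive
    whose sidecar was updated as well."""
    actual = sha256_hex(archive)
    result: Dict[str, object] = {"actual": actual}
    if sidecar_text is not None:
        expected = parse_sha256_file(sidecar_text)
        result["sidecar_ok"] = hmac.compare_digest(actual, expected)
    if announced_hex is not None:
        expected = announced_hex.strip().lower()
        result["announced_ok"] = hmac.compare_digest(actual, expected)
    return result


def scenario_mirror_replaced() -> Dict[str, object]:
    """Constructed scenario: the archive on the download server was replaced
    and its adjacent .sha256 file rewritten to match, while the announcement
    still carries the digest of the genuine build."""
    genuine = b"constructed: genuine updatesite-core.zip contents"
    replaced = b"constructed: replaced updatesite-core.zip contents"
    announced = sha256_hex(genuine)                 # published out of band
    sidecar = sha256_hex(replaced) + "  jbosstools-updatesite-core.zip\n"
    return verify(replaced, sidecar_text=sidecar, announced_hex=announced)


def scenario_genuine() -> Dict[str, object]:
    """Constructed scenario: untouched archive, both references agree."""
    genuine = b"constructed: genuine updatesite-core.zip contents"
    digest = sha256_hex(genuine)
    return verify(genuine, sidecar_text=digest + "\n", announced_hex=digest)


def main() -> None:
    """Illustrative CLI (flag names are assumptions, not a real tool's)."""
    parser = argparse.ArgumentParser(description="SHA-256 download verifier")
    parser.add_argument("archive", help="downloaded file to verify")
    parser.add_argument("--sidecar", help="path to the adjacent .sha256 file")
    parser.add_argument("--announced", help="hex digest from the announcement")
    args = parser.parse_args()
    with open(args.archive, "rb") as f:
        data = f.read()
    sidecar_text = None
    if args.sidecar:
        with open(args.sidecar, "r", encoding="utf-8") as f:
            sidecar_text = f.read()
    for key, value in verify(data, sidecar_text, args.announced).items():
        print("%-13s %s" % (key + ":", value))


if __name__ == "__main__":
    main()
```

In the replaced-mirror scenario the sidecar check passes while the announced check fails, which is exactly why the issue asks for the value to appear in the announcement: the verifier can only be as trustworthy as the most independent reference it is given. Digests are compared with `hmac.compare_digest` out of habit; it costs nothing here and avoids timing-dependent comparisons in code that may later be reused server-side.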

