[jbosstools-issues] [JBoss JIRA] (JBIDE-24642) Please include sha256 checksums in announcements

Nick Boldt (JIRA) issues at jboss.org
Mon Jul 24 18:49:00 EDT 2017


    [ https://issues.jboss.org/browse/JBIDE-24642?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13439537#comment-13439537 ] 

Nick Boldt edited comment on JBIDE-24642 at 7/24/17 6:48 PM:
-------------------------------------------------------------

I've added SHA256 sums to the staging and release announcement emails. It'll look like this:

{code:title=jbosstools staging}
SHA256 sums:

* a347815948e751defc8bb7c84958f5441a49e92735d8fee74cf0cc33c3f2bb67 jbosstools-4.5.0.AM2-updatesite-core.zip
* 5004c6b1fd7750e9c6060021ad2e9eef15907dea47583fe5f43b45c06e43fea4 jbosstools-4.5.0.AM2-src.zip
* 2ef6932514bd5a1501f43106acc609297e79074e54791e86e5ad9fae708bbda3 jbosstools-4.5.0.AM2-browsersim-standalone.zip
{code}

{code:title=jbosstools milestone release}
SHA256 sums:

* b4e847b00b1ce983276c499aee7d20eac3ab9cbb13446df6849150ca5ef6578e jbosstools-4.4.4.Final-updatesite-core.zip
* 8822443d7529d574f4281f53b8a02f3e812fc870955936737640b747b6fc00d6 jbosstools-4.4.4.Final-src.zip
* 7df22ec7dd71fbd0beb9dbecec8b6a98fbacad9010d5cf4cc240945983c44e67 jbosstools-4.4.4.Final-browsersim-standalone.zip
{code}

{code:title=devstudio staging}
SHA256 sums:

* 41efa15eb4648d9f721d93b48dd0a8400436e3b8606f373b5753ecba804f5046 devstudio-11.0.0.AM2-v20170713-2124-B489-installer-standalone.jar
* 5fad8919640d8f6bf1a0efe767d7d65df637e57428a43cf68fbf7b8c419ec690 devstudio-11.0.0.AM2-v20170713-2124-B489-updatesite-core.zip
* a8ad843e1084eb9192540fbffceef818ff65a122187dead2f2959f2171bad1ff devstudio-11.0.0.AM2-v20170713-2124-B489-updatesite-central.zip
* 857f93175bc31734fdc1240dfeedce4e65d10a517505f59227350eefe102836f rh-eclipse47-devstudio-11.0-0.20170713.2235.el7.x86_64.rpm
* 30aef9d3d01794b06dcc44d560efcd5da352b9821a9cae2a3100f79f451fda1d rh-eclipse47-devstudio-11.0-0.20170713.2235.el7.src.rpm
{code}

{code:title=devstudio milestone release}
SHA256 sums:

* 812c135ce00b570e7240e1d4fbc0b4e2a51928e97589ae9cf7aa08b0156ef6b4 devstudio-10.4.0.GA-v20170511-1748-B62-installer-standalone.jar
* 67e5b7310ddf05eaa641d22d1026462d561a8af051e8b185c8d709f81473217f devstudio-10.4.0.GA-v20170511-1748-B62-updatesite-core.zip
* 78a5e0ed4573601cc916019e1acf9ede688a0593da05f2156900529365f2bde8 devstudio-10.4.0.GA-v20170511-1748-B62-updatesite-central.zip
* 734c5b2be60adbfefe809ec61698dcc243ce8ae3f39d108b399fd50db810d766 rh-eclipse46-devstudio-10.4-0.20170511.1856.el7.x86_64.rpm
* 2ba7a9f8c49f527bcf4961b7ea0d7fd0511d494710f2e0e785a7a8ec7f73501b rh-eclipse46-devstudio-10.4-0.20170511.1856.el7.src.rpm
{code}

Commits:

https://github.com/jbdevstudio/jbdevstudio-ci/commit/41678aaaef5a5cc66f913526e0eef823cf0fc851
https://github.com/jbdevstudio/jbdevstudio-ci/commit/52f4cce750b96b6fc29fbd06addb5bb5453eb86c


> Please include sha256 checksums in announcements
> ------------------------------------------------
>
>                 Key: JBIDE-24642
>                 URL: https://issues.jboss.org/browse/JBIDE-24642
>             Project: Tools (JBoss Tools)
>          Issue Type: Feature Request
>          Components: build, website
>            Reporter: Jesper Skov
>            Assignee: Nick Boldt
>             Fix For: LATER
>
>
> I would like to be able to verify checksums on downloaded JBoss artifacts - both EAP and eclipse-related binaries.
> Or even better, verify a signature.
> Today, when I want to use a JBossTools release, I would download
> http://download.jboss.org/jbosstools/static/oxygen/development/updates/core/jbosstools-4.5.0.AM1-updatesite-core.zip
> And my only opportunity to verify the file is by downloading the sha256 file that lies next to it:
> http://download.jboss.org/jbosstools/static/oxygen/development/updates/core/jbosstools-4.5.0.AM1-updatesite-core.zip.sha256
> If a hacker manages to replace the updatesite archive with compromised files, I assume they will have the brains to also update the checksum file next to it.
> So the current checksum can really only be used to verify the integrity of the downloaded file.
> Not that its contents are untampered.
> If the jar-files in the archive were signed, it would be less of an issue...
> Signed artifacts would be best. But would probably take some effort to put in place.
> A simpler remedy would be to include the checksums in the announcement. This would give an additional factor of security for those who care about that.
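The verification step the ticket is asking for, as an added example that is not part of the ticket or of the jbdevstudio-ci scripts: instead of trusting the `.sha256` file served next to the artifact, the expected sum is read from the announcement text (the `* <sha256> <filename>` lines in the format above) and compared with a locally computed digest. Function names, the constructed sample artifact and announcement, and the use of `sha256sum` with `shasum -a 256` as a fallback are assumptions of this example.

```shell
#!/bin/sh
# Compute the SHA256 of a file with whichever tool is installed (assumption:
# GNU coreutils sha256sum, or Perl shasum on BSD/macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{ print $1 }'
  else
    shasum -a 256 "$1" | awk '{ print $1 }'
  fi
}

# Pull the expected sum for one artifact out of the announcement text.
# Matches lines whose last field is the file name and takes the 64-hex-char
# field on that line, so both "* <sum> <name>" and "<sum>  <name>" work.
expected_sum() {
  awk -v f="$2" '
    $NF == f { for (i = 1; i < NF; i++) if (length($i) == 64) { print tolower($i); exit } }
  ' "$1"
}

# verify_download <announcement-text> <downloaded-artifact>
# Exit status: 0 match, 1 mismatch (treat as tampered or corrupt), 2 not listed.
verify_download() {
  name=$(basename "$2")
  exp=$(expected_sum "$1" "$name")
  if [ -z "$exp" ]; then
    echo "NOT LISTED: $name has no SHA256 sum in the announcement" >&2
    return 2
  fi
  act=$(sha256_of "$2")
  if [ "$exp" = "$act" ]; then
    echo "OK: $name"
    return 0
  fi
  echo "MISMATCH: $name expected $exp got $act" >&2
  return 1
}

# Demo on constructed input (not a real release): one fake artifact and an
# announcement excerpt in the same layout as the staging email above.
demo_dir=$(mktemp -d)
printf 'constructed artifact bytes\n' > "$demo_dir/jbosstools-4.5.0.AM2-src.zip"
printf 'SHA256 sums:\n\n* %s jbosstools-4.5.0.AM2-src.zip\n' \
  "$(sha256_of "$demo_dir/jbosstools-4.5.0.AM2-src.zip")" > "$demo_dir/announcement.txt"
verify_download "$demo_dir/announcement.txt" "$demo_dir/jbosstools-4.5.0.AM2-src.zip"
```

The check only adds anything when the announcement reaches you over a channel independent of download.jboss.org (the mailing list archive, for instance); a sum copied from the same server as the artifact is the situation the ticket describes.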



--
This message was sent by Atlassian JIRA
(v7.2.3#72005)