How to verify packages?

Metreon Cascade

New Member
How are Eraser downloads' integrity verified?

I've noticed references to MD5 hashes in other posts, I but can't find where the hashes themselves are posted. Why is it so hard for security software developers to take even the first step in verifying package integrity? It's like some global practical joke.

There are two methods that can be used. I recommend both, but the first is essential.

Sign every package. To do this, use a key which is signed by several known security software developers (putting the key in the 'web of trust'), or at least signed by all of the developers (whose keys should be posted/linked on eraser.heidi.ie's front page AND the developers' websites). Post links to the signatures right next to every single download link, or (better) include them in the packages. Post the key conspicuously on the front page of your Sourceforge page and on the front page of eraser.heidi.ie where it cannot be missed.

That is THE correct method (as in, not doing it is incorrect the way '2+2=5' is incorrect). Posting the hashes (next to every download link!) is okay, except that if the site is hacked then bad hashes can be posted along with the bad downloads (unlikely, of course).
 
Metreon Cascade said:
How are Eraser downloads' integrity verified?

I've noticed references to MD5 hashes in other posts, I but can't find where the hashes themselves are posted. Why is it so hard for security software developers to take even the first step in verifying package integrity? It's like some global practical joke.
http://eraser.heidi.ie/announcements/20090706.html.

Metreon Cascade said:
Sign every package. To do this, use a key which is signed by several known security software developers (putting the key in the 'web of trust'), or at least signed by all of the developers (whose keys should be posted/linked on eraser.heidi.ie's front page AND the developers' websites). Post links to the signatures right next to every single download link, or (better) include them in the packages. Post the key conspicuously on the front page of your Sourceforge page and on the front page of eraser.heidi.ie where it cannot be missed.
The binaries I post are signed with an Authenticode signature.
 
It's proprietary -- sure -- but that means that the binaries are checked automatically and prevents user failure. A definite simplification, in my opinion.

Joel
 
Back
Top