Please provide checksum in order to validate downloads from the website #6299
Comments
|
We currently just offer https://releases.libreelec.tv/LibreELEC-RPi4.arm-10.0.2.img.gz?mirrorlist (https://....?mirrorlist) to view the sha256. Ofc this is not safe against compromising attacks, same goes to github and the website. ideas welcome :) |
|
I suggest looking through some of the other open source projects to see how they do it, and then find one of the models that best suit your project. It's a must have. |
|
@CvH we already generate sha256 of the image. We can just copy them over to the mirrors when copying the image? |
|
@lrusak Hashes on the same server as the images are not trusted as an attacker who compromises the server can post a bad image and matching hashes. So we need to publish them from a different location, i.e. include them in the website blog post. I think we just need to update the JSON update script so they also generate the content needed for the blog post. |
As the title says. It's impossible to validate a download. You need to provide at least sha1 checksums and some proper way of validation. These checksums cannot reside on the website because if the website gets compromised, so would the checksums.
The text was updated successfully, but these errors were encountered: