Post the SHA256 hashes of every release and downloadable version!
That or PGP signatures
<3
Suggestions: post official SHA256 signatures of each release
Re: Suggestions: post official SHA256 signatures of each rel
No objection here, although I'd go with SHA. Lightweight freeware is available to match signatures of hash algorithms, but IDK if access to PGP is that easy for those who aren't already using it for encrypted e-mail. If there are free, standalone apps that can check PGP sigs, equally light (HashCalc is 1 MB and can be run directly from a flash drive, no install required), do let us know.
On updates, would you be looking at the .xpi in the Temp directory before restarting, and running it through (whatever) to compare sigs before the restart?
It should be helpful that both the original install and all updates are delivered from HTTPS sites by HTTPS connections, but being a tinfoil-hatter myself, you can't be too cautious.

Re: Suggestions: post official SHA256 signatures of each rel
Synchronize watches:
latest development build 2.3.7rc3 = a8eeaeabd1932a25d5dc0a2e55c44140c37286f5e86be5c8a1ea24627992a43c
SHA-512 = 3a46834ad5cc674f4fc46e86596e94b84d09bb2bc44b3c81c09c902ad2fcd339edda754065aab5e911ac815b0386e3d287f7edc24eb787d4ebc79f6f879084a7
Latest stable release 2.3.6 = c9cba045269cfda1b3406ff8a51095127d3583aaf2f8ee52a3dca918f63abab5
SHA-512 = b17ffdfd2feabe26c97b852f9b627f8039f6a7438988d1e82707f6727262a87951b3ef462b77c9573d8c54b0983b1e2e01d244062867352f5804ad672a3ed8e3
Check?
Re: Suggestions: post official SHA256 signatures of each rel
This should be maintained on the front page, and perhaps have a script for a hash application collect the .xpi SHA256 and post the text string to the website. To be trusted if posted by the official core developer/compiler himself.
Re: Suggestions: post official SHA256 signatures of each rel
How would you know if you can trust the hashes you see?
Re: Suggestions: post official SHA256 signatures of each rel
dhouwn wrote: How would you know if you can trust the hashes you see?
If served by HTTPS and posted on the official NoScript website by the administrator...
Re: Suggestions: post official SHA256 signatures of each rel
dhouwn wrote: How would you know if you can trust the hashes you see?
This has always been my concern with sites that give SHA, or even MD5.

E. g., PortableApps.com. I love those guys, but since the checksum/hash is on an insecure page, how do I know that someone hasn't tampered with the d/l, hashed it, then tampered with the page to make the new hash match the tampered d/l?
Agree that the best way is to put it on an HTTPS page -- which this entire forum is NOT.
However, Giorgio already has a secure sub-domain, https://secure.informaction.com/*, used to serve the latest development build, and as a direct d/l for stable releases (to supplement the also-secure AMO link).
So there shouldn't be much more overhead in adding one more page there, with checksums for each stable/dev build.
The Question Is: How many users would actually make use of this, before we ask Giorgio to go to this additional trouble?
Responses, please, whether you *seriously* would use this. And if you wouldn't, that's of interest too.
P.S.: @ Suggestions: Did you get the same SHA hashes I did?
Re: Suggestions: post official SHA256 signatures of each rel
Tom T. wrote: ...before we ask Giorgio to go to this additional trouble?
Generating SHA256 sums with some scripts and letting cron jobs take care of it on a daily basis should be easy.
I strongly support HTTPS and stronger hash signatures.
There should be a PGP key too.
Re: Suggestions: post official SHA256 signatures of each rel
Tom T. wrote: ...before we ask Giorgio to go to this additional trouble?
JohnB wrote: Generating SHA256 sums with some scripts and letting cron jobs take care of it on a daily basis should be easy.
It shouldn't be daily; it needs to be in real time as the update or whatever is released; else, to those who rely on the hash, the update is useless until the hash is posted.
There is also an additional expense for bandwidth, depending on how many users access the hash page. Please keep in mind that Giorgio is bearing the entire cost of hosting this site separately, as opposed to its original location as a *single topic* at Mozilla forum. Donations and the ads at the NS home page have to cover this, and how many people do donate?
JohnB wrote: I strongly support HTTPS and stronger hash signatures. There should be a PGP key too.
Thanks for the support comment on hashes. IMHO only, PGP is duplicative. As mentioned, anyone can get a free hash calculator that requires no install. Installing PGP isn't so simple. If you don't trust the hash, why trust the PGP? Again, IMHO. Thanks for reply.
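The script the thread sketches (JohnB's "scripts plus cron", Tom T.'s "generate it at release time", and the "check?" comparison of posted SHA-256/SHA-512 values earlier in the thread) in one place, as an added example that is not code from this forum, from NoScript or from Giorgio's site. It uses only the Python standard library; the .xpi file names and contents are constructed for the demo and are not real builds. It writes a manifest in the two-space `sha256sum`/`sha512sum` format, so the same text can be checked with those tools or with a standalone hash calculator, and verifies a downloaded file against it, refusing files the manifest does not list.

```python
"""Generate and verify release hash manifests (added example, stdlib only)."""
import hashlib
import hmac
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so large installers never need to fit in memory


def file_digests(path):
    """Return (sha256_hex, sha512_hex) for a file, reading it once in chunks."""
    h256, h512 = hashlib.sha256(), hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h256.update(chunk)
            h512.update(chunk)
    return h256.hexdigest(), h512.hexdigest()


def build_manifest(release_dir, suffixes=(".xpi",)):
    """Return (SHA256SUMS text, SHA512SUMS text) for the release files in a directory.

    Each line is '<hexdigest>  <filename>', the format 'sha256sum -c' accepts.
    Meant to run as the last step of publishing a build, not on a daily timer,
    so the hash is never missing for a release that is already downloadable.
    """
    lines256, lines512 = [], []
    for p in sorted(Path(release_dir).iterdir()):
        if p.is_file() and p.suffix in suffixes:
            d256, d512 = file_digests(p)
            lines256.append(f"{d256}  {p.name}")
            lines512.append(f"{d512}  {p.name}")
    return "\n".join(lines256) + "\n", "\n".join(lines512) + "\n"


def parse_manifest(text):
    """Map filename -> expected lowercase hex digest; tolerates the '*' binary marker."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        expected[name.lstrip("*")] = digest.lower()
    return expected


def verify_download(path, manifest_text, algo="sha256"):
    """True iff the file's digest equals the manifest entry for its basename.

    A file with no manifest entry is reported as unverified (False) rather than
    silently accepted. The manifest must itself come from a source the user
    trusts at least as much as the download (HTTPS page, or a signed file);
    this check only detects that file and manifest disagree.
    """
    expected = parse_manifest(manifest_text)
    name = os.path.basename(path)
    if name not in expected:
        return False
    d256, d512 = file_digests(path)
    actual = d256 if algo == "sha256" else d512
    return hmac.compare_digest(actual, expected[name])


def demo():
    """Constructed sample: two fake .xpi files, one of which is tampered with afterwards."""
    with tempfile.TemporaryDirectory() as d:
        stable = Path(d) / "noscript-2.3.6.xpi"      # constructed name, not a real build
        dev = Path(d) / "noscript-2.3.7rc3.xpi"      # constructed name, not a real build
        stable.write_bytes(b"PK\x03\x04 constructed stable build")
        dev.write_bytes(b"PK\x03\x04 constructed dev build")
        sums256, sums512 = build_manifest(d)
        ok_before = verify_download(stable, sums256) and verify_download(dev, sums512, "sha512")
        stable.write_bytes(b"PK\x03\x04 constructed stable build, tampered")
        ok_after = verify_download(stable, sums256)
        return ok_before, ok_after


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Running the manifest step from the release process (rather than a daily cron) addresses the timing objection above; serving the resulting SHA256SUMS from the existing secure.informaction.com host, or signing it, addresses the question of whether the hash itself can be trusted, which the script alone cannot answer.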