Download verification SHA


#1

Hello friendly forum folks!

Today I downloaded KiCad 5** and I’m about to upgrade from 4.0.6! (I’m excited too.) Before I install it, though, I have a question. Often, when downloading software from a website, I like to check the provided SHA checksum against the SHA of the file I downloaded. I looked around the download page but didn’t find a SHA checksum. Is there somewhere else on kicad-pcb.org where such a string of gibberish may exist?

Thanks in advance!

** Or what I think is KiCad 5 … but nobody really knows what it is until I can verify the checksum of my copy … :thinking:


#2

I think this has been talked about and I thought it was in the process of being implemented months ago. I guess not? Maybe because it is mainly done through distros that should be taking care of this? Windows would be the possible exception I guess.


#3

The verify checksum stuff has always had me a little confused. If your connection to a website was intercepted and they were able to feed you a dud download link, they could likely alter the SHA the webpage displays as well.


#4

I hope you’re right and it will be implemented some time. I just checked the download pages for macOS, Windows, and randomly selected variations on Linux, and didn’t see a checksum for any of them. :frowning:


#5

That’s a fair point. I suppose, like any security measure, it raises the bar just that much more and makes it a little harder to do bad things.


#6

The Windows installers are signed.


#7

With https becoming more common it may be less important. You have a third party verifying the connection which is much better than relying on a key that could be compromised in the same way the original file was. It seems to me the best use of the key would be to keep it private and run a background check every so often to make sure someone hasn’t found a way to tamper with the file.


#8

Unfortunately, that doesn’t prove the downloaded exe is genuine, merely that someone has obtained a certificate and signed it. Since we are not told who the exe should be signed by, a user can’t check. I have no idea who “Simon Richter” is. It might be easier to trust if it was by “KiCad Organization” or something instead of an individual.


#9

It works as a simple download error check. Real security needs something else. See e.g. https://help.ubuntu.com/community/HowToSHA256SUM and https://help.ubuntu.com/community/VerifyIsoHowto. The problem with security is that it’s always complex or difficult, not simple and easy, and therefore most people never bother to do things in a secure way.
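The checksum routine those Ubuntu pages describe, written out as an added example (not code from this thread or from the KiCad project): it parses a coreutils-style SHA256SUMS file, hashes each listed download in chunks and reports OK, MISMATCH or MISSING per file. As the thread already notes, a digest fetched over the same connection as the file only catches transfer errors or mixed-up builds; the file names and contents below are constructed for the demo.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

def parse_sha256sums(text):
    """Parse coreutils SHA256SUMS lines ('<hex digest>  <name>'); a leading '*' marks binary mode."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed SHA256SUMS line: {line!r}")
        expected[name.lstrip("*")] = digest.lower()
    return expected

def sha256_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so a large installer never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_downloads(sums_text, directory):
    """Return {name: 'OK' | 'MISMATCH' | 'MISSING'} for every file listed in sums_text."""
    results = {}
    for name, digest in parse_sha256sums(sums_text).items():
        path = Path(directory, name)
        if not path.is_file():
            results[name] = "MISSING"
            continue
        # compare_digest is constant-time; overkill for a local check but a good habit
        results[name] = "OK" if hmac.compare_digest(sha256_file(path), digest) else "MISMATCH"
    return results

def demo():
    """Constructed sample: two 'installers' that differ in one byte, like two builds sharing one version string."""
    good = b"KiCad installer build A (constructed sample)\n"
    bad = b"KiCad installer build B (constructed sample)\n"
    with tempfile.TemporaryDirectory() as d:
        Path(d, "kicad-a.exe").write_bytes(good)
        Path(d, "kicad-b.exe").write_bytes(bad)
        # SHA256SUMS as published for build A; b is listed with A's digest, c is not present at all
        sums = (f"{hashlib.sha256(good).hexdigest()}  kicad-a.exe\n"
                f"{hashlib.sha256(good).hexdigest()}  *kicad-b.exe\n"
                f"{'0' * 64}  kicad-c.exe\n")
        return verify_downloads(sums, d)
```

Run `demo()` to see the three outcomes; point `verify_downloads` at a real SHA256SUMS file and download directory for actual use.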


#10

I agree that an organization certificate would be a lot better, but it requires a formal organization, which we don’t have. The closest thing that exists is CERN holding a few assets for the project.

Until that exists, it’s basically still an open-source project made up of individuals.


#11

An example of where a SHA would be useful is the original 5.0.0 Windows release and the one that followed the next day. Both were “5.0.0” and not easy to tell apart.


#12

Good point. I think I might be able to scrounge something up using the Jenkins “fingerprint” API, which allows finding the build responsible for a file with a particular checksum, but it will be a few days until I find time for that.