With PKI involved it would be even better, as one could verify authenticity and integrity of the files (as you wrote). It's of course important to maintain the integrity, however my in my initial post I rather meant verification of authenticity of the file. So using PKI (whatever, can be GPG) would be best. Give it a thought guys.
On Friday, March 30, 2012 8:43:25 AM UTC+2, William Budington wrote: > > Realistically, a hash function alone would only verify file integrity, > not authenticity. An attacker could still man-in-the-middle the > download page at any point and forge the checksum. If your threat model > is an attacker, it would be best to take the checksum and sign that file > with a trusted gpg key, making the public key widely available. That > way if your connection is later man-in-the-middled, the attacker would > also need the secret key to look legitimate. > > If file integrity is your only concern, an md5 should suffice. > > On 03/29/2012 11:14 PM, dvbportal wrote: > > Ideally, the sums would also be displayed on the download page. A forger > > could create a manipulated package with matching sum files in the dist > > folder, but he cannot publish those sums on the official download page. > > > > On Friday, March 30, 2012 5:31:09 AM UTC+2, Isaac Schlueter wrote: > >> > >> It would be easy enough to put the shasum and md5 as files in the dist > >> folder. Would that be satisfactory? > >> > >> On Thu, Mar 29, 2012 at 17:55, Nathan Rajlich <[email protected]> > >> wrote: > >>> It's possible he means MD5 hashes. I've thought about this too; ideally > >>> node-gyp would verify the tarballs it downloads with an MD5 hash. > >>> > >>> > >>> On Thu, Mar 29, 2012 at 5:49 PM, Bert Belder <[email protected]> > >> wrote: > >>>> > >>>> On Mar 29, 4:53 pm, Błażej Pawlak <[email protected]> wrote: > >>>>> Hi, > >>>>> > >>>>> Do you intend to sign the archives available for download from > >>>>> nodejs.org > >>>>> (sources, macos package, windows package, etc.) at some point? > >>>>> It would be great to ensure that everything is in order with the > >>>>> download > >>>>> :-) > >>>>> > >>>>> Cheers! > >>>>> Błażej > >>>> > >>>> The windows msi package and node.exe binary are already signed. I am > >>>> not sure how a signed source tarball would work. > >>>> > >>>> -- > >>>> Job Board: http://jobs.nodejs.org/ > >>>> Posting guidelines: > >>>> https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines > >>>> You received this message because you are subscribed to the Google > >>>> Groups "nodejs" group. > >>>> To post to this group, send email to [email protected] > >>>> To unsubscribe from this group, send email to > >>>> [email protected] > >>>> For more options, visit this group at > >>>> http://groups.google.com/group/nodejs?hl=en?hl=en > >>> > >>> > >>> -- > >>> Job Board: http://jobs.nodejs.org/ > >>> Posting guidelines: > >>> https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines > >>> You received this message because you are subscribed to the Google > >>> Groups "nodejs" group. > >>> To post to this group, send email to [email protected] > >>> To unsubscribe from this group, send email to > >>> [email protected] > >>> For more options, visit this group at > >>> http://groups.google.com/group/nodejs?hl=en?hl=en > >> > > > > -- Job Board: http://jobs.nodejs.org/ Posting guidelines: https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines You received this message because you are subscribed to the Google Groups "nodejs" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/nodejs?hl=en?hl=en
