I guess you could download it from the Jenkins job
https://ci.inria.fr/pharo/job/Pharo-5.0-Update-Step-5-Publish/lastSuccessfulBuild/artifact/

although the job itself downloads over http from files.pharo.org… but
Jenkins should be fine enough if you are worried about MitM between you and
Pharo.

For SHA you still need a secure connection assuming the website wouldn't
get compromised,
or digitally signed releases assuming the signing won't be misconfigured,
or the keys won't get compromised.

But I agree that this should be solved, or at least improved; but then
again whole smalltalkhub doesn't use https and you are sending your
credentials in plaintext over the network (have fun committing from a hotel
room wifi)… security through obscurity can be incredibly efficient.

Of course that means that we need someone with the time and knowledge that
can invest effort into this.

Peter

On Wed, May 4, 2016 at 12:33 AM, Wilfred Hughes <m...@wilfred.me.uk> wrote:

> Is there any way of downloading Pharo securely?
>
> I'm trying to download Pharo itself over HTTPS, so I know I can trust the
> data:
>
> $ wget https://files.pharo.org/platform/Pharo4.0-linux.zip
> --2016-05-02 22:44:34--
> https://files.pharo.org/platform/Pharo4.0-linux.zip
> Resolving files.pharo.org (files.pharo.org)... 128.93.162.72
> Connecting to files.pharo.org (files.pharo.org)|128.93.162.72|:443...
> connected.
> OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
> protocol
> Unable to establish SSL connection.
>
> The excellent pharo zeroconf script doesn't seem available over HTTPS
> either:
>
> $ curl https://get.pharo.org/vm50
> curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
> protocol
>
> Looking at the script itself, it's downloading files over HTTP from
> files.pharo.org and executing them without verifying. I've explored
> files.pharo.org, but I can't see any signatures or hashes (e.g.
> sha256sum) of any of the files.
>
> The pharo homepage is largely available at https://pharo.org/
> (although some of the styling is missing due to being served over
> HTTP).
>
> Have I missed something? Would it be possible to provide HTTPS and/or
> sha256sums for downloads?
>
>
> Wilfred
>
>
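The thread above asks for per-file hashes and a way to fetch the zeroconf script without running whatever an HTTP intermediary hands back. The following is an added example, not the Pharo project's own script or anything from the list: a small POSIX sh wrapper that downloads over HTTPS only (curl's `--proto '=https'` refuses plain-HTTP redirects), compares the file's SHA-256 against a digest pinned in advance, and executes only on a match. The `verify_file` and `fetch_verify_run` names and the pinned digest are assumptions for illustration; the digest itself must be obtained from a channel the attacker cannot also alter (a signed release note, an HTTPS page on a different host), otherwise, as Peter notes, the check only repeats the trust you already placed in the download path.

```shell
#!/bin/sh
# Added example (hypothetical wrapper, not the pharo zeroconf script).
# Pinned digests must come from a trusted channel, not from the same
# http:// host that serves the file being checked.

sha256_of() {
  # Portable hex digest: GNU coreutils sha256sum, or BSD/macOS shasum.
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_file FILE EXPECTED_SHA256
# Returns 0 when the file's digest equals EXPECTED_SHA256, 1 otherwise.
verify_file() {
  actual=$(sha256_of "$1")
  if [ "$actual" = "$2" ]; then
    return 0
  fi
  echo "digest mismatch for $1: expected $2, got $actual" >&2
  return 1
}

# fetch_verify_run URL EXPECTED_SHA256
# Downloads URL over HTTPS with certificate verification left on,
# refuses http:// (including redirects to it), and only executes the
# file once its digest matches the pinned value. Returns the script's
# exit status, or 1 if the download or the digest check failed.
fetch_verify_run() {
  tmp=$(mktemp) || return 1
  if ! curl -fsSL --proto '=https' "$1" -o "$tmp"; then
    echo "download failed: $1" >&2
    rm -f "$tmp"
    return 1
  fi
  if verify_file "$tmp" "$2"; then
    sh "$tmp"
    rc=$?
  else
    rc=1
  fi
  rm -f "$tmp"
  return $rc
}

# Typical use (digest is a placeholder, not a real Pharo release value):
# fetch_verify_run https://example.invalid/vm50 <pinned-sha256-hex>
```

The download is kept in a temporary file rather than piped straight into `sh`, so a truncated or tampered transfer can never be partially executed; `-f` makes curl fail on HTTP error pages instead of saving them as the "script".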
