File tampering? Digital certificates? File hash?
How can I tell if a setup install program from a developer wasn't tampered with by someone else, if there's no digital certificate or hash info provided for the setup install file?
How do I tell if the file has been tampered with, without a digital security certificate or the file's hash?
signed
curious GEORGE
Scarily enough, I'm a pretty paranoid person already and I've never thought to look at that. In that case, the best idea is to run everything in separate Windows virtual machines, and backup/restore/wipe the data every usage.
Or not care.
(Sorry if that sounded sarcastic, but I was serious.)
Insert original signature here with Greasemonkey Script.
I guess no sec certificate or hash info with the setup file means no guarantee the file is safe?
I do run a virus scanner, though, on setup programs.
I usually provide an MD5 sum for my setup packages. Else it works on trust. So far the people that usually release apps (myself, wraithdu, ZachThibeau, JohnTHaller, and many, many more) haven't gotten in trouble for doing that. We take pride in what we do and in providing good clean software for all who wish it.
And by the way, it is a good thing to scan it. Do you use VirusTotal and Jotti?
Too many lonely hearts in the real world
Too many bridges you can burn
Too many tables you can't turn
Don't wanna live my life in the real world
I use AVAST AV to scan my apps... it hopefully knows malware?
I guess that's what it's all about, trust... although I don't know what crackers think of unsigned code? Open and seek? u-ha-ha-humm?
VirusTotal and Jotti are online sites that allow you to upload a file and have it scanned by probably 25 scanners between the two of them.
Too many lonely hearts in the real world
Too many bridges you can burn
Too many tables you can't turn
Don't wanna live my life in the real world
VirusTotal has 41.
Insert original signature here with Greasemonkey Script.
Cool pic of yourself: http://www.simplexitynetwork.com/mr.soup12/me.jpg
a ha ha cool pic man...
There are risks involved.
I for one would never download a file from a newcomer, signed/hashed or whatever, until he has proven himself over time, unless others who have good security procedures in effect have commented already.
Even with known folks, I scan all downloads through VirusTotal.
The problem with signing is that if the program had malicious content, signing would not tell you that, and even if the program were not malicious, if the signer signed it without realizing it was infected with a virus that he did not know he had, it would have a valid signature, but still be infected.
Checksums/hashes only tell you if the download was successfully completed.
Signatures are only as trustworthy as the person who signed them.
If you are truly concerned I would say don't download apps from this site until they are Officially Released and signed.
And all of our Official Releases come from our servers on SourceForge; I would never download a version from MakeShift.com.
Tim
Things have got to get better, they can't get worse, or can they?
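Added example, not part of the thread or any poster's code: a checksum only proves something when it comes from a channel you trust separately from the download itself. The sketch assumes an md5sum/sha256sum-style `HEX  filename` line and uses SHA-256 by default; the installer bytes, file name and function names are constructed for illustration.

```python
import hashlib
import hmac


def digest(data: bytes, algo: str = "sha256") -> str:
    """Hex digest of the installer bytes (algo may be 'md5' for legacy sums)."""
    return hashlib.new(algo, data).hexdigest()


def parse_sum_line(line: str) -> tuple[str, str]:
    """Split a 'HEX  filename' line as written by md5sum/sha256sum."""
    hex_value, name = line.strip().split(None, 1)
    return hex_value.lower(), name.lstrip("*")  # '*' marks binary mode


def matches(data: bytes, sum_line: str, algo: str = "sha256") -> bool:
    """True when the data hashes to the value in the checksum line."""
    expected, _ = parse_sum_line(sum_line)
    return hmac.compare_digest(digest(data, algo), expected)


def check_download(data: bytes, mirror_line: str, trusted_line: str,
                   algo: str = "sha256") -> str:
    """Classify a download using two checksum sources.

    mirror_line:  checksum served next to the file (same channel as the file)
    trusted_line: checksum obtained from the developer's own site or post
    """
    if matches(data, trusted_line, algo):
        return "verified"
    if matches(data, mirror_line, algo):
        # File and its co-located checksum agree with each other but not
        # with the developer: whoever changed the file also changed the sum.
        return "tampered"
    return "corrupt-or-tampered"


# Constructed sample data, not a real installer.
ORIGINAL = b"MZ constructed installer bytes v1.0"
TRUSTED_LINE = f"{digest(ORIGINAL)}  setup.exe"
TAMPERED = ORIGINAL + b" + extra payload"
MIRROR_LINE_REGENERATED = f"{digest(TAMPERED)}  setup.exe"
TRUNCATED = ORIGINAL[:10]  # incomplete download

if __name__ == "__main__":
    print(check_download(ORIGINAL, TRUSTED_LINE, TRUSTED_LINE))
    print(check_download(TAMPERED, MIRROR_LINE_REGENERATED, TRUSTED_LINE))
    print(check_download(TRUNCATED, TRUSTED_LINE, TRUSTED_LINE))
```

A match against the trusted line says the bytes are the ones the developer published; as the posts above point out, it says nothing about whether those bytes were clean when published.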