Checksums for downloads?

[CommitedHoneyBadger]

Could you provide the SHA256 or SHA512 checksums for file downloads?
Would be much appreciated to verify integrity.

[GitHubRulesOK]

there would be 6 checksums per day release but none would necessarily prove anything the simplest check is usually virus total

HOWEVER taking the current 32 bit release the result will include a false positive so what value is the SHA it works or fails the loaded signature test. And really there is nothing wrong.

https://www.virustotal.com/gui/file/3742ea75980ab132eeb84bc2d3a569a3919ff5dd5a000b820e982eeebf4f1dd1/details

[CommitedHoneyBadger]

Thank you for the reply. Great PDF reader by the way. It's fast, provides a great index and just works... perfect for what I need. So, to anyonewho cares about security, tampering with artifacts is a real concern. If someone intercepts and changes the package from the CDN or storage location, noone would notice unless there is a SHA256 (not SHA1!) provided and served from a different location thatn the file storage. I can't really understand what you mean by the virustotal part. If you mean the virustotal SHA values would prove integrity, I beg to differ. I need the SHAs from you - if I am to trust it. Automating it through an upload script would suffice. I assume you have an automated build setup. That setup could generate the SHA256 and deliver it as an artifact. Your script grabs it and uploads to a different storage location than the file repos. That does the trick... Thanks.

…

-- Egil Rausner ***@***.*** Tlf.: +45 29 877 999 http://www.linkedin.com/in/egilrausner

On Thursday, 10 July 2025 at 3:37 PM, GitHubRulesOK ***@***.***> wrote: there would be 6 checksums per day release but none would necessarily prove anything the simplest check is usually virus total HOWEVER taking the current 32 bit release the result will include a false positive so what value is the SHA it works or fails the loaded signature test. And really there is nothing wrong. https://www.virustotal.com/gui/file/3742ea75980ab132eeb84bc2d3a569a3919ff5dd5a000b820e982eeebf4f1dd1/details — Reply to this email directly, [view it on GitHub](#5017 (comment)), or [unsubscribe](https://github.com/notifications/unsubscribe-auth/BFSOJ2DK4POOYLSWIKDA7JT3HZUBBAVCNFSM6AAAAACBGWGVM2VHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTGNZSGEYDINA). You are receiving this because you authored the thread.Message ID: ***@***.***>

[kjk]

I don't provide them because if someone hacks my website and modifies the files, they can also modify the checksums.

[CommitedHoneyBadger]

And that would be harder than simply replacing the binaries. I disagree, and I urge you to provide the SHAs.

…

-- Egil Rausner ***@***.*** Tlf.: +45 29 877 999 http://www.linkedin.com/in/egilrausner

On Thursday, July 10th, 2025 at 4:54 PM, Krzysztof Kowalczyk ***@***.***> wrote: I don't provide them because if someone hacks my website and modifies the files, they can also modify the checksums. — Reply to this email directly, [view it on GitHub](#5017 (comment)), or [unsubscribe](https://github.com/notifications/unsubscribe-auth/BFSOJ2A7PWW5BR6SRKOXOJT3HZ5ATAVCNFSM6AAAAACBGWGVM2VHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTGNZSGE4TAMQ). You are receiving this because you authored the thread.Message ID: ***@***.***>

[GitHubRulesOK]

Same as PDF security is a false concept (since ALL are editable files even after signing or securing)
So is the use of Hashes all it proves is some exploit has a SHA of any number even 1024 or 512 or 256 or 1.
Basically it lulls people into a false sense of security. Here is a SHA so trust me.

The use of file signature is supposed to be the correct way to indicate no tampering, but I too can sign a PDF or EXE file as if you.
Hashes were ESSENTIAL in the days of Wells Fargo Telegraph transmits but modern transmissions usually indicate a corrupted file and that is what a HASH does confirm the exploit is still an exploit.

[CommitedHoneyBadger]

I work in security. I know for sure, nothing is secure. Which is also why I'm asking for a SHA. It's not about SHA being some holy grail. It's about putting enough hoops and checks in place to make it sufficiently difficult to hack. Defense in depth. A SHA doesn't prevent someone from hijacking your account as a developer, spearfishing your credentials, injecting themselves in your pipeline and taking over certificates and infrastructure for signing your binaries and infecting my and other user's computers. My sense of security is in no way lulled by a SHA. But it does make it one​ step more difficult to just replace the binary with a malware infected one. You have a lock on your door, I presume. Most people do. You probably also lock it when you leave, and close the windows. But you might not have a steel padded, reinforced door with five locks and biometric, fob and pin to enter. I'd be much surprised if you did. That small thing... locking the door, is that lulling you into believing you are safe? Anyone can break in and take whatever they want - right? But you lock your door anyways. Because it prevents people from just opening the door and taking anything they want. Maybe you even have a burglar alarm. Next level security. You have a password and pin on you laptop and phone. And maybe a GPS tracker on your most precious belongings. You make it difficult to just take your stuff. So... My point is: Instead of arguing that a SHA doesn't make your software secure, start improving your security piece by piece. And I would absolutely love a SHA, if you provide one. But I won't replace any SHA you provide for a virus and malware scanner and checking whether your binary is signed, checking my network traffic for malicious activity, sink holing outbound DNS and so forth. But it will make me believe you made an effort. Thanks.

…

On Thursday, July 10th, 2025 at 10:25 PM, GitHubRulesOK ***@***.***> wrote: Same as PDF security is a false concept (since ALL are editable files even after signing or securing) So is the use of Hashes all it proves is some exploit has a SHA of any number even one billion. Basically it lulls people into a false sense of security. Here is a SHA so trust me. The use of file signature is supposed to be the correct way to indicate no tampering, but I too can sign a PDF or EXE file as if you. — Reply to this email directly, [view it on GitHub](#5017 (reply in thread)), or [unsubscribe](https://github.com/notifications/unsubscribe-auth/BFSOJ2DSVR26KF5M4GMWRSL3H3D45AVCNFSM6AAAAACBGWGVM2VHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTGNZSGQ4TOOI). You are receiving this because you authored the thread.Message ID: ***@***.***>