Creating a trusted sha256sum.exe binary for verifying *-CHECKSUM files on Windows

Todd Zullinger tmz at pobox.com
Tue Nov 24 18:06:03 UTC 2009


Jesse Keating wrote:
> Well, if you have to use a tool from the project, to verify other
> bits from the project, the verification just became a lot less
> trusted.  If you don't trust the bits you got from the project, why
> would you trust the tool the project gives you to verify the bits?
> "Here use this tool to verify our bits.  Trust us, we swear!"

At some point, people need to bootstrap.  The situation now is that
there isn't a well trusted tool on Windows that we can point users to
for verifying the *-CHECKSUM files (if you know differently, please
let me know).  I'd like to improve that by providing a sha256sum.exe
that we can provide source code for, just as any decent cryptographic
tool should have.

I also think it's important to keep in mind that the use for the
sha256sum.exe is to verify that the bits they downloaded are intact,
not that they have not been altered.  To verify authenticity, checking
the PGP signature on the *-CHECKSUM file is required.  We explain how
to do both on https://fedoraproject.org/verify.  Many users,
especially Windows users, only care about verifying the data's
integrity.

I believe that providing a sha256sum.exe via https://fp.o/ is surely
an improvement over "Download the .iso and hope it works or check it
with some third-party checksum tool that we can't even hope to
verify."

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
You will rue this day!  Well, go on!  Start ruing!
    -- Stewie Griffin
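
The integrity check discussed in this message, as an added example that is not part of the original e-mail and is not the sha256sum.exe proposed in it: a short checker for a *-CHECKSUM file. The two entry layouts it accepts are assumptions, and it does not check any PGP signature, so a pass shows only that the files match the list, not that the list is authentic.

```python
import hashlib
import os
import re
import tempfile

# Accepted entry styles (assumed layouts); PGP armor lines match neither and are skipped.
GNU_LINE = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")           # "<hex> *name"
BSD_LINE = re.compile(r"^SHA256 \((.+)\) = ([0-9a-fA-F]{64})$")  # "SHA256 (name) = <hex>"


def parse_checksum_text(text):
    """Return {filename: lowercase hex digest}. Any PGP signature is NOT checked."""
    entries = {}
    for line in text.splitlines():
        gnu, bsd = GNU_LINE.match(line), BSD_LINE.match(line)
        if gnu:
            entries[gnu.group(2)] = gnu.group(1).lower()
        elif bsd:
            entries[bsd.group(1)] = bsd.group(2).lower()
    return entries


def sha256_file(path, chunk_size=1 << 20):
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):  # never load a whole .iso
            digest.update(chunk)
    return digest.hexdigest()


def verify(checksum_text, directory):
    """Return {filename: "OK" | "FAILED" | "MISSING"} for files in `directory`."""
    results = {}
    for name, expected in parse_checksum_text(checksum_text).items():
        # Use only the bare file name so an entry cannot point outside `directory`.
        path = os.path.join(directory, os.path.basename(name))
        if not os.path.isfile(path):
            results[name] = "MISSING"
        else:
            results[name] = "OK" if sha256_file(path) == expected else "FAILED"
    return results


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # constructed sample data
        path = os.path.join(d, "a.iso")
        with open(path, "wb") as f:
            f.write(b"constructed sample data")
        listing = f"{sha256_file(path)} *a.iso\nSHA256 (b.iso) = {'0' * 64}\n"
        print(verify(listing, d))
```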
