Winetricks / winetricks

Winetricks is an easy way to work around problems in Wine


Are verbs allowed to download files with SHA256 sums provided from a developer's website?

WheezyE opened this issue · comments

Hi there,

I would like to add a verb to winetricks for a radio modem called VARA, but the developer updates it a lot and future versions break compatibility with older versions. The developer does not provide an auto-update feature within VARA, so I cannot have winetricks just install an old version and have it auto-update.

I would like to write a winetricks verb that retrieves an SHA256 hash from the developer's website (haven't figured out how to do that POSIXly yet) and then uses that hash to download from a static location (for example, something like: https://downloads.winlink.org/VARA%20Products/VARA%20HF%20setup%20latest.zip - I'll talk to the website admins about adding a static link).

Does that sound feasible at all?

> Hi there,
>
> I would like to add a verb to winetricks for a radio modem called VARA, but the developer updates it a lot and future versions break compatibility with older versions. The developer does not provide an auto-update feature within VARA, so I cannot have winetricks just install an old version and have it auto-update.

You could point to an archive.org snapshot instead, but that has its own issues (it often is under heavy load and sometimes fails).

> I would like to write a winetricks verb that retrieves an SHA256 hash from the developer's website (haven't figured out how to do that POSIXly yet) and then uses that hash to download from a static location (for example, something like: https://downloads.winlink.org/VARA%20Products/VARA%20HF%20setup%20latest.zip - I'll talk to the website admins about adding a static link).
>
> Does that sound feasible at all?

Not really, as that defeats the purpose of recording the known checksum (if an attacker controls the domain you're downloading from, they also control the checksum, so they can change both). The checksum is optional, so you could just skip it.

That's a good point that the hash could be compromised if a server was compromised. I didn't know that SHA256 was optional. That's great info that I think I'll be able to leverage for one of my own projects. Thank you! I'll close this issue.
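
The reply's point about same-origin checksums, as an added example that is not part of the original thread and is not winetricks code. A local directory stands in for the download server; the function names, file names and file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: a digest pinned in the script versus a digest fetched from
# the same origin as the download. All names and contents are constructed.

sha256_of() {
    # Print only the hex digest of the file given as $1.
    sha256sum "$1" | cut -d' ' -f1
}

# Check against a digest the verb author recorded in the script itself.
verify_pinned() {
    # $1 = downloaded file, $2 = pinned digest
    [ "$(sha256_of "$1")" = "$2" ]
}

# Check against a digest published next to the file on the same server.
verify_same_origin() {
    # $1 = downloaded file, $2 = checksum file fetched from the same origin
    [ "$(sha256_of "$1")" = "$(cut -d' ' -f1 < "$2")" ]
}

demo() {
    # A temporary directory plays the role of the download origin.
    origin=$(mktemp -d) || return 2
    printf 'installer v1\n' > "$origin/setup.zip"
    sha256_of "$origin/setup.zip" > "$origin/setup.zip.sha256"
    pinned=$(sha256_of "$origin/setup.zip")   # recorded when the verb was written

    # Whoever controls the origin replaces the file and republishes the digest.
    printf 'tampered installer\n' > "$origin/setup.zip"
    sha256_of "$origin/setup.zip" > "$origin/setup.zip.sha256"

    if verify_same_origin "$origin/setup.zip" "$origin/setup.zip.sha256"; then
        same_origin=accepted
    else
        same_origin=rejected
    fi
    if verify_pinned "$origin/setup.zip" "$pinned"; then
        pin=accepted
    else
        pin=rejected
    fi
    rm -rf "$origin"
    echo "same-origin=$same_origin pinned=$pin"
}

demo
```

A legitimate upstream release changes the file in the same way, so the pinned check also rejects it until the verb is updated; that is the trade-off behind the suggestion to skip the optional checksum rather than fetch it.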