Why don't team use checksum (md5 or sha1) on theirs releases?

Discussion in 'Lounge' started by Windows97, Jan 17, 2022.

  1. Windows97

    Windows97 Ultrasonic

    Joined:
    Mar 14, 2016
    Messages:
    78
    Likes Received:
    30
    Location:
    Brazil
    Thinking this i just realized that could decreased downloads/views on the sister site, others mirrors could be used with no fear of byte manipulation/injection, there's others negative things?

    The positive side is that releases on aging process and falling apart from official mirrors, can be verified if found in other places, keeping there's trust, no DMCA will be enough.

    The Digest (made by md5 or sha1 algo) could be encrypted with a team private key, and decrypt with an team public key (that any one could have) on an asymmetric encryption.

    It's maybe utopia, i don't have a clue if could work, you have a opinion?
     
  2.  
  3. demberto

    demberto Rock Star

    Joined:
    Nov 27, 2018
    Messages:
    931
    Likes Received:
    325
    That is smart, since plain text md5 / sha1 can itself be changed as well making that useless

    R2R has a certificate system, if you have installed the certificate, all legit R2R releases (except the exceptions which they mentioned in their NFO) will show up as from a "trusted" source when installer is opened asking for admin rights on Windows.

    VR encrypts its installers and uses its own version of Inno Setup, I never saw a VR keygen. They patch binary directly. So its impossible for anybody to directly patch the setup unless he knows how to unpack VR setup. Someone with decent RE knowledge can probably do it tho
     
    • Interesting Interesting x 1
    • List
  4. Windows97

    Windows97 Ultrasonic

    Joined:
    Mar 14, 2016
    Messages:
    78
    Likes Received:
    30
    Location:
    Brazil
    I missed this release but found now on the sister site, a lot better than my idea, thanks!
     
Loading...
Loading...