Signed Checksums

NachoLibre · April 29, 2016 at 3:41 PM

I like the work that LibreELEC puts out but I can't help notice that the install files are served in cleartext (HTTP) without providing any signed checksums. As it stands, there's no way to verify if the files I downloaded are corrupted or tampered with. If you'd like an idea of what I'm asking for, checkout the FreeBSD project and how they handle this. The project has a security team where each member has a GPG key that they use to sign text files or emails. In this case, they sign a file containing checksums for each file. With this setup, I can verify the checksums of any file in question and verify the integrity of the checksums thanks to it being signed.

Relevant Links:
FreeBSD 10.3 Release Checksum Signatures
PGP keys

Peter Nowee · December 18, 2016 at 3:11 PM

Quote from NachoLibre

I like the work that LibreELEC puts out but I can't help notice that the install files are served in cleartext (HTTP) without providing any signed checksums. As it stands, there's no way to verify if the files I downloaded are corrupted or tampered with. If you'd like an idea of what I'm asking for, checkout the FreeBSD project and how they handle this. The project has a security team where each member has a GPG key that they use to sign text files or emails. In this case, they sign a file containing checksums for each file. With this setup, I can verify the checksums of any file in question and verify the integrity of the checksums thanks to it being signed.

Relevant Links:
FreeBSD 10.3 Release Checksum Signatures
PGP keys

+1

**chewitt** · December 18, 2016 at 4:29 PM Official Post

We do publish checksum data (append ?mirrorlist to any download file URL or click the 'info' links on download pages) but that data comes from the same server as the files so fails the "could be tampered with test" and files are not served over https as we use mirrorbrain to geo-distribute downloads and avoid massive bandwidth/hosting charges - the mirrors you get files from are all http-only and outside our control. Signing is in the to-do list but I apologise and confess that rightly or wrongly it's not currently a high priority item in the list. We have quite a few other hosting/back-office things that need attention first but we'll get there eventually..

**lrusak** · December 18, 2016 at 9:08 PM Official Post

md5 sums are provided inside the img or tarball. There are md5 sums for the kernel and for the squashfs root.

I know it's not gpg signed but at least this prevents corrupt downloads.