Checksums for downloads (to ensure download integrity)
flux-fan last edited by flux-fan
Hi, this is an issue for all versions of f.lux.
May the web site also include the SHA1 checksum of f.lux downloads so we can check that the file we're downloading hasn't been compromised?
Earlier this year Handbrake had an issue where their mirror servers were compromised and served users malware as a result. I don't know how f.lux delivers its downloads to us, but by providing us SHA1 checksums, we can at least verify the file we've downloaded is what was intended. (It's also useful if the SHA1s are on Github or Twitter so an attacker would need to gain access to multiple accounts to deceive users.)
Handbrake issue: https://www.macrumors.com/2017/05/07/handbrake-app-security-warning-servers-hacked/
Handbrake's checksum page: https://github.com/HandBrake/HandBrake/wiki/Checksums
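
The check requested in the post above, as an added example (not part of the original post and not f.lux or HandBrake tooling): hash the downloaded file and accept it only if the SHA1 copied from every independent channel matches. The channel names, the file name and the two-channel minimum are assumptions made for illustration.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

HEX_SHA1 = re.compile(r"\b[0-9a-fA-F]{40}\b")  # exactly 40 hex chars, not part of a longer run

def file_sha1(path, chunk_size=1 << 20):
    # Stream the file so a large installer is never held in memory at once.
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def extract_digest(published_text):
    # Pull the one SHA1 out of text pasted from a channel, e.g. "SHA1: ABCD...  file".
    # Returns None when no digest is present or when several different ones appear.
    found = {m.lower() for m in HEX_SHA1.findall(published_text)}
    return found.pop() if len(found) == 1 else None

def verify_download(path, published):
    # published maps a channel name to the text copied from that channel.
    # Assumption: require at least two channels, and every one must match.
    actual = file_sha1(path)
    results = {}
    for channel, text in published.items():
        expected = extract_digest(text)
        results[channel] = expected is not None and hmac.compare_digest(actual, expected)
    ok = len(results) >= 2 and all(results.values())
    return ok, actual, results

def demo():
    # Constructed sample: a stand-in "installer" and two channel snippets.
    with tempfile.TemporaryDirectory() as d:
        installer = Path(d) / "installer.bin"
        installer.write_bytes(b"abc")
        digest = "a9993e364706816aba3e25717850c26c9cd0d89d"  # SHA1 of b"abc"
        published = {
            "website": f"SHA1: {digest.upper()}",
            "github": f"{digest}  installer.bin",
        }
        return verify_download(installer, published)

if __name__ == "__main__":
    ok, actual, results = demo()
    print("OK" if ok else "MISMATCH", actual, results)
```

A mismatch on any single channel fails the whole check, so the per-channel results show which source disagrees with the file.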