
MD5 Checksum

Jeff
Posts: 140
Joined: September 3rd, 2018, 11:18 am

MD5 Checksum

Post by Jeff »

Kind of a small thought, but because of Rainmeter's open-source nature someone can always repackage malicious code in Rainmeter. With that in mind, there is nothing on the site telling the user the installer's hash; the most reliable way for tech-savvy people that are super worried about security is getting the installer from the GitHub repo and checking that one's hash.
Plugins are also open source. This is probably far-reaching, since the user can download the plugin off the forum and compare the checksum between it and their installation; asking devs to add the hash (if they want) could also be niche.
Just... uhhhh... something that crossed my mind :P

(totally not thinking about the Chocolatey incident, though they improved the process since then)
jsmorley
Developer
Posts: 20995
Joined: April 19th, 2009, 11:02 pm
Location: Fort Hunt, Virginia, USA

Re: MD5 Checksum

Post by jsmorley »

With each and every build, we apply a paid and professional digital certificate from COMODO CA Limited to all the executable files in Rainmeter, including the installer itself. The SHA256 used by the certificate is a whole bunch more secure than just sharing some MD5 Checksum value on the website.

Using MD5 is entirely discouraged for any "security" purpose. Has been for quite a while.

Please right-click any of the .exe files, use Properties / Digital Signatures to see details.
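The Properties / Digital Signatures dialog described above can be scripted. The following is an added example, not Rainmeter project code, that does the same check with PowerShell's built-in Authenticode cmdlets and, for the hash-comparison idea raised in the opening post, also computes the file's SHA256 so it can be compared against a value obtained from a trusted source. The installer path, the optional signer-subject fragment, pinned thumbprint and expected hash are all placeholders the reader supplies; nothing here asserts what the real certificate's subject or thumbprint is.

```powershell
function Test-InstallerSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$ExpectedSubjectFragment,   # optional: substring the signer's Subject must contain (assumed, not from the thread)
        [string]$ExpectedThumbprint,        # optional: pinned signing-cert thumbprint (SHA1 hex) from an earlier trusted install
        [string]$ExpectedSha256             # optional: SHA256 of the file obtained out of band
    )

    if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }

    # Authenticode check: verifies the signature over the PE image and that the
    # certificate chain terminates in a root trusted on this machine.
    # Status is 'Valid' only if both hold; a tampered file gives 'HashMismatch'.
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $cert = $sig.SignerCertificate

    $result = [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status
        Subject    = if ($cert) { $cert.Subject } else { $null }
        Issuer     = if ($cert) { $cert.Issuer } else { $null }
        Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
        Timestamp  = if ($sig.TimeStamperCertificate) { $sig.TimeStamperCertificate.Subject } else { $null }
        Sha256     = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Ok         = $false
        Reasons    = @()
    }

    if ($sig.Status -ne 'Valid') {
        $result.Reasons += "signature status is '$($sig.Status)': $($sig.StatusMessage)"
    }
    # 'Valid' only proves *some* trusted CA issued the cert; check who the signer is.
    if ($ExpectedSubjectFragment -and $cert -and $cert.Subject -notlike "*$ExpectedSubjectFragment*") {
        $result.Reasons += "signer subject '$($cert.Subject)' does not contain '$ExpectedSubjectFragment'"
    }
    if ($ExpectedThumbprint -and $cert -and $cert.Thumbprint -ne $ExpectedThumbprint.ToUpper()) {
        $result.Reasons += "signing cert thumbprint $($cert.Thumbprint) differs from pinned $ExpectedThumbprint"
    }
    if ($ExpectedSha256 -and $result.Sha256 -ne $ExpectedSha256.ToUpper()) {
        $result.Reasons += "SHA256 $($result.Sha256) differs from expected $ExpectedSha256"
    }

    $result.Ok = ($result.Reasons.Count -eq 0)
    $result
}

# Usage; the path is a placeholder for wherever the installer was saved:
# Test-InstallerSignature -Path "$env:USERPROFILE\Downloads\Rainmeter-installer.exe" |
#     Format-List Status, Subject, Issuer, Thumbprint, Timestamp, Sha256, Ok, Reasons
```

Two caveats a practitioner would want: a `Valid` status means the bytes have not changed since signing and the chain is trusted by the local machine, not that the signer is who you expect, so read the Subject (or pin the thumbprint) rather than stopping at `Valid`. And because the check runs against the local root store, it works on a copy obtained from any mirror; only the optional revocation lookup needs network access.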
balala
Rainmeter Sage
Posts: 10968
Joined: October 11th, 2010, 6:27 pm
Location: Gheorgheni, Romania

Re: MD5 Checksum

Post by balala »

Jeff wrote:
June 18th, 2020, 4:14 pm
Kind of a small thought but because of Rainmeter's Open Source nature someone can always repackage malicious code in Rainmeter.
Besides jsmorley's technical information, I think this is why users should always download the Rainmeter installer only from https://www.rainmeter.net/. I suppose if they do so, the downloaded package can't have malicious code.
Jeff
Posts: 140
Joined: September 3rd, 2018, 11:18 am

Re: MD5 Checksum

Post by Jeff »

jsmorley wrote:
June 18th, 2020, 4:52 pm
With each and every build, we apply a paid and professional digital certificate from COMODO CA Limited to all the executable files in Rainmeter, including the installer itself. The SHA256 used by the certificate is a whole bunch more secure than just sharing some MD5 Checksum value on the website.
Please right-click any of the .exe files, use Properties / Digital Signatures to see details.
Makes sense. I even remember now seeing the certificate renewal post on the forum, but my brain just went poof somewhere down the line.
balala wrote:
June 18th, 2020, 6:26 pm
I suppose if they do so, the downloaded package can't have malicious code
I was thinking of the Chocolatey situation where it used to be packaged with MSI Afterburner and didn't specify the site for download. Of course they have changed since then: the installation process is just a PowerShell script that downloads the installer from the official site and uses AutoHotkey to automate the process (and it gained a trusted package checkmark some time ago). I was thinking having a middleman somewhere to confirm the validity would have done it for more paranoid people (doesn't make sense the more I think about it), but with what js specified earlier with the technical lingo everything should be fine.
The question is, for sites like rainmeter.cn (when it's not under DDoS attack), how are people gonna make sure the installer is safe if they don't know about rainmeter.net and only know the Chinese site (GitHub is also blocked in China, so no mirror download or Chocolatey install for them)? The problem is the Great Firewall and not the dev team's problem here.