MD5 Checksum

[Jeff]

Kind of a small thought but because of Rainmeter's Open Source nature someone can always repackage malicious code in Rainmeter. With that in mind, there is nothing on the site telling the user the installer's hash, the most reliable way for tech-savvy people that are super worried about security is getting the installer from the Github repo and checking that one's hash.
Plugins are also open source, this is probably far reaching since the user can download the plugin off the forum and compare the checksum between it and their installation, asking devs to add the hash (if they want) could also be niche.
Just... uhhhh... something that crossed my mind :P

(totally not thinking about the chocolaty incident, though they improved the process since then)

[jsmorley]

With each and every build, we apply a paid and professional digital certificate from COMODO CA Limited to all the executable files in Rainmeter, including the installer itself. The SHA256 used by the certificate is a whole bunch more secure than just sharing some MD5 Checksum value on the website.

Using MD5 is entirely discouraged for any "security" purpose. Has been for quite a while.

Please right-click any of the .exe files, use Properties / Digital Signatures to see details.

[balala]

Kind of a small thought but because of Rainmeter's Open Source nature someone can always repackage malicious code in Rainmeter.

Beside jsmorley's technical information, I think this is why users should always download the Rainmeter installer only from https://www.rainmeter.net/. I suppose if they do so, the downloaded package can't have malicious code

[Jeff]

With each and every build, we apply a paid and professional digital certificate from COMODO CA Limited to all the executable files in Rainmeter, including the installer itself. The SHA256 used by the certificate is a whole bunch more secure than just sharing some MD5 Checksum value on the website.
Please right-click any of the .exe files, use Properties / Digital Signatures to see details.

Makes sense, I even remember now seeing the certificate renew post on the forum but my brain just went poof somewhere down the line

I suppose if they do so, the downloaded package can't have malicious code

I was thinking of the Chocolatey situation where it used to be packaged with MSIAfterburner and didn't specify the site for download, of course they have changed since then, the installation process is just a Powershell script that downloads the installer form the official site and use AutoHotKey to automate the process (and it gained a trusted package checkmark some time ago). I was thinking having a middleman somewhere to confirm the validity would have done it for more paranoid people (doesn't make sense the more I think about it), but with what js specified earlier with the technical lingo everything should be fine.
The question is for sites like rainmeter.cn (when it's not under DDOS attack) how are people gonna make sure the installer is safe if they don't know about rainmeter.net and only the chinase site (github is also blocked in china so no mirror download or chocolatey install for them). The problem is the great firewall and not the dev team's problem here.