LibreELEC.tv
Please provide checksum in order to validate downloads from the website
As the title says. It's impossible to validate a download. You need to provide at least sha1 checksums and some proper way of validation. These checksums cannot reside on the website because if the website gets compromised, so would the checksums.
We currently just offer https://releases.libreelec.tv/LibreELEC-RPi4.arm-10.0.2.img.gz?mirrorlist to view the sha256. Of course this is not safe against compromising attacks; the same goes for GitHub and the website.
ideas welcome :)
I suggest looking through some of the other open source projects to see how they do it, and then find one of the models that best suits your project. It's a must-have.
@CvH we already generate sha256 of the image. We can just copy them over to the mirrors when copying the image?
@lrusak Hashes on the same server as the images are not trusted as an attacker who compromises the server can post a bad image and matching hashes. So we need to publish them from a different location, i.e. include them in the website blog post. I think we just need to update the JSON update script so they also generate the content needed for the blog post.
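The two halves of what the thread describes, generating a sha256 manifest for the release images on the build side and checking a downloaded image against a manifest obtained from somewhere other than the mirror, as an added example that is not part of the thread and not LibreELEC's own release tooling. The file names and contents are constructed placeholders, and the function names (`build_manifest`, `verify_download`) are assumptions, not names from the project's JSON update script:

```python
"""Build a sha256 manifest for release images and verify a download against it.

Added example, not LibreELEC project code. The manifest is meant to be published
out-of-band (e.g. in the blog post), never only next to the images on the mirror.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_bytes(data: bytes) -> str:
    """sha256 hex digest of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk_size=1 << 20) -> str:
    """Stream a (possibly multi-GB) image through sha256 without loading it whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(image_paths) -> dict:
    """Build side: map each artefact's file name to its sha256 (hypothetical helper)."""
    return {Path(p).name: sha256_file(p) for p in image_paths}


def manifest_to_sha256sum_text(manifest: dict) -> str:
    """Render the manifest in the '<hash>  <name>' format that `sha256sum -c` accepts."""
    return "".join(f"{digest}  {name}\n" for name, digest in sorted(manifest.items()))


def verify_download(path, manifest: dict):
    """Download side: compare the file on disk with the out-of-band manifest entry.

    Returns (ok, message). A file that is not listed at all is treated as a failure,
    so a renamed or extra artefact cannot slip through as 'unchecked'.
    """
    name = Path(path).name
    expected = manifest.get(name)
    if expected is None:
        return False, f"{name}: not listed in manifest"
    actual = sha256_file(path)
    if actual != expected:
        return False, f"{name}: sha256 mismatch (expected {expected}, got {actual})"
    return True, f"{name}: OK"


def demo():
    """Constructed end-to-end run: two placeholder images, one tampered with in transit."""
    with tempfile.TemporaryDirectory() as tmp:
        build_dir = Path(tmp) / "build"
        build_dir.mkdir()
        # Constructed placeholder files, NOT real LibreELEC release images.
        rpi = build_dir / "LibreELEC-RPi4.arm-EXAMPLE.img.gz"
        generic = build_dir / "LibreELEC-Generic.x86_64-EXAMPLE.img.gz"
        rpi.write_bytes(b"\x1f\x8b" + b"A" * 4096)
        generic.write_bytes(b"\x1f\x8b" + b"B" * 4096)
        manifest = build_manifest([rpi, generic])  # this is what would go in the blog post

        # Simulate the user side: files come from the mirror, the manifest from elsewhere.
        dl_dir = Path(tmp) / "downloads"
        dl_dir.mkdir()
        good = dl_dir / rpi.name
        good.write_bytes(rpi.read_bytes())
        ok_good, _ = verify_download(good, manifest)

        tampered = dl_dir / generic.name
        tampered.write_bytes(generic.read_bytes() + b"\x00")  # one appended byte
        ok_bad, _ = verify_download(tampered, manifest)

        return ok_good, ok_bad


if __name__ == "__main__":
    print(demo())  # (True, False)
```

`manifest_to_sha256sum_text` exists so the same manifest can be pasted into a post and checked by users with plain `sha256sum -c`; the point of `verify_download` rejecting unlisted files is that a mismatch and a missing entry should both read as "not verified", never as a silent pass.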