Forum » Support and Bug Reports »

Post a reply

Before posting, please read how to report bug or request support effectively.

Bug reports without an attached log file are usually useless.

Username

Subject

Message body

Font colour:

Font size:

Options

Disable BBCode in this post

Notify me when a reply is posted (registered users only)

Add an Attachment

If you do not want to add an Attachment to your Post, please leave the Fields blank.

Filename

(maximum 10 MB; please compress large files; only common media, archive, text and programming file formats are allowed)

File Comment

Options

Private file (available to author and site moderators only)

Topic review

martin

Re: checksums WinSCP-5.19.2-Setup.exe do not match download

2021-07-26

Johnx wrote:

Please supply GnuPG signatures for executables. Even though the downloaded executable is signed, a man-in-the-middle attack could replace it. The ability to verify using a long lasting GnuPG key solves that problem.

Thanks for your suggestion. WinSCP binaries are signed by long-lasting code-signing certificate.
https://winscp.net/eng/docs/installation#verifying

Johnx

2021-07-22 22:24

Thanks for checking @Jacob1! Yes, you're right, they match. Perhaps the hashtool I used didn't use the designated file.

Bug invalid, 2 enhancement requests left. :)

Jacob1

My hashes are as listed

2021-07-22 21:17

I downloaded the setup package via 2 different Sourceforge mirrors just now - both downloads produced the same hash as listed on the DL page.

Thumbs up for the 2 enhancements requests.

Johnx

checksums WinSCP-5.19.2-Setup.exe do not match download

2021-07-22 20:59

1 bug; 2 enhancement requests

Bug
The download page lists:

MD5: bc283773ee1947bd5b27a0e0a3de8525

SHA-1: 180b7d545db9d27334eafb77c99d308dda898a67

SHA-256: 402ef66d76d00bc08fbc1d92d2cfeb923e3b36452dd7958abfc6d7cd207395c5

The downloaded file has:

MD5: bacd0340266894cfcbc1b5dfe2a75a3e

SHA1: 4af648aa8de84d7405a83328dd19ea93019489c8

SHA256: 4a2ed177b820db55723433cc2770d554e20d7ecaae11bbf24cde496519874894

Enhancement req. 1:
Please supply GnuPG signatures for executables. Even though the downloaded executable is signed, a man-in-the-middle attack could replace it. The ability to verify using a long lasting GnuPG key solves that problem.

Enhancement req. 2:
Also, you'd do good by removing reCaptcha to register or post. reCaptacha is Google, it's flawed and it only serves Google (get millions of people to work for free for Google by solving one puzzle for their AI project after another, to no end) and it's definitely not private and thus not secure. Please use a local server hosted verification method.

Post a reply

Topic review

Re: checksums WinSCP-5.19.2-Setup.exe do not match download

My hashes are as listed

checksums WinSCP-5.19.2-Setup.exe do not match download

Documentation

Support

Associations

Follow Us