WinSCP 6.3.3 wrong checksum

Advertisement

mrkayttaja
Joined:
Posts:
2
Location:
Finland

WinSCP 6.3.3 wrong checksum

I downloaded WinSCP 6.3.3 using this link:
https://winscp.net/download/WinSCP-6.3.3-Portable.zip/download

After unzipping: running certutil -hashfile WinSCP.exe SHA256 gives: c9a246861435ce2de81f4a9a498d35ffa0dc2ff44dbc8931226c904a910f5eb0
Running certutil -hashfile WinSCP.exe SHA1 gives: 734b5785f75b85df5314910fe0e9bf7d5500494e

Problem: https://winscp.net/download/WinSCP-6.3.3-Setup.exe/download says that the checksums should be:
SHA-256: 928dd0b8818b49106c344c937aad68d7893def75a5bf65d79aeb2cd566f239f7
SHA-1: af7f51adaf43be0d25f52e57100ff75895c4781b

Does the https://winscp.net/download/WinSCP-6.3.3-Setup.exe/download have wrong checksums or what is the case here?

PS. After installing WinSCP 6.3.3 and running it, WinSCP.exe tried to access folder %userprofile%\Documents\My Shapes\_private\

Digital signatures view says "‎This Digital Signature is OK. Name: Martin Prikryl. Signing time: Tuesday, ‎16 ‎April ‎2024 16.51.22". Operating system Windows 11.

Reply with quote

Advertisement

martin
Site Admin
martin avatar
Joined:
Posts:
41,454
Location:
Prague, Czechia

Re: WinSCP 6.3.3 wrong checksum

The checksums on download pages are for the downloaded file. So the checksum at https://winscp.net/download/WinSCP-6.3.3-Setup.exe/download is for WinSCP-6.3.3-Setup.exe, which you didn't download.

The https://winscp.net/download/WinSCP-6.3.3-Portable.zip/download shows checksums for your WinSCP-6.3.3-Portable.zip.

Checksums for individual packaged files, like the WinSCP.exe, are not published.

Reply with quote

Guest

checksum for that exact WinSCP exe is indeed on my system:

C9A246861435CE2DE81F4A9A498D35FFA0DC2FF44DBC8931226C904A910F5EB0
compared to yours...
c9a246861435ce2de81f4a9a498d35ffa0dc2ff44dbc8931226c904a910f5eb0

So those two exe's are the exact same.

If you're suggesting that you're checking because it accessed a folder... its an application that requires access to any folder possible and its difficult to say why an exact folder was chosen.

Reply with quote

zbyszko
Joined:
Posts:
4

checksums

Martin is saying that published are checkums for the portable.zip file or setup.exe so you have to checksum .zip itself and not the extracted files which were unzipped.

Reply with quote

mrkayttaja
Joined:
Posts:
2
Location:
Finland

%userprofile%\Documents\My Shapes\_private\

Ok, thanks for the replies, this explains the checksum.

The reason I started digging in was that immediately after upgrading to the latest version of 6.3.3 the WinSCP.exe tried to access %userprofile%\Documents\My Shapes\_private\ for no obvious reason. I started to compare the executable to that one in zip package then, seems to be identical. Since I haven't by myself been exploring anything under Documents with WinSCP I got suspicious. Also, I haven't noticed earlier WinSCP versions having similar behavior of trying to access files under Documents or My Shapes folders.

Reply with quote

Advertisement

martin
Site Admin
martin avatar

Re: %userprofile%\Documents\My Shapes\_private\

Isn't that folder opened in some local panel of some tab?
How do you check what folders are being accessed by WinSCP? Can you post some logs/evidence?
If you want to dig deeper, I can send you a debug build to trace what folders are accessed and for what reason.

Reply with quote

Advertisement

You can post new topics in this forum