checksums WinSCP-5.19.2-Setup.exe do not match download


Johnx
Posts: 2

checksums WinSCP-5.19.2-Setup.exe do not match download

1 bug; 2 enhancement requests

Bug
The download page lists:
MD5: bc283773ee1947bd5b27a0e0a3de8525
SHA-1: 180b7d545db9d27334eafb77c99d308dda898a67
SHA-256: 402ef66d76d00bc08fbc1d92d2cfeb923e3b36452dd7958abfc6d7cd207395c5

The downloaded file has:
MD5: bacd0340266894cfcbc1b5dfe2a75a3e
SHA1: 4af648aa8de84d7405a83328dd19ea93019489c8
SHA256: 4a2ed177b820db55723433cc2770d554e20d7ecaae11bbf24cde496519874894

Enhancement req. 1:
Please supply GnuPG signatures for executables. Even though the downloaded executable is signed, a man-in-the-middle attack could replace it. The ability to verify using a long lasting GnuPG key solves that problem.

Enhancement req. 2:
Also, you'd do good by removing reCaptcha to register or post. reCaptcha is Google, it's flawed and it only serves Google (get millions of people to work for free for Google by solving one puzzle for their AI project after another, to no end) and it's definitely not private and thus not secure. Please use a local server-hosted verification method.


Jacob1
Guest

My hashes are as listed

I downloaded the setup package via 2 different Sourceforge mirrors just now - both downloads produced the same hash as listed on the DL page.

Thumbs up for the 2 enhancement requests.


martin
Site Admin
Posts: 41,518
Location: Prague, Czechia

Re: checksums WinSCP-5.19.2-Setup.exe do not match download

Johnx wrote:

Please supply GnuPG signatures for executables. Even though the downloaded executable is signed, a man-in-the-middle attack could replace it. The ability to verify using a long lasting GnuPG key solves that problem.

Thanks for your suggestion. WinSCP binaries are signed by a long-lasting code-signing certificate.
https://winscp.net/eng/docs/installation#verifying
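
The two checks discussed in this thread, as an added example that is not part of any post above and is not WinSCP's own code: compare the downloaded file against the checksums quoted from the download page, then inspect its Authenticode signature. The file path, the function names and the `<EXPECTED-SIGNER-SUBJECT>` placeholder are assumptions; take the expected signer from the vendor documentation linked above.

```powershell
param(
    [string]$Path = '.\WinSCP-5.19.2-Setup.exe',          # assumed download location
    [string]$ExpectedSigner = '<EXPECTED-SIGNER-SUBJECT>'  # placeholder, not from the thread
)

# Checksums the first post quotes from the download page.
$published = [ordered]@{
    MD5    = 'bc283773ee1947bd5b27a0e0a3de8525'
    SHA1   = '180b7d545db9d27334eafb77c99d308dda898a67'
    SHA256 = '402ef66d76d00bc08fbc1d92d2cfeb923e3b36452dd7958abfc6d7cd207395c5'
}

# Hash the file with every published algorithm and report each result.
function Test-PublishedHash {
    param([string]$File, [System.Collections.IDictionary]$Expected)
    foreach ($alg in $Expected.Keys) {
        $actual = (Get-FileHash -LiteralPath $File -Algorithm $alg).Hash
        [pscustomobject]@{
            Algorithm = $alg
            Actual    = $actual.ToLowerInvariant()
            Match     = [string]::Equals($actual, $Expected[$alg],
                            [StringComparison]::OrdinalIgnoreCase)
        }
    }
}

# Check the embedded code signature and who signed it.
function Test-InstallerSignature {
    param([string]$File, [string]$Signer)
    $sig = Get-AuthenticodeSignature -LiteralPath $File
    # Unsigned files have no signer certificate at all.
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    [pscustomobject]@{
        Status        = $sig.Status
        Subject       = $subject
        Trusted       = ($sig.Status -eq 'Valid')
        SignerMatches = ($subject.IndexOf($Signer, [StringComparison]::OrdinalIgnoreCase) -ge 0)
    }
}

if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }
$hashes = @(Test-PublishedHash -File $Path -Expected $published)
$sig    = Test-InstallerSignature -File $Path -Signer $ExpectedSigner
$hashes | Format-Table Algorithm, Match, Actual -AutoSize
$sig    | Format-List

# Fail closed: any mismatch, an invalid signature or an unexpected signer.
if (($hashes.Match -contains $false) -or -not $sig.Trusted -or -not $sig.SignerMatches) {
    Write-Error 'Verification failed: do not run this installer.'
    exit 1
}
```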
