Reputation: 62752
I would like to start checking that the open source projects that I am using in my apps are what the developers released. I noticed that many projects have SHA1 and MD5 digests; presumably these can be easily tampered with, for example if a hacker replaces the original zip file on a mirror they can also replace the .md5 and .sha1.
How can I check the integrity of third party open source libraries that I depend on?
Upvotes: 2
Views: 2827
Reputation: 17111
Typically, although an open source project is open to all to download and modify themselves, the ability to actually change the uploaded files is restricted to certain individuals governed by the project owner.
A good example is https://github.com/thecodemine/formwizard, where you can see a read-only link, but cannot modify directly unless authorised.
However, you can fork the project to your own account and modify it as you wish, for example https://github.com/AlexKey/formwizard
I'm also guessing that on large open source projects like Linux distributions, for example, even code / files uploaded by authorised individuals will also go through stringent reviews before official release.
A hacker, of course, on compromising a system could change files at will, but this isn't a weakness of an open source model but instead could be a problem for any project.
Also, things like code signing help detect unauthorised modification.
http://en.wikipedia.org/wiki/Code_signing
Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted since it was signed by use of a cryptographic hash.
Upvotes: 1
Reputation: 216
I think there is no trusted way for this, since the hacker may change the source files and their (md5 or sha1) files. He may simply replace the whole project with another one. So, download the source from trusted sites such as SourceForge and code.google.com and CodeProject and mirrors recommended by these sites.
Upvotes: 2
Reputation: 1980
You have not Googled your question. If you do so you'll get a lot of content about it. The link below will teach you how to check the integrity of a downloaded file.
https://help.ubuntu.com/community/HowToMD5SUM
You may also check the following link, which shows that it is very difficult to modify or replace the .md5 and .sha1 files.
Upvotes: 0
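The question's worry (a mirror that swaps both the archive and its .md5/.sha1 sidecar) and the answers' advice (checksums, code signing) can be shown side by side. The following is an added example, not code from any of the posters or from the formwizard project: it compares a naive check that trusts the sidecar digest served next to the file with a check against a digest pinned from an out-of-band source (the project's own HTTPS release page or a signed release note). The archive contents, the "mirror", and the pinned digest are all constructed inline; only the Python standard library is used. It uses SHA-256 rather than MD5/SHA-1 because both of those are collision-broken, and it pins a hash rather than verifying a signature, which is the stronger step the code-signing answer points at (for example `gpg --verify` against a maintainer key obtained out of band).

```python
import hashlib
import hmac

# Constructed sample standing in for the genuine release archive (not real formwizard content).
GENUINE_ARCHIVE = b"formwizard-1.0.zip: genuine release contents (constructed sample)\n"

# The digest the maintainers publish out of band (their HTTPS site, a signed announcement).
# In practice you copy this into your build config; here it is derived from the sample above.
PINNED_SHA256 = hashlib.sha256(GENUINE_ARCHIVE).hexdigest()


def sha256_hex(data: bytes, chunk: int = 65536) -> str:
    """Hex SHA-256 of the data, fed in chunks the way you would stream a large download."""
    h = hashlib.sha256()
    for i in range(0, len(data), chunk):
        h.update(data[i:i + chunk])
    return h.hexdigest()


def verify_against_sidecar(archive: bytes, sidecar_hex: str) -> bool:
    """Naive check: trust the .sha256 (or .md5/.sha1) file served beside the archive on the same mirror.
    A mirror that can replace the archive can replace this file too, so this only detects corruption."""
    return hmac.compare_digest(sha256_hex(archive), sidecar_hex.strip().lower())


def verify_against_pinned(archive: bytes, pinned_hex: str = PINNED_SHA256) -> bool:
    """Check against a digest obtained from a source the mirror does not control."""
    return hmac.compare_digest(sha256_hex(archive), pinned_hex.strip().lower())


def simulate_mirror(tampered: bool):
    """Return (archive, sidecar_digest) as a mirror would serve them.
    A compromised mirror serves a modified archive together with a matching sidecar digest."""
    if not tampered:
        return GENUINE_ARCHIVE, sha256_hex(GENUINE_ARCHIVE)
    modified = b"formwizard-1.0.zip: modified contents (constructed sample)\n"
    return modified, sha256_hex(modified)


def outcome(tampered: bool) -> dict:
    """Run both checks on what the mirror serves and report which of them pass."""
    archive, sidecar = simulate_mirror(tampered)
    return {
        "sidecar_passes": verify_against_sidecar(archive, sidecar),
        "pinned_passes": verify_against_pinned(archive),
    }


if __name__ == "__main__":
    print("honest mirror   :", outcome(tampered=False))
    print("tampered mirror :", outcome(tampered=True))
```

Running it shows the sidecar check passing in both cases, while the pinned digest fails on the tampered mirror. The lesson is that a checksum only adds assurance when the expected value comes from somewhere the attacker cannot also rewrite; pin it in your build (or verify a detached signature against a key you obtained separately) rather than reading it from the download location.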