Sublime Forum

Checksums and signature for downloads

#1

Where are they? Downloading an executable over HTTP from a CDN without the ability to verify the integrity of the executable is mad.

Please sign your executables and provide secure access to the signature file. I am also looking for SHA256 hashsums of the executables.

Thank you.

0 Likes

#2

I strongly agree with OP.

1½ years later and this information still doesn’t appear alongside the downloads.

Please publish signatures with your downloads!

0 Likes

#3

We no longer utilize a CDN and serve the downloads from a server wholly controlled by us, over TLS.

3 Likes

#4

That might be the case - but I still have no way to check packages on my end.

Without PGP signatures and/or hashsums along with the packages I can’t attain a reasonable degree of confidence that the file I have received was published by you and that the file integrity remains.

These are commonly used tools. They exist for good reasons.

If this doesn’t sound like a problem to you, then I am not sure what arguments would convince you…

0 Likes

#5

If you can’t trust our TLS connection, there is no way to securely send public keys or checksums… so I guess you’ll just have to trust it.

3 Likes

#6

I am ok with the status quo. While the download was available only over a CDN, this was different.
You are right, if you sign the files and put the signature and a link to your public key on your server there is not much gained.

  • A state actor able to intercept my packets could still spoof a DNS reply, sending me to their own server. This redirection would only make sense if they are able to forge valid TLS certs for your CA. Once I am on their doppelganger server, they would swap the executable for an infected one, signed by their own spoof public key. But remember, from there on they would have to redirect me every time I try to connect to sublimetext.com, or else I would get hold of the original executable, which would be signed by the actual author of SublimeText, thus the spoofed public key from the state actor would not match, and I get a warning of an unmatched signature, alerting me.
  • The other threat is hackers, hacking your server and swapping the executable for an infected one. As actually happened with the BitTorrent client Transmission for Mac. Their server got hacked and the hackers swapped the client for an infected double. The funny part: the authors signed their exec, as “required” for Mac software. But the hackers signed the infected file with a valid key too :smiley:. Probably stolen from a Turkish software developer. So there was no big value in the Apple/Mac signature, as no one knew the developer’s public signing key. The Mac just tested for a signature made by a valid key signed by Apple. Apple didn’t take into account that a hacker could steal the private key of a clueless software developer to sign software.

But there are still reasons to sign the executable:

  • If Apple did certificate pinning once a piece of software gets installed, the hackers of the Transmission software’s server could not have played as they did.
  • If the developers of Transmission had published their public key on Twitter & Co., the paranoid among their users could have detected the disparity between the signing key on the download site and the one on Twitter. It is safe to assume that it would not be as trivial to hack the software developer’s server AND get hold of the passwords for their Twitter, Facebook and Google+ accounts to swap the key everywhere. The developers of VeraCrypt do that.

I totally understand if you opine that it’s not worth the hassle, but let me ask this. If I were to develop a system for developers to automate the process of signing and public key distribution, would you have any wishes?

0 Likes

#7

EDIT: It can be assumed that it would be harder for a state actor too, to be in control of sublimetext.com’s CA, Twitter’s CA, and so on. As they would have to generate spoofed keys for all those sites to covertly redirect me, if I query those sites to have a look at the public key deposited there.

sublimetext.com has a cert from COMODO
twitter.com from Symantec
facebook.com from DigiCert
google.com from… Google :slightly_smiling:

The chances are low that they can forge keys for all of them.

Defending against a state actor is security theater nonetheless, so the main purpose is to thwart server hacks as happened with Transmission.

0 Likes

#8

Just for the record, the Sublime Text application is signed on OS X and Windows, where an OS binary signing system is provided. The installer on Windows is also signed.

0 Likes

#9

Claiming that we have to trust the TLS connection because otherwise nothing can be trusted is a false statement.

As pointed out, in a scenario where the private signing key remains secure and the public key has been spread across multiple platforms secured by other encryption keys, a TLS connection is not even required for the user to detect an invalid file with reasonable confidence. Since the public key can’t validate the false packages and package signatures, I would be able to check for myself. So either I happily conclude that the downloaded packages are not corrupted and have valid integrity and go on to install them, or I will know that they are likely compromised and that I should not install them.

As pointed out, the signatures added to Windows and OSX installers provide, at best, only superficial security and, at worst, give a false sense of security, since the OS only checks whether the signature is valid and not whether it is the signature held by the software developer. Also, it leaves Linux users hanging with no way of checking whether the files you offer for download are the files you think they are.

0 Likes
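The distinction drawn in posts #6 and #9, between "is there a valid signature?" and "is this the vendor's signature?", is easy to see in code. The following is an added example written for this page, not code from Sublime HQ or from the Transmission project: it models a download page that serves an artifact, a SHA256SUMS-style checksum file, a detached Ed25519 signature and the vendor's public key, then checks it two ways. `Verify` compares the page's key against a key the user pinned from another channel; `NaiveVerify` accepts any signature that verifies under whatever key came with the download, which is the behaviour the thread criticises. The type and function names, the file name `editor.tar.xz`, the Ed25519 choice and the sample build contents are all this example's own assumptions.

```go
package main

import (
	"bufio"
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Release models what a download page serves: the artifact, a SHA256SUMS-style
// checksum file, a detached signature over the artifact, and the public key
// displayed next to the download. The field names are this example's own.
type Release struct {
	Name      string
	Artifact  []byte
	Sums      string            // "<hex sha256>  <filename>" lines, as sha256sum prints them
	Signature []byte            // detached Ed25519 signature over Artifact
	SiteKey   ed25519.PublicKey // key published on the download page itself
}

// Publish is the vendor side: hash and sign the build with the vendor's private key.
func Publish(priv ed25519.PrivateKey, name string, artifact []byte) Release {
	sum := sha256.Sum256(artifact)
	return Release{
		Name:      name,
		Artifact:  artifact,
		Sums:      fmt.Sprintf("%s  %s\n", hex.EncodeToString(sum[:]), name),
		Signature: ed25519.Sign(priv, artifact),
		SiteKey:   priv.Public().(ed25519.PublicKey),
	}
}

// LookupSum finds the expected hex digest for name in a SHA256SUMS-style file.
func LookupSum(sums, name string) (string, error) {
	sc := bufio.NewScanner(strings.NewReader(sums))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) == 2 && fields[1] == name {
			return strings.ToLower(fields[0]), nil
		}
	}
	return "", fmt.Errorf("no checksum entry for %q", name)
}

// Verify is the user side. pinnedKey is the vendor key obtained from a channel
// other than the download page (an earlier install, a key server, a social
// profile). Any of the three checks failing rejects the download.
func Verify(r Release, pinnedKey ed25519.PublicKey) error {
	want, err := LookupSum(r.Sums, r.Name)
	if err != nil {
		return err
	}
	got := sha256.Sum256(r.Artifact)
	if hex.EncodeToString(got[:]) != want {
		return errors.New("checksum mismatch: artifact altered or sums file stale")
	}
	if !bytes.Equal(r.SiteKey, pinnedKey) {
		return errors.New("key on download page differs from pinned key")
	}
	if !ed25519.Verify(pinnedKey, r.Artifact, r.Signature) {
		return errors.New("signature does not verify under the vendor key")
	}
	return nil
}

// NaiveVerify models a check that only asks "is there a valid signature?",
// using whatever key came with the download. It cannot tell the vendor's key
// from an attacker's, which is the weakness discussed in the thread.
func NaiveVerify(r Release) bool {
	want, err := LookupSum(r.Sums, r.Name)
	if err != nil {
		return false
	}
	got := sha256.Sum256(r.Artifact)
	return hex.EncodeToString(got[:]) == want &&
		ed25519.Verify(r.SiteKey, r.Artifact, r.Signature)
}

func main() {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)

	// Constructed sample: the vendor's genuine build ...
	genuine := Publish(vendorPriv, "editor.tar.xz", []byte("genuine build"))
	// ... and the server-compromise case: the attacker swaps the build and
	// re-signs everything with their own key, so the page stays self-consistent.
	swapped := Publish(attackerPriv, "editor.tar.xz", []byte("backdoored build"))

	fmt.Println("genuine, pinned key:", Verify(genuine, vendorPub))
	fmt.Println("swapped, naive check accepts:", NaiveVerify(swapped))
	fmt.Println("swapped, pinned key:", Verify(swapped, vendorPub))
}
```

The swapped release passes `NaiveVerify` because the checksum, signature and key on the page all agree with each other; only the comparison against a key obtained elsewhere (the cross-channel publication post #6 describes) catches it. The same structure applies to a PGP detached signature over a SHA256SUMS file, with the pinned key fingerprint taking the place of `pinnedKey`.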