Installer not signed nor with MD5 hash

p82947
2010-07-06
2013-11-30
  • p82947
    2010-07-06

    I'd have a much better feeling if the installer was signed or at least an MD5 hash given. As it is now, I cannot be sure whether the program got compromised or not. Especially such a program would be a worthy target to compromise.

    Please sign it, Dominik.

     
  • p82947
    2010-07-06

    Ah, OK. Just saw the MD5 sums :)

     
  • DeanO
    2010-07-06

    P82947 - It would be safer to use SHA-1 to check the integrity of the installer as MD5 is much more susceptible to collisions. 

    http://www.mscs.dal.ca/~selinger/md5collision/

    Dean

     
  • Kistic
    2013-11-29

    DeanO is right. The MD5 algorithm has been severely compromised and should not be used for security. SHA-1 is secure, but signed installers are better. They are much easier to check, and can be safely run from user folders.

    Will you please sign the installer and extract any installation files to system temp folders (instead of vulnerable user temp folders)?

     
  • Paul
    2013-11-30

    SHA-1 sums for all files are here: http://keepass.info/integrity.html

    cheers, Paul