DOSBox digital signatures or official file hashes


Post by malicious » 2018-10-28 @ 20:10

The thread on an alternative download site for DOSBox brought up an interesting question, that is, how to trust an unofficial mirror with no established reputation. The suggestion to ask the developers for their blessing before putting up such a mirror is well and good as a matter of courtesy, but that alone doesn't solve the problem. Even if the developers have the time and interest to audit a fan site once for initial approval, they would also need to repeat the process on an ongoing basis to ensure that the site remains a trustworthy source for the project's files. My guess is the DOSBox developers don't want that extra work.

Another possible solution is to digitally sign files or provide official cryptographic hashes for them. That would allow users to verify the integrity of the files regardless of where they're downloaded from, be it a fan site or SourceForge, should they experiment with injecting adware into project files again.
malicious
Newbie
 
Posts: 4
Joined: 2018-9-18 @ 17:17

Re: DOSBox digital signatures or official file hashes

Post by Yesterplay80 » 2018-10-29 @ 08:37

malicious wrote: Another possible solution is to digitally sign files or provide official cryptographic hashes for them.

Tada! :wink:
[Attached image: DOSBox checksums on SourceForge.JPG]
Yesterplay80
Member
 
Posts: 361
Joined: 2016-2-23 @ 11:02
Location: Germany

Re: DOSBox digital signatures or official file hashes

Post by malicious » 2018-10-30 @ 00:46

Thanks, I wasn't aware SourceForge has that feature. Given their past shenanigans, however, those hashes would be more reassuring on dosbox.com.
malicious
Newbie
 
Posts: 4
Joined: 2018-9-18 @ 17:17

Re: DOSBox digital signatures or official file hashes

Post by Kerr Avon » 2018-11-04 @ 15:02

Would it be possible to make the (legitimate) file, when run, check itself to make sure it's not been modified in any way, and if it has been altered then it could stop installation and say

"Warning: This file has been modified, possibly maliciously, and so installation has been aborted.

Instead, download the legitimate version from https://www.dosbox.com/"

Granted, if whoever modified the file were skilled enough, then he could alter the checksum or bypass the check altogether, so it might necessitate some sort of encryption of the checksum routines, though since we're talking about a freeware program and not a commercial game then at least it wouldn't be a target for either the "Look how clever I am" hackers, or the talented (but misguided) hackers who hack commercial games' protection systems.
Kerr Avon
Member
 
Posts: 466
Joined: 2007-6-29 @ 14:33

Re: DOSBox digital signatures or official file hashes

Post by collector » 2018-11-04 @ 15:10

That is already part of NSIS, the install system that DOSBox uses. Of course there is nothing to prevent someone from repacking the contents into their own installer. But that would be the same possibility with any install system.
collector
l33t
 
Posts: 4253
Joined: 2003-1-15 @ 10:39
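
Added example, not part of the thread and not DOSBox or NSIS code: it contrasts the installer self-check discussed in the last two posts with verification against a hash published through a separate channel, as proposed in the first post. The toy installer layout (payload plus CRC32 trailer), the file name and the manifest are constructed assumptions.

```python
import hashlib
import hmac
import zlib

HEX = set("0123456789abcdefABCDEF")

def build_installer(payload: bytes) -> bytes:
    # Toy layout (assumption, not NSIS's real format): payload + CRC32 trailer.
    return payload + zlib.crc32(payload).to_bytes(4, "big")

def self_check(installer: bytes) -> bool:
    # Embedded integrity check: it only proves the file is internally consistent.
    payload, trailer = installer[:-4], installer[-4:]
    return zlib.crc32(payload).to_bytes(4, "big") == trailer

def parse_manifest(text: str) -> dict:
    # Parse sha256sum-style lines: "<64 hex chars>  <file name>".
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        digest, _, name = line.strip().partition(" ")
        name = name.strip().lstrip("*")
        if len(digest) != 64 or not set(digest) <= HEX or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        entries[name] = digest.lower()
    return entries

def verify_download(name: str, data: bytes, manifest: dict) -> str:
    # Compare against the hash published out of band, never one shipped by the mirror.
    expected = manifest.get(name)
    if expected is None:
        return "unlisted"
    actual = hashlib.sha256(data).hexdigest()
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"

# Constructed sample data: an "official" build and a repack of altered contents.
NAME = "dosbox-installer-example.exe"
OFFICIAL = build_installer(b"constructed official payload")
REPACKED = build_installer(b"constructed official payload + bundled extra")
# Stands in for a checksum list fetched from the project's own site.
MANIFEST = parse_manifest(f"{hashlib.sha256(OFFICIAL).hexdigest()}  {NAME}\n")

if __name__ == "__main__":
    for label, blob in (("official", OFFICIAL), ("repacked", REPACKED)):
        print(label, "self-check:", self_check(blob),
              "published hash:", verify_download(NAME, blob, MANIFEST))
```

Both files pass their own embedded check, but only the official one matches the published hash, which is why the hash list has to come from a source the user already trusts rather than from the mirror serving the file.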

