DOSBox digital signatures or official file hashes \ VOGONS

DOSBox digital signatures or official file hashes

Topic actions

Post a reply

First post, by malicious

Posted on 2018-10-28, 20:10

malicious Offline

Rank Newbie

Rank: Newbie
Posts: 4
Joined: 2018-09-18, 17:17

The thread on an alternative download site for DOSBox brought up an interesting question, that is how to trust an unofficial mirror with no established reputation. The suggestion to ask the developers for their blessing before putting up such a mirror is well and good as a matter of courtesy but that alone doesn't solve the problem. Even if the developers have the time and interest to audit a fan site once for initial approval, they would also need to repeat the process on an ongoing basis to ensure that the site remains a trustworthy source for the project's files. My guess is the DOSBox developers don't want that extra work.

Another possible solution is to digitally sign files or provide official cryptographic hashes for them. That would allow users to verify the integrity of the files regardless of where they're downloaded from, be it a fan site or SourceForge should they experiment with injecting adware into project files again.

Reply 1 of 4, by Yesterplay80

Posted on 2018-10-29, 08:37

Yesterplay80 Offline

Rank Oldbie

Rank: Oldbie
Posts: 540
Joined: 2016-02-23, 11:02
Location: Germany

malicious wrote:
Another possible solution is to digitally sign files or provide official cryptographic hashes for them.

Tada! 😉

My full-featured DOSBox SVN builds for Windows & Linux: Vanilla DOSBox and DOSBox ECE (Google Drive Mirror)

Reply 2 of 4, by malicious

Posted on 2018-10-30, 00:46

malicious Offline

Rank Newbie

Rank: Newbie
Posts: 4
Joined: 2018-09-18, 17:17

Thanks, I wasn't aware SourceForge has that feature. Given their past shenanigans, however, those hashes would be more reassuring on dosbox.com.

Reply 3 of 4, by Kerr Avon

Posted on 2018-11-04, 15:02

Kerr Avon Offline

Rank Oldbie

Rank: Oldbie
Posts: 786
Joined: 2007-06-29, 14:33

Would it be possible to make the (legitimate) file, when run, check itself to make sure it's not been modified in any way, and if it has been altered then it could stop installation and say

"Warning: This file has been modified, possibly maliciously, and so installation has been aborted.

Instead, download the legitimate version from https://www.dosbox.com/"

Granted, if whoever modified the file were skilled enough, then he could alter the checksum or bypass the check altogether, so it might necessitate some sort of encryption of the checksum routines, though since we're talking about a freeware program and not a commercial game then at least it wouldn't be a target for either the "Look how clever I am" hackers, or the talented (but misguided) hackers who hack commercially games' protection systems.

Reply 4 of 4, by collector

Posted on 2018-11-04, 15:10

collector Offline

Rank l33t

Rank: l33t
Posts: 4490
Joined: 2003-01-15, 10:39

That is already part of NSIS, the install system that DOSBox uses. Of course there is nothing to prevent someone from repacking the contents into their own installer. But that would be the same possibility with any install system.

The Sierra Help Pages -- New Sierra Game Installers -- Sierra Game Patches -- New Non-Sierra Game Installers

Go to top of page Go to top of page

Back to DOSBox General

Main menu

Common searches