Checksum to verify download integrity?

I have searched both the discussion forums and the site (using google) to see if there are checksums (md5sum or sha256sum) to enable me to verify the integrity of the tarball prior to installation.

If these do not exist would it be possible to publish them please within the installation instructions for Linux? [1]. If they do exist, then apologies for missing them.

1. https://www.zotero.org/support/installation
  • Checksums are useful if you're downloading software via HTTP or from an untrusted mirror. If you're downloading from a trusted site via HTTPS, there's not really much benefit — if someone could modify the binaries (or, in the case of a PKI failure, serve you a different binary), there's a good chance they could modify the hashes too. While those would be in separate locations with separate access permissions, you basically have to trust us to protect our own infrastructure either way, since anything we could set up to post hashes to the website at build time we can do ourselves to monitor changes without people needing to verify hashes manually. Needless to say, we keep access to the deployment pipeline extremely locked down and monitor all changes.

    And the same goes for updates, which Zotero downloads via HTTPS from zotero.org subdomains.

    (On macOS and Windows the executables are also signed, but Linux doesn't support that, and in any case it doesn't provide much additional security as long as you know you're getting the file from zotero.org.)
  • Hi Distillman. Thanks for the response. You make good points about the relative weakness of hashes for avoiding MiTM security problems. I agree.

    But I am thinking of something a bit different:
    1) Making sure that there is no horrible corruption introduced during the download which might result in a semi-functional binary that does something horrible
    2) Making it easy to see which version I have installed. I have had different versions simultaneously present. At present I simply execute "zotero" and if I knew the hash/fingerprint I could know for sure which one that was.
  • 1) Making sure that there is no horrible corruption introduced during the download which might result in a semi-functional binary that does something horrible
    TLS guarantees message integrity, so this isn't an issue. (And even if it didn't, gzip includes an internal checksum.)
    2) Making it easy to see which version I have installed.
    A checksum of the tarball wouldn't help with this, and the tarball already has the version in the filename.
  • ps. I realize I can "zotero -version" when starting it up. But if it is already running then short of stopping it, which I could do, then there is no indication unless I explicitly name the binaries or the directory structure I install them in. I suppose I should make a simple rpm and systemd unit for that.
  • I mean, you can just view the version in Zotero, of course. Anyway, as I say, a checksum wouldn't help with this.
  • Ah... did not think of viewing version in zotero itself or gzip checksum. Consider me reassured.

    You have been very patient and helpful. Thank you.
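The two checks the thread settles on, as an added example that is not code from the thread or from Zotero: gzip's own CRC test catches a corrupted download, and hashing the extracted file (rather than the tarball) lets an installed copy, or a running process via /proc/<pid>/exe, be matched to the release it came from. The tarball layout and member name are constructed for the demo and are assumptions, not Zotero's real layout.

```shell
#!/bin/sh
# Added example, not code from the Zotero forum thread. Assumes GNU coreutils,
# tar and gzip (a Linux install). The tarball and member name below are
# constructed for the demo; Zotero's real tarball layout may differ.
set -eu

# gzip -t decompresses and checks the CRC32/length trailer; exit 0 means intact.
verify_gzip() {
    gzip -t "$1" 2>/dev/null
}

# sha256 of one member of a .tar.gz, extracted into a scratch directory.
member_sha256() {
    tmp=$(mktemp -d)
    tar -xzf "$1" -C "$tmp" "$2"
    sum=$(sha256sum "$tmp/$2" | cut -d' ' -f1)
    rm -rf "$tmp"
    printf '%s\n' "$sum"
}

# A tarball hash cannot say which extracted copy is running; hashing the file
# itself can. $1 may be /proc/<pid>/exe of a running process (sha256sum follows
# the symlink). $2 is the tarball, $3 the member path inside it.
installed_matches() {
    a=$(sha256sum "$1" | cut -d' ' -f1)
    b=$(member_sha256 "$2" "$3")
    if [ "$a" = "$b" ]; then echo match; else echo mismatch; fi
}

# --- constructed demo data (stand-in for a downloaded Linux tarball) ---
demo=$(mktemp -d)
mkdir -p "$demo/Zotero_linux-x86_64"
printf 'constructed stand-in for the zotero launcher\n' > "$demo/Zotero_linux-x86_64/zotero"
( cd "$demo" && tar -czf good.tar.gz Zotero_linux-x86_64 )
# Simulate download corruption: overwrite four bytes inside the deflate stream.
cp "$demo/good.tar.gz" "$demo/corrupt.tar.gz"
printf 'XXXX' | dd of="$demo/corrupt.tar.gz" bs=1 seek=20 conv=notrunc 2>/dev/null

verify_gzip "$demo/good.tar.gz" && echo "good.tar.gz: intact"
verify_gzip "$demo/corrupt.tar.gz" || echo "corrupt.tar.gz: gzip stream/CRC check failed"
installed_matches "$demo/Zotero_linux-x86_64/zotero" "$demo/good.tar.gz" Zotero_linux-x86_64/zotero
```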