
I can't run your app because it is not safe.
@fulldecent You cannot because we didn't pay for being registered by Apple.
Nothing to do with the safety of our software.
And also because you didn't read our Wiki ;)
https://github.com/UniversalMediaServer/UniversalMediaServer/wiki/Mac-OS-X-issue
This does not resolve the issue, please reopen.
You do not provide any assurance that the file I download (from FOSSHUB) is the file which you have published.
SourceForge was a very respected software delivery website and then they started injecting advertisements and malware into files you download from their site. I have never heard of FOSSHUB so I don't trust them to be any better than SourceForge.
Therefore, at a minimum, please include this text:
Checksums
c9f2db9b08b0858b06aacebe2b704969e5aa3b87ca3421b3b2c801dad3f90a25 UMS-6.6.0-Java7.dmg
on this release notes:
https://github.com/UniversalMediaServer/UniversalMediaServer/releases/tag/6.5.1-Java7
Or a slightly better solution is to include the actual binary in the GitHub release at https://github.com/UniversalMediaServer/UniversalMediaServer/releases/tag/6.5.1-Java7
@SubJunk is the only one that can do that.
Adding the MD5 and SHA1 of the files to the website seems a good idea, imho, but it depends on him.
I don't know if I see the point - it's extra work that requires people to manually verify them. I'm pretty sure that extremely few actually verify checksums unless there is some security-sensitive context. It's hard to see how UMS could be relevant in such a context, and ultimately anyone that wants to be sure that the binary is genuine could just build it themselves.
I'd say that as long as they make sure to download from the "official" site, there is really nothing to worry about. Even if things are checksummed or encrypted and signed with all kinds of fancy mechanisms, you put your trust in whoever publishes/signs these. When software is distributed in a multitude of different ways it makes sense because a number of people can manipulate the software along the way, but in our case there is just one "official" download. Trusting the binaries that the "official" site gives is really no different from trusting a certificate or similar issued by the same people.
GitHub is the "official" site. FOSSHUB is a third party you trust and recommend. So I need to trust GitHub (I do), you (I do) and FOSSHUB (I don't). There is a trust problem here which is why I made the issue, I refuse to install the software and I refuse to recommend the software.
If you will distribute binaries on GitHub then I only need to trust GitHub (I do) and you (I do).
Clearly trust is an issue, because this project has that wiki page. I hope that GitHub binary distribution or file hashes will be a welcome improvement to the project's situation.
More background, FYI: https://www.theregister.co.uk/2015/06/03/sourceforge_to_offer_only_optin_adware_after_gimp_grump/
P.S. in the meantime can you please confirm the checksum for the file I have.
@fulldecent We used to use SourceForge and the move to FossHub was motivated exactly by the fact that SourceForge "couldn't be trusted" anymore.
As far as I know FossHub is trustworthy, as was SourceForge before they were sold to different owners.
I can't give you a checksum in any other way than to download the binary and make one. Only the one doing the actual build can generate that if it is to have any point.
That said, what SourceForge did (AFAIK) was using dodgy installers for Windows, not altering the software itself. You being an OS X user downloading a DMG image, that isn't a very relevant scenario (as there is no "installer" involved). But, the binaries used to build the DMG image could obviously hypothetically be compromised - as is always the case with binaries.
The problem with Apple's approach (and Microsoft and probably others) is that they want money to issue a "trusted" certificate. That doesn't go very well together with a free project.
I'd say that the only really safe option is to build UMS yourself. Although building for OS X is a bit of a hassle, you can find documentation for how to do it.
In the end, @SubJunk is building the release binaries, so only he can either sign, generate checksums or add the binaries to GitHub.
I've been frustrated that Apple requires regular instalments of money in order to run apps without a warning. It's a real shame.
I upload the binaries directly to FossHub. I do see that listing the checksum on our site allows users like you to verify that the file hasn't been altered, and that's a good thing. However the build and release process is already quite time-consuming for me. I do the following for every release:
and adding more steps doesn't sound awesome... I'll think about it because I do see the benefit though.
@fulldecent you could increase the chances of this happening by providing commands to generate the checksums via Windows cmd and macOS terminal so I can put that into the build scripts.
@SubJunk Thank you for sharing that list.
I can be very forgetful, and by default I love to keep that "go to list" in my CONTRIBUTING file. For example here is one such project: https://github.com/fulldecent/FDWaveformView/blob/master/CONTRIBUTING.md
@SubJunk Wouldn't using checksum-maven-plugin be much better/easier/more universal than command lines?
https://github.com/nicoulaj/checksum-maven-plugin
https://checksum-maven-plugin.nicoulaj.net/examples/using-custom-checksum-algorithms.html
http://checksum-maven-plugin.nicoulaj.net/plugin-info.html
http://checksum-maven-plugin.nicoulaj.net/file-mojo.html
http://checksum-maven-plugin.nicoulaj.net/usage.html
http://checksum-maven-plugin.nicoulaj.net/examples/generating-checksum-summary-files.html
https://github.com/nicoulaj/checksum-maven-plugin/blob/master/src/it/projects/single-pom/files/filesets-relative/pom.xml
In case the command line is really the preferred choice for you:
FCIV
fciv -md5 -sha1 path\filename.ext
CertUtil is a pre-installed Windows utility that can be used to generate hash checksums:
certUtil -hashfile pathToFileToCheck [HashAlgorithm]
HashAlgorithm choices: MD2 MD4 MD5 SHA1 SHA256 SHA384 SHA512
CertUtil -hashfile C:\TEMP\MyDataFile.img MD5
PowerShell version 4 and up includes the Get-FileHash cmdlet.
powershell get-filehash -algorithm md5
powershell -c "(Get-FileHash -a MD5 '%systemroot%\system32\csrss.exe').Hash"
openssl sha1 <file>
openssl md5 <file>
openssl md5 -sha1 <file>
These are also possible, but less powerful:
md5 /tmp/1.iso
shasum -a 1 /tmp/1.iso
@Sami32 Because Apple is Apple, Maven can't generate a DMG (as far as I know), which means that there are manual steps required after Maven is done building. But, I guess it depends on at which level you generate the hash. My thought was to hash the DMG, but I guess you could hash the JAR? It depends on how the users are going to do the verification.
"Because Apple is Apple, Maven can't generate a DMG (as far as I know) which means that there are manual steps required after Maven is done building."
Which Maven plugin are you using? https://github.com/federkasten/appbundle-maven-plugin says it can generate a DMG....
@esabol I've seen some possibility to generate DMGs with Java 8, but we're currently still supporting Java 7. I don't know about the plugin you link to, it doesn't say what it supports from what I can see. We're using a customized version of Oracle's AppBundler.
From a quick look at the linked plugin, I see a big problem. It requires a link to an installed JRE, that's a no-go as UMS must be possible to build on different computers using different JRE versions and implementations.
In the meantime I've uploaded our latest release to GitHub https://github.com/UniversalMediaServer/UniversalMediaServer/releases/tag/7.0.0-rc1
Ooh, v7! Thanks for this.
I'd like very much to have detached signatures for all uploaded binaries and a sums file too. I'm happy to script this if you let me know what platform you use for uploading.
That would be cool. I use Windows for it
@tcely I can also use macOS for it
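The macOS/Linux half of the checksum commands listed above, and the "sums file" offered for the release uploads, as one portable script. This is an added example, not the project's own build script; the file names it uses are constructed and `SHA256SUMS` is just the name chosen here for the sums file.

```shell
#!/bin/sh
# Build a SHA256SUMS file for release artifacts and verify a download against it.
# Picks whichever digest tool the machine has: sha256sum (Linux), shasum (macOS)
# or openssl (both), so the same script can sit in the release process on either.

sha256_of() {
    # Print only the hex SHA-256 digest of the file given as $1.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        # openssl prints "SHA256(name)= <hex>"; the digest is the last field.
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

make_sums_file() {
    # $1 = sums file to write, remaining args = artifacts (DMG, EXE, TGZ, ...).
    # Lines use the "<hex>  <basename>" layout that sha256sum -c / shasum -c read.
    out="$1"; shift
    : > "$out"
    for f in "$@"; do
        printf '%s  %s\n' "$(sha256_of "$f")" "$(basename "$f")" >> "$out"
    done
}

verify_against_sums() {
    # $1 = sums file, $2 = downloaded file. Returns 0 only when the file's name is
    # listed and its digest matches; an unlisted or altered file returns 1.
    name=$(basename "$2")
    expected=$(awk -v n="$name" '$2 == n {print $1}' "$1")
    [ -n "$expected" ] || return 1
    actual=$(sha256_of "$2")
    [ "$expected" = "$actual" ]
}

# Usage: sh release-sums.sh SHA256SUMS UMS-x.y.z.dmg UMS-x.y.z.exe ...
if [ "$#" -ge 2 ]; then
    make_sums_file "$@"
    cat "$1"
fi
```

Publishing the generated SHA256SUMS next to the binaries (and, if signed, a detached signature over that one file) lets a downloader check any artifact with `shasum -a 256 -c SHA256SUMS` on macOS or `sha256sum -c SHA256SUMS` on Linux.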