martin

Re: checksums WinSCP-5.19.2-Setup.exe do not match download

Johnx wrote:

Please supply GnuPG signatures for executables. Even though the downloaded executable is signed, a man-in-the-middle attack could replace it. The ability to verify using a long-lasting GnuPG key solves that problem.

Thanks for your suggestion. WinSCP binaries are signed by a long-lasting code-signing certificate.
https://winscp.net/eng/docs/installation#verifying
Johnx

Thanks for checking @Jacob1! Yes, you're right, they match. Perhaps the hash tool I used didn't use the designated file.

Bug invalid, 2 enhancement requests left. :)
Jacob1

My hashes are as listed

I downloaded the setup package via 2 different SourceForge mirrors just now - both downloads produced the same hash as listed on the DL page.

Thumbs up for the 2 enhancement requests.
Johnx

checksums WinSCP-5.19.2-Setup.exe do not match download

1 bug; 2 enhancement requests

Bug
The download page lists:
MD5: bc283773ee1947bd5b27a0e0a3de8525
SHA-1: 180b7d545db9d27334eafb77c99d308dda898a67
SHA-256: 402ef66d76d00bc08fbc1d92d2cfeb923e3b36452dd7958abfc6d7cd207395c5

The downloaded file has:
MD5: bacd0340266894cfcbc1b5dfe2a75a3e
SHA1: 4af648aa8de84d7405a83328dd19ea93019489c8
SHA256: 4a2ed177b820db55723433cc2770d554e20d7ecaae11bbf24cde496519874894


Enhancement req. 1:
Please supply GnuPG signatures for executables. Even though the downloaded executable is signed, a man-in-the-middle attack could replace it. The ability to verify using a long-lasting GnuPG key solves that problem.

Enhancement req. 2:
Also, you'd do well by removing reCaptcha to register or post. reCaptcha is Google, it's flawed and it only serves Google (get millions of people to work for free for Google by solving one puzzle for their AI project after another, to no end) and it's definitely not private and thus not secure. Please use a local server hosted verification method.
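
The comparison at issue in this thread, as an added example (not part of the original posts and not WinSCP's own code): it parses a listing in the `MD5:` / `SHA-1:` / `SHA-256:` form quoted in the bug report, hashes the file in one pass, and reports the resolved path and size of the file that was actually hashed, which is the detail that exposes a hash tool pointed at the wrong file. The function names and the `sample-Setup.exe` temp file are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import re
import tempfile

# Labels as written in the thread: "MD5", "SHA-1"/"SHA1", "SHA-256"/"SHA256".
LINE = re.compile(r"^\s*(MD5|SHA-?1|SHA-?256)\s*:\s*([0-9A-Fa-f]+)\s*$", re.I)

def parse_listing(text):
    """Parse 'LABEL: hex' lines into {hashlib_name: lowercase_hex}."""
    out = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        name = m.group(1).lower().replace("-", "")  # e.g. "SHA-256" -> "sha256"
        digest = m.group(2).lower()
        if len(digest) != hashlib.new(name).digest_size * 2:
            raise ValueError(f"{m.group(1)}: unexpected digest length")
        out[name] = digest
    return out

def digest_file(path, names, chunk=1 << 20):
    """Read the file once, feeding every requested hash."""
    hashers = {n: hashlib.new(n) for n in names}
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            for h in hashers.values():
                h.update(block)
    return {n: h.hexdigest() for n, h in hashers.items()}

def verify(path, listing_text):
    """Report the file hashed and per-algorithm matches; an empty listing fails."""
    expected = parse_listing(listing_text)
    real = os.path.realpath(path)
    actual = digest_file(real, expected)
    results = {n: hmac.compare_digest(actual[n], expected[n]) for n in expected}
    return {"file": real, "size": os.path.getsize(real), "results": results,
            "ok": bool(results) and all(results.values())}

def demo():
    """Constructed sample: a temp file with a made-up name stands in for the installer."""
    data = b"constructed installer bytes"
    listing = f"SHA-256: {hashlib.sha256(data).hexdigest()}\nSHA-1: {'0' * 40}"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample-Setup.exe")
        with open(path, "wb") as fh:
            fh.write(data)
        return verify(path, listing)
```

A matching digest shows only that the file equals what the download page lists; the code-signing check described at the link in martin's reply is a separate step.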