by uckelman » January 31st, 2013, 11:03 pm
Thus spake lebigot:
> Yeah, I would think so too.
>
> I was more concerned about a possible man-in-the-middle attack whereby
> the downloaded Vassal might differ from the original one (basically
> through a fake SourceForge download page: I was not able to verify the
> identity of the SourceForge site from which I downloaded Vassal). Is
> there any way I can make sure that the downloaded file is correct
> (checksum, web site with certificate)?
Sourceforge displays the SHA1 and MD5 checksums of our files (click the
little circled 'i' icon to see them for any given file).
These are the SHA1s for the 3.2.2 files I uploaded to SF:
[uckelman@scylla releases]$ sha1sum VASSAL-3.2.2-*
a64a85b9e6ae185cd6345390d507f9065e05ddcd VASSAL-3.2.2-linux.tar.bz2
e01181793b7152d9b57d7657723ec18d2633dab4 VASSAL-3.2.2-macosx.dmg
e4ee51ada5b764df9079bc06b1d8825c5306c705 VASSAL-3.2.2-other.zip
718b2e0f3eed7013ffccfa7ccde548efe277c000 VASSAL-3.2.2-src.zip
c2683f5801cc60c653b3b7b939f98edcb30b21b0 VASSAL-3.2.2-windows.exe
They agree with the SHA1s SF displays.
The files you get when you download from SF ought to have SHA1s matching
these. If not, PLEASE lest us know immediately.
In reply to the original post: I'm quite sure your antivirus program is
being overzealous, so long as the file you downloaded has the same SHA1
as the file I uploaded.
--
J.