[messages] [Technical Support & Bugs] Trojan horse detected in Vassal 3.2.2
uckelman at nomic.net
Thu Jan 31 16:03:24 MST 2013
Thus spake lebigot:
> Yeah, I would think so too.
> I was more concerned about a possible man-in-the-middle attack whereby
> the downloaded Vassal might differ from the original one (basically
> through a fake SourceForge download page: I was not able to verify the
> identity of the SourceForge site from which I downloaded Vassal). Is
> there any way I can make sure that the downloaded file is correct
> (checksum, web site with certificate)?
SourceForge displays the SHA1 and MD5 checksums of our files (click the
little circled 'i' icon to see them for any given file).
These are the SHA1s for the 3.2.2 files I uploaded to SF:
[uckelman at scylla releases]$ sha1sum VASSAL-3.2.2-*
They agree with the SHA1s SF displays.
The files you get when you download from SF ought to have SHA1s matching
these. If not, PLEASE let us know immediately.
In reply to the original post: I'm quite sure your antivirus program is
being overzealous, so long as the file you downloaded has the same SHA1
as the file I uploaded.