[messages] [Technical Support & Bugs] Trojan horse detected in Vassal 3.2.2

Joel Uckelman uckelman at nomic.net
Thu Jan 31 16:03:24 MST 2013

Thus spake lebigot:
> Yeah, I would think so too.
> I was more concerned about a possible man-in-the-middle attack whereby
> the downloaded Vassal might differ from the original one (basically
> through a fake SourceForge download page: I was not able to verify the
> identity of the SourceForge site from which I downloaded Vassal). Is
> there any way I can make sure that the downloaded file is correct
> (checksum, web site with certificate)?

Sourceforge displays the SHA1 and MD5 checksums of our files (click the
little circled 'i' icon to see them for any given file).

These are the SHA1s for the 3.2.2 files I uploaded to SF:

[uckelman at scylla releases]$ sha1sum VASSAL-3.2.2-*
a64a85b9e6ae185cd6345390d507f9065e05ddcd  VASSAL-3.2.2-linux.tar.bz2
e01181793b7152d9b57d7657723ec18d2633dab4  VASSAL-3.2.2-macosx.dmg
e4ee51ada5b764df9079bc06b1d8825c5306c705  VASSAL-3.2.2-other.zip
718b2e0f3eed7013ffccfa7ccde548efe277c000  VASSAL-3.2.2-src.zip
c2683f5801cc60c653b3b7b939f98edcb30b21b0  VASSAL-3.2.2-windows.exe

They agree with the SHA1s SF displays.

The files you get when you download from SF ought to have SHA1s matching
these. If not, PLEASE lest us know immediately.

In reply to the original post: I'm quite sure your antivirus program is
being overzealous, so long as the file you downloaded has the same SHA1
as the file I uploaded.

More information about the messages mailing list