Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[SECURITY] Drop MD5 signatures from release artifacts; sign _all_ artifacts #5312

Open
ChristopherSchultz opened this issue Jul 26, 2022 · 0 comments
Open

[SECURITY] Drop MD5 signatures from release artifacts; sign _all_ artifacts #5312

ChristopherSchultz opened this issue Jul 26, 2022 · 0 comments
Labels
Security

Comments

@ChristopherSchultz
Copy link
Contributor

Mirth Connect releases hosted at e.g. https://mirthdownloadarchive.s3.amazonaws.com/index.html?prefix=connect/4.0.1.b293/ provide sha256 and md5 hashes. I recommend removing all the old MD5 hashes, re-computing any hashes missing from old releases and publishing them.

Also, only the CLI packages have signatures and not the server packages.

Finally, the signatures aren't linked from the downloads page; you have to go through the "Archived downloads..." link and then pick a release. Adding a link to the signatures directly to the download page will encourage people to actually use them.

Why remove the MD5 hashes? They can't be relied upon to provide adequate tamper-resistance. Their use should be actively discouraged, which is why I'm requesting that the old hashes be actively removed and replaced with modern hashes. There is no technical barrier to computing new hashes on the old artifacts.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Security
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@ChristopherSchultz