Where can I find Sailfish OS hash sums?
How should I verify correctness of downloaded images?
I decided to post hashes here. Please let us know in this thread if your hash is different.
Sailfish_OS-Jolla-4.3.0.15-h4113-0.0.9.9.zip c42b4f3b6459688f8f0b5c62b1da0f3381f1f751085ef5221d361e8b3d5b721d
Sailfish_OS-Jolla-4.3.0.15-h4413-0.0.9.10.zip ddfa8aa73a6c72eb20218f0555b1842d32ba265ee6427591ccb004bdd5acb706
There is an md5.lst contained within the zip which can be used for verification of the archive contents.
Thanks for pointing out @emva but that is incorrect from security perspective.
As checksum should be provided by server that is different from the one providing image. In order to prevent hacking of single server and modifying the image.
Also checksum should be public to prevent âorganizationâ from providing modified image to specific users.
So md5 inside zip file is useless.
Although I agree that the checksums should be available from the server providing the images, there is nothing keeping a server admin from dynamically generating new packages and checksums for specific requests. An audit âmightâ find it, but if users arenât VERY vigilant (for instance check the same sources from multiple IP addresses), itâs possible to slip users a mickey.