[Interest] sha256 checksums for Qt downloads

Jérôme Pinguet jerome at jerome.cc
Thu Feb 19 16:25:19 CET 2015


On 19/02/2015 16:05, Bo Thorsen wrote:
> On 02/19/2015 02:36 PM, Jérôme Pinguet wrote:
>> Hello!
>>
>> Would it be possible to add sha256 (and/or sha512) checksums to the Qt
>> 4.8.6 download page [1]?
>>
>> md5 checksums are easily forged in a few days with a couple of GPUs. In
>> a post-Snowden era, to avoid security issues with downloads on a page
>> that is not https by default, using sha2 (sha256 for instance) is necessary.
>>
>> Other security enhancements suggested:
>>
>> * make https default for download pages
>> * sign checksums files (md5sums-4.8.6 and the future sha256sums-4.8.6)
>> file with a well known Qt developer's GPG key
>>
>> Thank you for helping all of us improve security and fight malware
>> through the use of up-to-date and secure hashing algorithms! :-)
>>
>> [1] http://download.qt.io/archive/qt/4.8/4.8.6/
> There's a very clear rule in 4.8: No new features are allowed. It's 
> pretty much only security fixes that will find their way into this. Perhaps 
> some bug fixes as well.
>
> So no, you won't get this for a 4.8 based application.
>
> Your options are to upgrade Qt to 5.x (which you probably chose not to 
> for some reason) or to implement it yourself.
>
> If you need this for a 4.8 based application, you can just create your 
> own Qt patch and build Qt yourself with it. It shouldn't be difficult to 
> port the code from the 5.x sources to 4.8.
>
> Bo Thorsen,
> Director, Viking Software.
>
Hello Bo!

Thanks for your answer. You didn't understand my request. There is
absolutely no change in the Qt 4.8.6 source code needed. :-)

It's about the integrity of files (binaries and source code bundled in
archive files) on the Qt website.

Here is the problem: someone could modify the files (introduce a
backdoor in Qt binaries for instance) and those modified files would
still verify well with md5. Then it's not that difficult (particularly
with http) to do a man in the middle attack and someone trying to
download Qt binaries would in fact download a third party binary with
malware, trojans or backdoors included.
Up to this day, as far as the cryptographic community is aware, doing
the same with sha2 checksums is impossible.

Someone with access to the qt.io website can modify the checksum file to
add sha2 checksums.

A developer can do this and sign the new checksum file.

Bye

jerome

PS All aforementioned is unfortunately also true for all Qt5 files. No
https by default for downloads, no sha2 checksums, no OpenPGP
signatures... afaik it's a huge and easily exploitable security lapse. :-(


