Ticket #184 (new defect)

Opened 3 years ago

Last modified 16 months ago

Security issue in installing Haskell platform in MS Windows - Installer not digitally signed

Reported by: gsngh
Owned by: refold
Priority: major
Milestone: Blue Sky
Component: Windows installer
Keywords: security vulnerability installer digital signature
Cc: anogin@…

Description

The Haskell Platform installer for Microsoft Windows should be digitally signed using a certificate from a reputed certificate organization (Verisign, Entrust, etc.). Mozilla Firefox is signed this way. Any software distributed through the internet is signed this way to avoid modification by replacement by an intermediary.

If it is not possible to sign the platform installer, then publish the MD5 checksum along with the link to download the platform installer. (However, Windows users are slightly less used to this approach.)

Change History

follow-up: ↓ 3   Changed 3 years ago by refold

  • milestone set to Blue Sky

I'm not sure about the digital signature, but it should be possible to provide an MD5 checksum.

  Changed 3 years ago by gsngh

Dear refold,

Thanks for offering the help. As a favour, can you please let me know the MD5 checksum of HaskellPlatform-2011.2.0.1-setup.exe? Please add this information to this ticket.

Please also publish the checksum on the website where you place the installer link. You might already know, however, that publishing the checksum on a webpage is not a guaranteed solution unless the publishing web page is itself digitally signed. This means that it is to be read using the https, not http, protocol, which allows the reader to be sure that what is being read from the Internet is indeed what was published and not modified in between.

Regards.

in reply to: ↑ 1   Changed 3 years ago by gsngh

Replying to refold:

I'm not sure about the digital signature, but it should be possible to provide an MD5 checksum.

I would be grateful if you could please reply to this post on the ticket with the MD5 checksum of the file "HaskellPlatform-2011.2.0.1-setup.exe".

Thanks and Regards.

  Changed 3 years ago by refold

Sorry for the delay. Here it is:

0a35b4245ecb4ba4c5af8183e53b8beb HaskellPlatform-2011.2.0.1-setup.exe
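
Added example (not part of the ticket and not Haskell Platform project code): one way to check a downloaded installer against an md5sum-style line like the one posted above, rejecting a checksum that was read over plain http, the concern the reporter raises. The function names, the `checksum_url` parameter and the sample file in `demo()` are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
import re
import tempfile
from urllib.parse import urlparse

# md5sum-style line: 32 hex digits, whitespace, optional '*' (binary flag), file name
CHECKSUM_LINE = re.compile(r"^([0-9a-fA-F]{32})\s+\*?(.+)$")

def parse_checksum_line(line):
    """Return (digest, filename) from a line in the format posted in the ticket."""
    m = CHECKSUM_LINE.match(line.strip())
    if not m:
        raise ValueError("not an md5sum-style line: %r" % line)
    return m.group(1).lower(), m.group(2).strip()

def file_md5(path, chunk_size=1 << 20):
    """Hash the file in chunks so a large installer is never fully in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_installer(path, checksum_line, checksum_url):
    """Return (ok, reason). checksum_url is where checksum_line was read from."""
    if urlparse(checksum_url).scheme.lower() != "https":
        return False, "checksum was not fetched over https"
    expected, name = parse_checksum_line(checksum_line)
    if os.path.basename(path) != name:
        return False, "checksum is for a different file: " + name
    if not hmac.compare_digest(file_md5(path), expected):
        return False, "MD5 mismatch"
    return True, "MD5 matches published value"

def demo():
    """Constructed sample: a stand-in file, not the real installer or its checksum."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample-setup.exe")
        with open(path, "wb") as f:
            f.write(b"constructed installer bytes")
        line = hashlib.md5(b"constructed installer bytes").hexdigest() + "  sample-setup.exe"
        good = verify_installer(path, line, "https://example.org/download")
        plain = verify_installer(path, line, "http://example.org/download")
        with open(path, "ab") as f:
            f.write(b"tampered")  # simulate modification by an intermediary
        bad = verify_installer(path, line, "https://example.org/download")
        return good, plain, bad
```

Calling `demo()` returns the results for the matching file, the same file with an http-sourced checksum, and the modified file, in that order.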

  Changed 23 months ago by refold

Note to self: provide an MD5 sig when releasing an installer.

  Changed 16 months ago by anogin

  • cc anogin@… added