Checksums for downloads from the GitHub repo?

Similar to downloads from the duplicacy website, are there checksums available for downloads from the GitHub repo to verify integrity?

btw: I do own a license for the GUI version of duplicacy, but I’m downloading the commandline version from GitHub so I can back up data on a faceless ProxMox virtualisation host.
Am I wrong to think that integrity checksums should be supplied by GitHub repos? Or are checksums pointless? If so, why are they supplied for the non-commandline versions of duplicacy at the paid site?

I’m trying to follow best practice by not blindly installing software without some type of verification of authenticity. I’m accustomed to seeing checksums published in GitHub repos along with their corresponding binaries.

HTTPS already guarantees transport integrity and server identity. Then you have decompressor checks as an extra sanity test.

Publishing SHA hashes on the same server does not provide any additional benefit, unless you also want authentication, for which you still need a side channel to deliver public keys. It also definitely does not protect against malice (a malicious file with a matching signature, if the GitHub account is compromised).

So yes, messing with checksums is mostly ceremonial in this context.

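For readers who do want to check a downloaded archive against a published SHA256SUMS-style list, the following is an added example (not code from the thread or from the Duplicacy project) of what that verification looks like, and of what it does and does not tell you. It parses the `sha256sum` output format, hashes the artefact, and compares digests in constant time; the file name `duplicacy_example.tar.gz`, the archive bytes and the checksum list are all constructed for the example. As the answer above notes, a match only rules out corruption or truncation relative to the list: if the list is served from the same origin as the file, a replaced pair still verifies, and only a signature whose key arrived over a separate channel changes that.

```python
import hashlib
import hmac
import re

# Line format written by `sha256sum`: 64 hex chars, then two spaces (text mode)
# or " *" (binary mode), then the file name.
_LINE_RE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(.+)$")


def parse_checksum_file(text):
    """Parse a SHA256SUMS-style file into {filename: lowercase hex digest}.

    Blank lines and '#' comments are skipped. A malformed line raises
    ValueError instead of being ignored, so a truncated or mangled checksum
    file cannot silently pass as an empty one.
    """
    digests = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a sha256sum entry: {raw!r}")
        digests[m.group(2)] = m.group(1).lower()
    return digests


def sha256_hex(data):
    """Hex SHA-256 of the artefact bytes."""
    return hashlib.sha256(data).hexdigest()


def verify_download(checksum_text, filename, data):
    """Return 'ok', 'mismatch' or 'not_listed' for one downloaded artefact.

    A result of 'ok' means the bytes match the published list. It says nothing
    about who published the list: if file and list came from the same place,
    both could have been replaced together, which is the answer's point.
    """
    listed = parse_checksum_file(checksum_text)
    expected = listed.get(filename)
    if expected is None:
        return "not_listed"
    actual = sha256_hex(data)
    # compare_digest avoids leaking where the digests diverge via timing.
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"


# Constructed sample: a pretend release archive and its checksum list.
# The digests are SHA-256 of b"hello\n" and of the empty byte string.
SAMPLE_ARCHIVE = b"hello\n"
SAMPLE_SUMS = (
    "# constructed SHA256SUMS for this example, not a real release\n"
    "5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03  duplicacy_example.tar.gz\n"
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 *empty.bin\n"
)

if __name__ == "__main__":
    print(verify_download(SAMPLE_SUMS, "duplicacy_example.tar.gz", SAMPLE_ARCHIVE))
    print(verify_download(SAMPLE_SUMS, "duplicacy_example.tar.gz", SAMPLE_ARCHIVE[:-1]))
    print(verify_download(SAMPLE_SUMS, "other.tar.gz", SAMPLE_ARCHIVE))
```

Treat `not_listed` as a failure, not a pass: a checksum list that has lost the entry for the file you fetched is exactly the truncation case the strict parser is there to catch.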