[openssl-users] Checksum for openssl-1.0.2p download

Chris Outwin coutwin at newstuff.com
Wed Sep 12 20:56:49 UTC 2018


Thank you very much for your helpful reply.  

I’m a graphics programmer with no experience in PGP.  The shell script I have calls:   OPENSSL_ARCHIVE_URL="https://www.openssl.org/source/old/${BRANCH}/${OPENSSL_ARCHIVE_FILE_NAME}" in the process of downloading OpenSSL for use in building an iOS static implementation.  Does https have a reasonable level of security?  I believe I can include a block of code in the script to do a checksum.

> On Sep 12, 2018, at 1:42 PM, Michael Wojcik <Michael.Wojcik at microfocus.com> wrote:
> 
>> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf
>> Of Matt Caswell
>> Sent: Wednesday, September 12, 2018 14:29
>> 
>> On 12/09/18 19:24, Chris Outwin wrote:
>>> I’m an OpenSSL newbie and this is my first post. I’m using OpenSSL for
>> receipt validation in an iOS application.
>>> 
>>> Is there a list of checksums to verify openssl download versions?
>> 
>> Next to each download on the website there are links for SHA256/PGP/SHA1
>> checksums.
>> 
>> https://www.openssl.org/source/
> 
> I'd strongly recommend verifying the PGP (OpenPGP, gpg) signature on the tarball. The signature files are right there alongside the tarballs.
> 
> If you're new to gpg (or whatever OpenPGP implementation of your choice), there's a bit of learning and setup to do: you'll need to fetch the appropriate key from a public keyserver or other trustworthy (-ish) source to fully verify the signature, and you'll probably want to mark the key as trusted so the output from gpg is clear.
> 
> But once you've done that, it's very easy to verify the signature, and to automate the process if you prefer. And the signatures add a bit of defense-in-depth because publishing a tampered-with tarball would require subverting the private key as well as the OpenSSL web server.  (If you're just checking the SHA256 hash, an attacker could either get access to the OpenSSL web server, or force you to a counterfeit server, for example via DNS cache poisoning. And due to the systemic brokenness of the web PKI, it's pretty easy to fool a lot of people with a counterfeit server.)
> 
> So do the work now to set yourself up for verifying the signature, and inculcate a good habit.
> 
> --
> Michael Wojcik
> Distinguished Engineer, Micro Focus
> 

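The two checks discussed in this thread, as an added example that is not part of the original messages or of the OpenSSL project: a SHA-256 comparison against a digest pinned in the build script (not fetched at build time from the same server as the tarball), and a gpg signature check that accepts only a pinned signer fingerprint. The function names are hypothetical, the digest and fingerprint must be obtained out of band, and the signer's public key is assumed to be in the local keyring already.

```shell
#!/bin/sh
# Added example, not from the thread. Digest and fingerprint values are
# supplied by the caller; none are taken from the OpenSSL site here.

# Print the lowercase SHA-256 hex digest of FILE with whichever tool exists.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then    # macOS build hosts
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 on match, 1 on mismatch, 2 on a missing file or malformed digest.
verify_sha256() {
    [ -f "$1" ] || { echo "missing file: $1" >&2; return 2; }
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "${#expected}" -eq 64 ] || { echo "expected digest must be 64 hex chars" >&2; return 2; }
    actual=$(sha256_of "$1") || return 2
    [ "$actual" = "$expected" ] && return 0
    echo "SHA-256 mismatch for $1: got $actual" >&2
    return 1
}

# signer_is_pinned STATUS_TEXT FINGERPRINT
# Succeeds only if gpg's machine-readable status output contains a VALIDSIG
# line naming FINGERPRINT (signing key or primary key field).
signer_is_pinned() {
    printf '%s\n' "$1" | awk -v fpr="$2" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            # Append "" to force string (not numeric) comparison.
            for (i = 3; i <= NF; i++) if (($i "") == (fpr "")) ok = 1
        }
        END { exit (ok ? 0 : 1) }'
}

# verify_pgp FILE SIGNATURE FINGERPRINT
# gpg exits 0 for a good signature from ANY key in the keyring, so the
# fingerprint pin is what ties the result to the expected release signer.
verify_pgp() {
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    signer_is_pinned "$status" "$3"
}
```

In a download script, both `verify_sha256` and `verify_pgp` would run on the fetched archive before it is unpacked, with the build aborting on any non-zero return.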