>BTW: How do you verify that the hash sum is the correct one?
>If you just download the file from somewhere in the internet and take that hash sum to verify the same file, it's not of much use, from a security point of view. It just proves that it is the very same file again, but not that it is the original file. Smells a little bit like snake-oil security.
I take the hashes from the HTTPS-secured upstream download repository, and verify them with md5 sha256 after downloading the ext-pack itself over HTTPS.
The hash validated by me is then hard-coded in the postinst file and signed with my personal GPG key, so it is not tamperable anymore.
You can see the hashes for yourself if you want: https://download.virtualbox.org/virtualbox/5.2.10
G.
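
The pinned-hash check described in the reply above, as an added example that is not part of the original post or the package's own postinst. The function name verify_pinned, the DEMO_PIN value and the sample content are constructed for illustration; in a real package the pin would live in the signed maintainer script, so it is covered by the package signature rather than fetched next to the download.

```shell
#!/bin/sh
# Added illustration: pinned-hash check in the style of a maintainer script.
# verify_pinned and DEMO_PIN are hypothetical names, not the package's code.

# Constructed sample pin: the SHA-256 of the five bytes "hello".
DEMO_PIN=2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824

# verify_pinned FILE EXPECTED_SHA256
# Returns 0 only if FILE exists and its SHA-256 equals the pinned value.
#   1 = mismatch (file is removed), 2 = malformed pin, 3 = file unreadable
verify_pinned() {
    file=$1
    expected=$2
    # A pin must be exactly 64 lowercase hex characters; reject anything
    # else so an empty or truncated pin can never be treated as a match.
    case $expected in
        *[!0-9a-f]*|'') echo "invalid pinned hash" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "invalid pinned hash" >&2; return 2; }
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 3; }
    # Hash the bytes actually on disk, after the download has finished.
    actual=$(sha256sum -- "$file" | cut -d' ' -f1) || return 3
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $file" >&2
        rm -f -- "$file"    # do not leave an unverified download behind
        return 1
    fi
    return 0
}
```

The check only proves the download matches what the maintainer validated; whether that value matches upstream's original still rests on how the maintainer obtained it, which is the point raised in the quoted question.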