Question / Help Hash Sha MD5 requirement for IS department before installing

jsheldon

New Member
Our IS team, before they will install, has requested the MD5/SHA checksum hash to prove the software hasn't been tampered with or adjusted in any way.
Please can you point me in the right direction?

koala

Active Member
I don't see any publication of md5/sha1 checksums. Instead, the installation package of OBS is digitally signed by Hugh Bailey (the author) to prove it hasn't been tampered with.

Example: (screenshot attachment)

jsheldon

New Member
Thank you. I had read this info in a thread from 2016, but our IS team are insistent they have the MD5/Sha checksums.

R1CH

Forum Admin
Developer
Verifying the digital signature is by far the best way to verify authenticity of the software. If the download has been compromised, that means someone would need access to our web server, at which point they could also update the published checksums to match the compromised file. Only Jim, using an offline hardware token, can sign the installer .exe. Downloads over HTTPS are cryptographically guaranteed not to be corrupted in transit, so the checksums are also unnecessary for detecting corruption from network effects.

koala

Active Member
I have some experience with boneheaded IT departments who insist on obsolete and proven insecure processes. Sometimes you just have to abandon common sense and best practice. Instead, just do everything to provide what they require, regardless of whether it makes sense or not. They have their process, and you have to follow it. It was best practice 20 years ago, so they will do this until eternity. So if you cannot get an md5 sum, but they insist and you cannot make them accept a digital signature, make the md5 sum yourself! Since md5 sums are not secure any more, you are not making that process more insecure than it already is.

Better, of course, would be if you are able to make them recognize and check digital signatures, because this is best practice today.
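The workflow R1CH and koala describe, as an added example that is not part of the thread and not OBS project code: verify the installer's Authenticode signature first, and only then compute the MD5/SHA checksums the IS team asks for, so the checksums describe a file whose signer has already been checked rather than a value copied from the same web server as the download. The file name and the expected signer string are assumptions; adjust them to the installer you actually downloaded.

```powershell
# Added example, not from the thread or the OBS project.
# Step 1: the signature is the real trust anchor (signed with an offline token, per R1CH).
# Step 2: the hashes are produced locally from the verified file, for the IS paperwork.
param(
    [string]$Installer      = ".\OBS-Studio-Installer.exe",  # assumed file name
    [string]$ExpectedSigner = "Hugh Bailey"                  # signer named in the thread
)

# --- Step 1: Authenticode signature check -------------------------------
$sig = Get-AuthenticodeSignature -FilePath $Installer

# 'Valid' means the signature verifies AND the certificate chains to a trusted root.
# Anything else (NotSigned, HashMismatch, UnknownError, ...) is a stop condition.
if ($sig.Status -ne 'Valid') {
    throw "Signature check failed for ${Installer}: $($sig.Status) - $($sig.StatusMessage)"
}

# A valid signature from the wrong signer is still the wrong file, so check the subject too.
$subject = $sig.SignerCertificate.Subject
if ($subject -notlike "*$ExpectedSigner*") {
    throw "Unexpected signer on ${Installer}: $subject"
}

Write-Host "Signature valid."
Write-Host "  Signer     : $subject"
Write-Host "  Thumbprint : $($sig.SignerCertificate.Thumbprint)"
Write-Host "  Not after  : $($sig.SignerCertificate.NotAfter)"

# --- Step 2: checksums of the verified file -----------------------------
# Get-FileHash supports MD5, SHA1 and SHA256 (among others); MD5/SHA1 are
# included only because that is what the IS process asks for.
$report = foreach ($algo in 'MD5', 'SHA1', 'SHA256') {
    $h = Get-FileHash -Path $Installer -Algorithm $algo
    [pscustomobject]@{
        File      = (Split-Path -Leaf $Installer)
        Algorithm = $algo
        Hash      = $h.Hash
    }
}

$report | Format-Table -AutoSize

# Emit a sums-style text file the IS team can file alongside the installer.
$report | ForEach-Object { "$($_.Algorithm)  $($_.Hash)  $($_.File)" } |
    Set-Content -Path "$Installer.checksums.txt"
```

Run it from the folder containing the downloaded installer; if the signature is missing or invalid the script stops before any hash is written, which is the order that matters: a checksum computed from an unverified file proves nothing about who produced it.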