Old 02-28-2016, 10:40 AM   #6
eschwartz
Ex-Helpdesk Junkie
Quote:
Originally Posted by Andrew S.
@BetterRed Thanks for that link. I had done some searches, but none surfaced that thread. I tried permutations including keywords which appeared in the body of that thread... oh well.

So the issue is SHA256 and some platforms' lack of support, e.g. Vista. Fair enough.

What mechanisms are used to assure the validity of the distributed software on other platforms?

Officially published hashes or detached signatures (e.g. gnupg) would provide a multiplatform means of validating untampered distributions.
The downloads are served over HTTPS directly from the calibre website.

Windows validation works fine on post-Vista OSes, as said above.
Apple has their standard code-signing thing.
And on linux, the hashes for the binary tarball are downloaded (also over HTTPS, since forever via an embedded private cacert) with the tarball and checked before the installation.

Alternatively, you can always build from source on linux (or rely on your distro's out-of-date version).
The git tags are signed by @Kovid's GPG key.
(Hmm, I wouldn't mind if the release tarballs were also signed -- always a good thing and even more so before the relatively recent HTTPS downloads courtesy of LetsEncrypt.)
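The Linux check described in the post above (a hash manifest downloaded alongside the tarball and verified before anything is installed) as an added example. This is not calibre's installer code; it assumes a manifest in the `sha256sum` output format (`<hex digest>  <filename>` per line), and the tarball bytes and filename are constructed here so the script runs offline. It also shows the failure mode a practitioner cares about: a file with no manifest entry is rejected rather than silently passed.

```python
"""Verify a downloaded tarball against a sha256sum-style manifest.

Added example, not calibre's own installer code. Assumes the manifest uses
the `sha256sum` output format: '<hex digest>  <filename>' per line, with an
optional '*' binary-mode marker in front of the filename.
"""
import hashlib
import hmac
import os
import tempfile


def parse_manifest(text):
    """Map filename -> expected hex digest from sha256sum-format lines."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError("malformed manifest line: %r" % line)
        digest, name = parts
        # sha256sum marks binary-mode entries with a leading '*' on the name
        expected[name.lstrip("*")] = digest.lower()
    return expected


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file so large tarballs are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, manifest_text):
    """Return True only if the file's digest matches its manifest entry.

    Raises KeyError if the manifest has no entry for the file, so a missing
    line can never be mistaken for a successful check.
    """
    name = os.path.basename(path)
    expected = parse_manifest(manifest_text)
    if name not in expected:
        raise KeyError("no manifest entry for %s" % name)
    actual = sha256_of_file(path)
    # The digest is public, so a timing-safe compare is defence in depth
    # rather than a requirement; it costs nothing to use it.
    return hmac.compare_digest(actual, expected[name])


def demo():
    """Constructed tarball and manifest; returns (intact_ok, tampered_ok)."""
    payload = b"constructed tarball contents, not a real calibre release\n"
    filename = "calibre-x.y.z-x86_64.txz"  # constructed name, not a real release
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, filename)
        with open(path, "wb") as f:
            f.write(payload)
        manifest = "%s  %s\n" % (hashlib.sha256(payload).hexdigest(), filename)
        intact_ok = verify_download(path, manifest)
        # flip the tail of the file to simulate a corrupted or modified download
        with open(path, "wb") as f:
            f.write(payload[:-2] + b"!\n")
        tampered_ok = verify_download(path, manifest)
    return intact_ok, tampered_ok


if __name__ == "__main__":
    print("intact verifies: %s, tampered verifies: %s" % demo())
```

Note what this check does and does not cover. When the manifest comes from the same HTTPS origin as the tarball, a mismatch tells you the bytes you received are not the bytes the server published (transfer corruption, a stale mirror, an interrupted download). It cannot tell you whether the server's own copy is the one the developer built, which is the gap a detached signature made with a key obtained out of band (as already done for the git tags) would close.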