Checksum for install.ps1? #2737
I'd like to verify that the install.ps1 file I downloaded is not corrupt. Why can't I find a checksum of any kind for https://community.chocolatey.org/install.ps1? Seems like such a simple thing that would increase confidence. Going the other direction, I downloaded the file and calculated MD5, SHA1, and SHA256 checksums, but web searches did not find any hits.
Replies: 1 comment
We do sign the Install.ps1 file, and you can verify that after download -
Get-AuthenticodeSignature -PSPath $PathToFile
If the script is changed, the signature will no longer be valid/verified, showing instead a status of HashMismatch.
Depending on how you test this, of course, there's the possibility that someone might modify the script and re-sign it with a valid (but different) code signing certificate.
I realise that's not quite an answer to "have we published a checksum for the Install.ps1 file", but I hope it solves something of the same problem (i.e. confidence that the file has not been tampered with)?
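
Added example, not part of the original discussion and not Chocolatey's own code: one way to cover the re-signing caveat in the reply above is to check who signed the file as well as the signature status. The function name `Test-PinnedSignature` and the `<...>` values are placeholders (assumptions); take the expected subject or thumbprint from a source you trust, not from the downloaded file.

```powershell
# Added example: require a Valid Authenticode signature AND an expected signer.
function Test-PinnedSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSubject,   # placeholder, supplied by the caller
        [string] $ExpectedThumbprint                         # optional, stricter pin
    )

    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # 'Valid' means the file hash matches the signature and the certificate
    # chain is trusted on this machine. A modified file reports HashMismatch,
    # an unsigned one reports NotSigned.
    if ($sig.Status -ne [System.Management.Automation.SignatureStatus]::Valid) {
        Write-Warning "Signature status is $($sig.Status): $($sig.StatusMessage)"
        return $false
    }

    # 'Valid' alone does not say who signed the file. A script re-signed with
    # some other trusted code signing certificate would also report Valid,
    # so compare the signer against the publisher you expect.
    $cert = $sig.SignerCertificate
    if ($cert.Subject -ne $ExpectedSubject) {
        Write-Warning "Unexpected signer subject: $($cert.Subject)"
        return $false
    }

    # A thumbprint pin identifies one exact certificate. It must be updated
    # whenever the publisher renews or replaces its certificate.
    if ($ExpectedThumbprint -and ($cert.Thumbprint -ne $ExpectedThumbprint)) {
        Write-Warning "Unexpected signer thumbprint: $($cert.Thumbprint)"
        return $false
    }

    return $true
}

# Usage with placeholder values (replace with the values you have verified):
$PathToFile = '.\install.ps1'
if (-not (Test-PinnedSignature -Path $PathToFile -ExpectedSubject '<expected publisher subject>')) {
    throw "Refusing to run ${PathToFile}: signature check failed."
}
```

To see the subject and thumbprint of the certificate on a file you already have, inspect `(Get-AuthenticodeSignature -LiteralPath $PathToFile).SignerCertificate | Format-List Subject, Issuer, Thumbprint, NotAfter`.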