
Normally, The Document Foundation (TDF) publishes the SHA-256 and SHA-1 hashes, along with the MD5 checksum, for all LibreOffice releases. For example, see this.

However, for their current release (v7.1.4), TDF did not publish any hashes or even a checksum (see this and this).

Besides compiling from the source code, what is the next best way to verify the authenticity of the downloads received on any (or all) of the mirrors listed in the referenced files?

(Related note: Most malware scanners actually do next to nothing when scanning MSI files, and the LibreOffice installer file is much too large to upload to VirusTotal. Not that either of those techniques validate authenticity, but at least they can reduce the risk of malware.)

  • The link you have shared has digitally signed binaries. Is a hash really necessary? – saurabh Jun 11 '21 at 07:46
  • @saurabh Good question. I don't know. How can one verify the digitally signed binaries are actually signed by The Document Foundation and not someone else who created signatures using the same name, but changing a single character to a Unicode character that looks identical but technically has a different value? Also, do you know why the TDF normally posts the hashes if they are superfluous? – RockPaperLz- Mask it or Casket Jun 11 '21 at 13:38
  • @saurabh I posted this question to help answer your good question: https://security.stackexchange.com/questions/251286/if-a-file-is-digitally-signed-is-posting-a-hash-very-useful-for-security-purpos – RockPaperLz- Mask it or Casket Jun 11 '21 at 13:54
  • You can verify through PKI, where their certificate chain is validated against a root CA, and you check that the root CA is from a trusted third party like DigiCert, QuoVadis, Comodo, or one you can trust. But yes, there is no way to find out if their own key is compromised while you are downloading until they release a statement or inform the CA. The CA will revoke the key, and you need to keep your system updated with the latest CRL. – saurabh Jun 11 '21 at 14:03
  • @saurabh Thanks. I have done that many times for web host certificates, but I'm not familiar with how to accomplish that for an individual downloaded file. Could you possibly outline the steps using LibreOffice as your example? – RockPaperLz- Mask it or Casket Jun 11 '21 at 14:10
  • Refer to this for verification steps: https://www.sslsupportdesk.com/how-to-verify-a-digital-code-signing-signature-in-windows/. You can also check the signtool or Get-AuthenticodeSignature command on Windows OS. – saurabh Jun 11 '21 at 14:30
  • Recompiling wouldn't verify authenticity. Most probably you would get a very different binary. To get the exact same binary we need "reproducible build" process which is a hot and interesting topic. – goteguru Jun 11 '21 at 22:58
  • @goteguru Great point, and something I need to remind myself. I have programmed in assembler for years, so I'm used to every build being identical. The importance of producing reproducible builds seems to have been forgotten by many current compiler developers. Fortunately, assembler developers still understand! – RockPaperLz- Mask it or Casket Jun 12 '21 at 02:22
  • @saurabh Thank you for that link and the tools you mentioned. – RockPaperLz- Mask it or Casket Jun 12 '21 at 02:22
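
Turning saurabh's pointer to signtool and Get-AuthenticodeSignature into a concrete check, the following PowerShell is an added example and is not part of the original thread or of TDF's own tooling. It assumes the installer sits in the user's Downloads folder under a placeholder file name, and it assumes the expected signer common name is "The Document Foundation"; that CN is an assumption, not something the page confirms, so it should be set from a certificate you have verified out of band (for instance, from an earlier release you already trust). Beyond checking that Windows reports the signature as Valid, it compares the signer's CN with an ordinal comparison and rejects any non-ASCII character in the subject, which addresses the Unicode look-alike concern raised in the comments, and it rebuilds the chain with online revocation checking so a revoked certificate is caught rather than silently accepted from a cached result.

```powershell
# Added example, not from the original post: verify the Authenticode signature on a
# LibreOffice MSI and check who signed it, not just that Windows says "Valid".
# The default path and the expected CN below are assumptions; replace them with values
# you have confirmed out of band (e.g. the signer thumbprint of a release you trust).
param(
    [string]$Path = "$env:USERPROFILE\Downloads\LibreOffice_7.1.4_Win_x64.msi",
    [string]$ExpectedSubjectCN = 'The Document Foundation',
    [string]$PinnedThumbprint = ''   # optional: SHA-1 thumbprint of a previously verified signer cert
)

$sig = Get-AuthenticodeSignature -FilePath $Path

# 1. The signature must be cryptographically valid and chain to a root Windows trusts.
#    'NotSigned', 'HashMismatch', 'UnknownError', etc. are all failures.
if ($sig.Status -ne 'Valid') {
    throw "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
}

$cert = $sig.SignerCertificate

# 2. Compare the subject CN exactly (ordinal, code point by code point). A look-alike
#    name using a Unicode homoglyph is a different string and will not match.
$cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
if ([string]::CompareOrdinal($cn, $ExpectedSubjectCN) -ne 0) {
    throw "Unexpected signer CN '$cn' (expected '$ExpectedSubjectCN')"
}

# 3. Refuse any non-printable-ASCII character anywhere in the subject, which also catches
#    homoglyph substitutions in the O= or OU= fields, not only the CN.
if ($cert.Subject -match '[^\x20-\x7E]') {
    throw "Signer subject contains non-ASCII characters: $($cert.Subject)"
}

# 4. Optional pin: once a signer certificate has been verified out of band, later downloads
#    (from any mirror) must be signed by that same certificate.
if ($PinnedThumbprint -and $cert.Thumbprint -ne $PinnedThumbprint.ToUpper()) {
    throw "Signer thumbprint $($cert.Thumbprint) does not match pinned $PinnedThumbprint"
}

# 5. Rebuild the chain with online revocation checking for every certificate in it, so a
#    key the CA has revoked is rejected even if Get-AuthenticodeSignature used a stale CRL.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
    throw "Certificate chain did not build cleanly"
}
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

# 6. Report what was verified so the root CA and signer can be eyeballed and recorded.
[pscustomobject]@{
    File          = $Path
    Status        = $sig.Status
    SignerSubject = $cert.Subject
    SignerThumb   = $cert.Thumbprint
    Issuer        = $cert.Issuer
    NotAfter      = $cert.NotAfter
    RootCA        = $root.Subject
    TimeStamper   = if ($sig.TimeStamperCertificate) { $sig.TimeStamperCertificate.Subject } else { '(none)' }
}
```

Run it as `.\Verify-Installer.ps1 -Path C:\path\to\installer.msi` (script name is a placeholder). The thumbprint pin is what makes the check useful across mirrors: a mirror can serve any file it likes, but it cannot produce a file signed by TDF's key, so once you have one verified signer certificate every subsequent download is either signed by that key or rejected. As noted in the comments, this still cannot detect a compromised signing key until the CA revokes it, which is why the chain is rebuilt with revocation checking set to Online.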

0 Answers