GNOME Bugzilla – Bug 774162
Secure installers
Last modified: 2018-06-29 23:51:54 UTC
There are SHA checksums for sources, but none for the installers. Since Sourceforge ultimately delegates downloads to unspecified unencrypted (http) mirrors, and e.g. the DMG for Mac is unsigned, there is no way to trust that the installer is legit. Solution: Add checksums for the installers to those already available for the sources. This way, at least users will be able to view them on an https Sourceforge page. One would still have to trust Sourceforge, but much better!
Because of my concerns about the binary, I decided to build from sources. After a few hours of updating OS components, installing build tools, and compiling prerequisites, I noticed `http://downloads.sourceforge.net/sourceforge/libpng/libpng-1.6.17.tar.xz`. Ouch! Building from sources seems equally insecure. I guess I've gotten spoiled because over the recent years so many code repositories that are https-only (e.g. github) have sprung up. Oh, well. I realize that this is open source, so I'll leave it with "Thanks for the free software" and simply note this security concern.
The Mac dmg isn't signed, but the app bundle within is. If you'd rather download from Github, there's https://github.com/Gnucash/gnucash/releases/download/2.6.14a/Gnucash-Intel-2.6.14-1.dmg.
The installers now have SHA256 hashes generated on the release manager's machine before upload. The hashes are in a README file on Sourceforge and in the release news on www.gnucash.org and github.com.
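As an added example (not code from this bug thread or from the GnuCash project), the script below verifies a downloaded installer against a SHA256 list in the two-column format that `sha256sum` / `shasum -a 256` write, which is the workflow the previous comment describes: fetch the hash list from an https page, then compare it against the file that actually arrived from an http mirror. The README text, the payload and the digest (SHA-256 of the bytes `abc`) are constructed samples, and `other-installer.exe` is a hypothetical name used only to show the unlisted-file case; the only real identifier is the DMG file name quoted earlier in the thread.

```python
"""Verify a downloaded installer against a published SHA256 list (constructed example)."""
import hashlib
import hmac
import os
import tempfile

# Sample hash list in `sha256sum` format. The file name is the one quoted in
# the thread; the digest is CONSTRUCTED (SHA-256 of the bytes b"abc"), not a
# real GnuCash release hash.
SAMPLE_README = """\
# SHA256 hashes generated on the release manager's machine (constructed sample)
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  Gnucash-Intel-2.6.14-1.dmg
"""


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large installers do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def parse_sha256_list(text):
    """Parse 'hash  filename' lines; skip comments, blanks and malformed entries."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            continue  # not a SHA-256 entry
        digest, name = parts
        # sha256sum writes a leading '*' for files hashed in binary mode
        expected[name.lstrip("*")] = digest.lower()
    return expected


def verify_installer(path, expected):
    """Return 'ok', 'mismatch' or 'unlisted' for the file at `path`."""
    name = os.path.basename(path)
    if name not in expected:
        return "unlisted"  # no published hash: nothing to trust it against
    actual = sha256_of_file(path)
    # constant-time comparison is cheap and avoids a careless != on hex strings
    return "ok" if hmac.compare_digest(actual, expected[name]) else "mismatch"


def demo():
    """Run the three cases a user can hit and return their outcomes."""
    expected = parse_sha256_list(SAMPLE_README)
    with tempfile.TemporaryDirectory() as tmp:
        dmg = os.path.join(tmp, "Gnucash-Intel-2.6.14-1.dmg")
        with open(dmg, "wb") as fh:
            fh.write(b"abc")  # constructed payload whose SHA-256 is listed above
        results = {"good": verify_installer(dmg, expected)}

        # A file altered on the way from an http mirror: one byte changed.
        with open(dmg, "wb") as fh:
            fh.write(b"abd")
        results["tampered"] = verify_installer(dmg, expected)

        # Hypothetical installer name that the README does not list at all.
        other = os.path.join(tmp, "other-installer.exe")
        with open(other, "wb") as fh:
            fh.write(b"abc")
        results["unlisted"] = verify_installer(other, expected)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The check is only as good as the channel the hash list came over: read it from the https Sourceforge page, the release news on www.gnucash.org or the GitHub release, never from the same http mirror that served the installer, and treat `unlisted` as a failure rather than a pass.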
GnuCash bug tracking has moved to a new Bugzilla host. This bug has been copied to https://bugs.gnucash.org/show_bug.cgi?id=774162. Please update any external references or bookmarks.