
Validating downloaded dmg file



I recently downloaded Affinity Designer to install and noticed it was downloaded from d1gl0nrskhax8d.cloudfront.net. Strange name; I understand it's a CDN. Though is there a way for me to validate the file to ensure it didn't come from somewhere else and it's the intended file? A hash would work.

 

Thank you,


Brett


Hi Brett and welcome to the forum.

On Windows, use a single right-click on the downloaded file to open the "properties".

Switch to the "Digital Signatures" tab to inspect the digital certificates.

You can select the certificates and inspect the details.


Mac mini M1 A2348 | Windows 10 - AMD Ryzen 9 5900x - 32 GB RAM - Nvidia GTX 1080

LG34WK950U-W, calibrated to DCI-P3 with LG Calibration Studio / Spider 5

iPad Air Gen 5 (2022) A2589

Special interest into procedural texture filter, edit alpha channel, RGB/16 and RGB/32 color formats, stacking, finding root causes for misbehaving files, finding creative solutions for unsolvable tasks, finding bugs in Apps.

 


31 minutes ago, NotMyFault said:

On Windows,

As Brett mentioned a dmg file (topic subject), it's almost certainly Mac, not Windows.

-- Walt
Designer, Photo, and Publisher V1 and V2 at latest retail and beta releases
PC:
    Desktop:  Windows 11 Pro, version 23H2, 64GB memory, AMD Ryzen 9 5900 12-Core @ 3.00 GHz, NVIDIA GeForce RTX 3090 

    Laptop:  Windows 11 Pro, version 23H2, 32GB memory, Intel Core i7-10750H @ 2.60GHz, Intel UHD Graphics Comet Lake GT2 and NVIDIA GeForce RTX 3070 Laptop GPU.
iPad:  iPad Pro M1, 12.9": iPadOS 17.4.1, Apple Pencil 2, Magic Keyboard 
Mac:  2023 M2 MacBook Air 15", 16GB memory, macOS Sonoma 14.4.1


I don’t know whether the SHA256 values for the Affinity apps’ DMG files are published anywhere, but if they are you can use a Terminal command to generate the SHA256 value for the downloaded file so that you can compare the two.

https://www.softwarert.com/verify-sha256-dmg-files-mac-terminal/

Alfred
Affinity Designer/Photo/Publisher 2 for Windows • Windows 10 Home/Pro
Affinity Designer/Photo/Publisher 2 for iPad • iPadOS 17.4.1 (iPad 7th gen)


2 hours ago, Alfred said:

I don’t know whether the SHA256 values for the Affinity apps’ DMG files are published anywhere, but if they are you can use a Terminal command to generate the SHA256 value for the downloaded file so that you can compare the two.

I guess that is the question: are there regularly posted hashes for Affinity files? I have seen this question a few times with an Affinity rep listing the current version hashes. I am not sure of the difficulty of including the hashes on the download page. It would be a useful add, especially since the files are not coming from a Serif-owned or controlled domain.

 

Thank you for the feedback everyone. It's good to know there is help out there. :)


  • Staff

We use the Cloudfront.net service to facilitate the download of our installation files but you can verify your Affinity Designer 1.10.1 dmg download against the following hash values

SHA-256: 16c7b5ecb193e6951b43939cb92962bfa1284ddeed19c30c386a018a5071e523

SHA-1: 578470b3f5f12c8fc4e06ec9e58241540739d4c2

MD5: 32806060a0c43c78fd57a2efa8329ab4


1 hour ago, DWright said:

you can verify your Affinity Designer 1.10.1 dmg download against the following hash values

 

8 hours ago, brettski said:

I have seen this question a few times with an Affinity rep listing the current version hashes. I am not sure of the difficulty of including the hashes on the download page.


Is there some difficulty that Serif’s customers are unaware of? :/

 

Alfred

2 hours ago, DWright said:

We use the Cloudfront.net service to facilitate the download of our installation files but you can verify your Affinity Designer 1.10.1 dmg download against the following hash values

SHA-256: 16c7b5ecb193e6951b43939cb92962bfa1284ddeed19c30c386a018a5071e523

SHA-1: 578470b3f5f12c8fc4e06ec9e58241540739d4c2

MD5: 32806060a0c43c78fd57a2efa8329ab4

Thanks. Perhaps the FAQ could be updated more often, at least for the retail releases?

-- Walt

3 hours ago, walt.farrell said:

Thanks. Perhaps the FAQ could be updated more often, at least for the retail releases?

It would seem the most logical place is to live on the download page where you request your files. Well, it's where I looked for it first anyway.

 

6 hours ago, DWright said:

We use the Cloudfront.net service to facilitate the download of our installation files but you can verify your Affinity Designer 1.10.1 dmg download against the following hash values

Thank you for the values, it is very much appreciated! 

Though `Cloudfront.net` is a reputable company it is still a third party you can't control and may not have any idea if a file was changed within their network. Sure this is a bit "tinfoil hat", but stranger things have happened.

 

 


1 hour ago, brettski said:

It would seem the most logical place is to live on the download page where you request your files. Well, it's where I looked for it first anyway.

I would rather have it somewhere else. If someone hacks the download page to point to a malicious file they can also replace the hash if it's on the same page.

-- Walt

1 hour ago, walt.farrell said:

I would rather have it somewhere else. If someone hacks the download page to point to a malicious file they can also replace the hash if it's on the same page.

I can't argue with that logic. Though at that point, any site page wouldn't be good...


2 minutes ago, brettski said:

I can't argue with that logic. Though at that point, any site page wouldn't be good...

That depends on what you mean by the "download page". For example, if the hash and the download link were both on https://store.serif.com/en-us/update/windows/photo/1/ then yes, having both on the same page means that anyone hacking that page can replace both.

However, if the hashes are kept in the FAQ, at https://forum.affinity.serif.com/index.php?/topic/123411-file-hash-information-to-verify-downloaded-affinity-apps/ then it's in some ways two different sites, and the hacker might need to find two different exploits.

 

-- Walt

5 minutes ago, walt.farrell said:

Good find, Walt! All we need is for that thread (or another one like it) to be updated with similar info for the latest versions.

Alfred

On 10/21/2021 at 10:41 AM, walt.farrell said:

If someone hacks the download page to point to a malicious file they can also replace the hash if it's on the same page.

What specifically do you mean by the download page? As I understand it, if the app came from the Mac or Windows Store, there isn't a separate web page for each app, so I guess you are talking about an Affinity Store page, or do I have that wrong?

All 3 1.10.8, & all 3 V2.4.2 Mac apps; 2020 iMac 27"; 3.8GHz i7, Radeon Pro 5700, 32GB RAM; macOS 10.15.7
Affinity Photo 
1.10.8; Affinity Designer 1.108; & all 3 V2 apps for iPad; 6th Generation iPad 32 GB; Apple Pencil; iPadOS 15.7


27 minutes ago, R C-R said:

What specifically do you mean by the download page? As I understand it, if the app came from the Mac or Windows Store, there isn't a separate web page for each app, so I guess you are talking about an Affinity Store page, or do I have that wrong?

Do you get a DMG file if you're using the Mac or Windows Store? Do you have any doubt that you're downloading from the right site, or even any choice in the matter, if you use the Mac or Windows Store?

-- Walt

47 minutes ago, walt.farrell said:

Do you get a DMG file if you're using the Mac or Windows Store?

I don't know about how it works for the Windows Store but there is no DMG for the Mac Store -- you get a button to install the update (if auto-update apps is not enabled in the MAS preferences). If you click it, the app is automatically downloaded & installed directly on the Mac. There is no separate file.


On 10/22/2021 at 11:57 AM, R C-R said:

What specifically do you mean by the download page?

I purchased Affinity Designer and Photo for Mac Desktop through Serif, not the Apple app store. So to get the application it needs to be downloaded from Serif. @R C-R you are correct, if I had purchased through the Apple store this would be a non-issue as the application would be delivered through Apple. 


1 hour ago, brettski said:

I purchased Affinity Designer and Photo for Mac Desktop through Serif, not the Apple app store. So to get the application it needs to be downloaded from Serif.

So if you go to the Affinity Store site to get the download, the first thing you have to do is sign in. To do that, you have to supply your account name & password. From a security standpoint, this means you need to make sure you are at the real Affinity Store site before you do that.

If you can do that, then you can compare the purchase date & other info shown with any records you have kept of that info. If it all matches up, the download should be OK, but I still can see the need for the hashes to be doubly sure it has not been compromised.


46 minutes ago, R C-R said:

If it all matches up, the download should be OK, but I still can see the need for the hashes to be doubly sure it has not been compromised.

Not doubly sure, but to be sure. As I stated in the first post here, the file is delivered from a third party not controlled by Serif. Is the chance there is an issue small (really small), sure, but as I sit here with my tinfoil hat on, I like to verify files. :)

 


2 hours ago, brettski said:

Not doubly sure, but to be sure. As I stated in the first post here, the file is delivered from a third party not controlled by Serif. Is the chance there is an issue small (really small), sure, but as I sit here with my tinfoil hat on, I like to verify files. :)

Keep in mind that downloads are almost never delivered directly from the site you are on, nor is much if any of the page content. As already mentioned, this means any hash you can get from a site may be bogus.
