Opened 4 months ago

Closed 4 months ago

#24056 closed enhancement (wontfix)

Add files containing SHA256 checksums of the builds at https://josm.openstreetmap.de/download/

Reported by: dick@… Owned by: team
Priority: normal Milestone:
Component: Core Version:
Keywords: Cc:

Description

Would it be possible to add a file (per build) which contains the SHA256 checksum of the build?

Something like:

josm-snapshot-19265.jar.sha256 containing e87a09a161fd4ec8392e400b95af0d1c67df5b29abd36560646dd91b9041b857

This would allow getting the build from another location (like a mirror) and ensure it's as distributed by josm.openstreetmap.de by only downloading the sha256 file.

Attachments (0)

Change History (3)

comment:1 by stoecker, 4 months ago

Resolution: wontfix
Status: new → closed

The build files are signed. Simply verify the signature.

comment:2 by anonymous, 4 months ago

Resolution: wontfix
Status: closed → reopened

Thanks! I didn't consider that.

I did some testing with jarsigner; although it can validate the contents of the jar file, it doesn't actually check the jar file (if it has been tampered with).

For example, if I append some random data to the end of the jar file using "date >> josm-snapshot-19265.jar", jarsigner isn't able to detect this.

I'm not sure how harmful this is; I do get warnings if I actually add random files to the jar file.

My preference would be that I could just validate the checksum of the jar file.

If you don't agree, feel free to close this issue again.

comment:3 by stoecker, 4 months ago

Resolution: wontfix
Status: reopened → closed

If you add entries to the jar, they will be unsigned and jarsigner should tell you. If you add something at the end of the zip file, that will not have any effect. I agree that the jar signing method is a bit strange and does not protect against modifications of the enclosing zip/jar file (only of the contents inside), but it is the way Java designed this and I don't plan to add another verification method.

If you don't trust that, only use josm.openstreetmap.de as download site. We link all the certificates at the WikiStart page (also the changing Let's Encrypt certificate). Note the private part of the website Let's Encrypt certificate stays constant, so that's easy to verify, even when the public key changes.
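The check the reporter describes (download a build from a mirror, fetch only the small `.sha256` file from the origin site, compare the two) can be scripted in a few lines. The following is an added example written for this thread, not JOSM project code: it assumes the bare-hash file format proposed in the ticket (a `.sha256` file containing only the hex digest, optionally followed by a filename as `sha256sum` prints it), and it uses a constructed stand-in file rather than a real JOSM build. It also shows why the reporter's `date >> file.jar` case is caught by a whole-file digest even though `jarsigner` only covers the entries inside the archive.

```shell
#!/bin/sh
# Added example (not JOSM project code): verify a downloaded build against a
# detached SHA-256 checksum file published by the origin site.

# sha256_of FILE: print the lowercase hex SHA-256 digest of FILE.
# Uses coreutils sha256sum when present, otherwise BSD/macOS shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE CHECKSUM_FILE
# Returns 0 when the digest recorded in CHECKSUM_FILE matches FILE, 1 otherwise.
# CHECKSUM_FILE may hold a bare digest (the format proposed in the ticket) or a
# "digest  filename" line as written by `sha256sum`; only the first field of the
# first line is used. The digest must be exactly 64 hex characters, so a
# truncated or malformed checksum file never "matches" by accident.
verify_sha256() {
    file="$1"
    expected=$(awk 'NR==1 {print tolower($1)}' "$2")
    if [ "${#expected}" -ne 64 ]; then
        echo "malformed checksum file: $2" >&2
        return 1
    fi
    case "$expected" in
        *[!0-9a-f]*) echo "malformed checksum file: $2" >&2; return 1 ;;
    esac
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file"
        return 0
    fi
    echo "MISMATCH: $file (expected $expected, got $actual)" >&2
    return 1
}

# demo: constructed stand-in for a build plus its checksum file, then the
# tampering case from the ticket (bytes appended after the zip end-of-central-
# directory record, which jarsigner ignores but a whole-file digest detects).
demo() {
    tmp=$(mktemp -d)
    jar="$tmp/josm-snapshot-19265.jar"           # constructed, not a real build
    printf 'PK\003\004 constructed archive bytes' > "$jar"
    sha256_of "$jar" > "$jar.sha256"             # what the origin site would publish
    verify_sha256 "$jar" "$jar.sha256"           # prints OK
    date >> "$jar"                               # the reporter's tampering example
    verify_sha256 "$jar" "$jar.sha256" || echo "tampering detected"
    rm -rf "$tmp"
}

[ "${1:-}" = "--demo" ] && demo
```

The checksum verifies integrity relative to what the origin site published; it says nothing about who built the file, so `jarsigner -verify` on the archive entries and the whole-file digest are complementary checks rather than alternatives. Run with `sh verify.sh --demo` to see both the matching and the appended-bytes case.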
