We are using the Atlassian RSS feed to download the latest Atlassian products, it works very well, thank you to the Atlassian team.
I would very much like to verify the download integrity of the binaries with a hash that is signed by Atlassian using a known Atlassian public key.
I am not finding any information about this existing.
Is this something Atlassian is doing?
Hi Royce,
Unfortunately, Atlassian don't provide this at the moment. There is an outstanding JAC (BSERV-2480), so please add your vote.
The extremely ironic thing is that an md5 checksum is available for other major products. You simply append ".md5" to the URL of your download, e.g. if the installer is:
wget https://www.atlassian.com/software/jira/downloads/binary/atlassian-jira-software-8.8.0-x64.exe
then
wget https://www.atlassian.com/software/jira/downloads/binary/atlassian-jira-software-8.8.0-x64.exe.md5
will get you the md5 checksum.
I just tried it for Bitbucket server and it returns 403.
A hash is very different from a signed hash. The act of signing a hash with a private key allows the public key to be used to verify the authenticity of the hash; then, and only then, can the hash be trusted.
A malicious actor that is capable of replacing the binary, or intercepting it, could also easily replace the hash. Signing the hash greatly increases the level of trust in the download.
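To make the two points in this thread concrete (the ".md5" sidecar from the earlier answer, and the difference between a bare hash and a signed hash from the reply above), here is an added Go example. It is not code from the thread or from Atlassian: the installer bytes and sidecar contents are constructed samples, the sidecar layout (a bare hex digest, optionally followed by a filename) is an assumption, and Ed25519 over a SHA-256 digest is just an illustrative signing scheme, not anything Atlassian publishes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// ParseMD5Sidecar extracts the hex digest from the contents of a ".md5" file.
// Assumed layout: a bare digest, or the common "<digest>  <filename>" form.
func ParseMD5Sidecar(contents string) (string, error) {
	fields := strings.Fields(contents)
	if len(fields) == 0 {
		return "", errors.New("empty checksum file")
	}
	digest := strings.ToLower(fields[0])
	if len(digest) != md5.Size*2 {
		return "", fmt.Errorf("unexpected digest length %d", len(digest))
	}
	if _, err := hex.DecodeString(digest); err != nil {
		return "", fmt.Errorf("digest is not hex: %w", err)
	}
	return digest, nil
}

// VerifyMD5 reports whether the binary's MD5 matches the sidecar digest.
// This only catches accidental corruption: whoever can swap the binary on
// the download path can swap the unsigned sidecar just as easily.
func VerifyMD5(binary []byte, sidecar string) (bool, error) {
	want, err := ParseMD5Sidecar(sidecar)
	if err != nil {
		return false, err
	}
	sum := md5.Sum(binary)
	got := hex.EncodeToString(sum[:])
	return subtle.ConstantTimeCompare([]byte(got), []byte(want)) == 1, nil
}

// SignDigest is the vendor-side step at release time: hash the artifact and
// sign the digest with a private key that never leaves the vendor.
func SignDigest(priv ed25519.PrivateKey, binary []byte) []byte {
	digest := sha256.Sum256(binary)
	return ed25519.Sign(priv, digest[:])
}

// VerifySignedDigest is the downloader-side step: recompute the digest and
// check the signature against a pinned vendor public key. A swapped binary
// or a swapped digest fails unless the attacker also holds the private key.
func VerifySignedDigest(pub ed25519.PublicKey, binary, sig []byte) bool {
	digest := sha256.Sum256(binary)
	return ed25519.Verify(pub, digest[:], sig)
}

func main() {
	// Constructed sample "installer" and sidecar; not real Atlassian data.
	installer := []byte("pretend-installer-bytes")
	sum := md5.Sum(installer)
	sidecar := hex.EncodeToString(sum[:]) + "  atlassian-jira-software-8.8.0-x64.exe\n"

	ok, _ := VerifyMD5(installer, sidecar)
	fmt.Println("md5 matches genuine installer:", ok)

	// If both the binary and its unsigned sidecar are replaced, the check
	// still passes: an unsigned hash proves nothing about origin.
	tampered := []byte("altered-installer-bytes")
	tsum := md5.Sum(tampered)
	ok, _ = VerifyMD5(tampered, hex.EncodeToString(tsum[:]))
	fmt.Println("md5 matches after both files are replaced:", ok)

	// With a signed digest and a pinned public key, the replacement is caught.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	sig := SignDigest(priv, installer)
	fmt.Println("signature valid for genuine installer:", VerifySignedDigest(pub, installer, sig))
	fmt.Println("signature valid for altered installer:", VerifySignedDigest(pub, tampered, sig))
}
```

The public key used in VerifySignedDigest is what would need to be obtained out of band (for example, shipped with your tooling rather than fetched from the same server as the binary); the value of the signature comes entirely from that key being pinned in advance.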