RSS installer downloads with signed hash

Royce Souther April 17, 2020

We are using the Atlassian RSS feed to download the latest Atlassian products, it works very well, thank you to the Atlassian team.

I would very much like to verify the download integrity of the binaries with a hash that is signed by Atlassian using a known Atlassian public key.

I am not finding any information about this existing.

Is this something Atlassian is doing? 


1 answer

1 vote
JimmyVanAU
April 17, 2020

Hi Royce,

Unfortunately, Atlassian don't provide this at the moment. There is an outstanding JAC (BSERV-2480), so please add your vote.

The extremely ironic thing is that an md5 checksum is available for other major products. You simply append ".md5" to the URL of your download, e.g. if the installer is:

wget https://www.atlassian.com/software/jira/downloads/binary/atlassian-jira-software-8.8.0-x64.exe

then

wget https://www.atlassian.com/software/jira/downloads/binary/atlassian-jira-software-8.8.0-x64.exe.md5

will get you the md5 checksum.

I just tried it for Bitbucket server and it returns 403.

Royce Souther April 17, 2020

A hash is very different from a signed hash. The act of signing a hash with a private key allows the public key to be used to verify the authenticity of the hash; then, and only then, can the hash be trusted.

A malicious actor that is capable of replacing the binary, or intercepting it, could also easily replace the hash. Signing the hash greatly increases the level of trust in the download.

How Do Digital Signatures Work  
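Editor's note: the following Go program is an added illustration of the two checks discussed in this thread, not code from Atlassian or from either poster. It models the ".md5" convention from the answer above (the file at "<installer URL>.md5" is assumed to contain the hex digest followed by a newline) next to the signed-hash scheme Royce is asking for. Ed25519 over a SHA-256 digest is a stand-in signature scheme chosen for the example; a key pair generated in-process stands in for a vendor key that a client would have pinned in advance. The installer bytes and the "tampered" replacement are constructed sample data.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Constructed stand-in for the installer bytes that wget would fetch.
var genuineInstaller = []byte("atlassian-jira-software-8.8.0-x64.exe (constructed sample bytes)")

// PublishedMD5 produces the text assumed to sit at "<installer URL>.md5":
// the hex MD5 digest of the file, followed by a newline.
func PublishedMD5(installer []byte) string {
	sum := md5.Sum(installer)
	return hex.EncodeToString(sum[:]) + "\n"
}

// VerifyMD5 is the unsigned check from the answer above: recompute MD5 and
// compare it with the served digest. Nothing here ties the digest to the vendor,
// so whoever can swap the binary can swap the digest too.
func VerifyMD5(installer []byte, md5Text string) bool {
	sum := md5.Sum(installer)
	return hex.EncodeToString(sum[:]) == strings.TrimSpace(md5Text)
}

// SignedHash is what a vendor could publish beside each installer: the SHA-256
// digest of the file and an Ed25519 signature over that digest.
type SignedHash struct {
	Digest    []byte
	Signature []byte
}

func sha256Of(b []byte) []byte {
	d := sha256.Sum256(b)
	return d[:]
}

// Publish is the vendor side: hash the installer and sign the hash with the
// private key that never leaves the vendor.
func Publish(priv ed25519.PrivateKey, installer []byte) SignedHash {
	digest := sha256Of(installer)
	return SignedHash{Digest: digest, Signature: ed25519.Sign(priv, digest)}
}

// VerifySigned is the client side: check the signature with the pinned vendor
// public key first, and only then trust the digest enough to compare it with
// the downloaded bytes.
func VerifySigned(pub ed25519.PublicKey, installer []byte, sh SignedHash) bool {
	if !ed25519.Verify(pub, sh.Digest, sh.Signature) {
		return false
	}
	return bytes.Equal(sha256Of(installer), sh.Digest)
}

// Outcome records what each check says for the genuine and the tampered download.
type Outcome struct {
	GenuineMD5, GenuineSigned   bool
	TamperedMD5, TamperedSigned bool
}

// Scenario plays out the threat described in the thread: an actor who can
// replace both the binary and the hash file served next to it.
func Scenario() Outcome {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // vendor key pair (constructed)
	if err != nil {
		panic(err)
	}
	published := Publish(priv, genuineInstaller)

	tampered := []byte("replacement installer (constructed, not the vendor's bytes)")
	// The actor can recompute the digest for their own file but cannot sign it;
	// the best they can do is reuse the vendor's signature over the genuine digest.
	forged := SignedHash{Digest: sha256Of(tampered), Signature: published.Signature}

	return Outcome{
		GenuineMD5:     VerifyMD5(genuineInstaller, PublishedMD5(genuineInstaller)),
		GenuineSigned:  VerifySigned(pub, genuineInstaller, published),
		TamperedMD5:    VerifyMD5(tampered, PublishedMD5(tampered)), // passes: attacker-served .md5
		TamperedSigned: VerifySigned(pub, tampered, forged),          // fails: signature does not cover it
	}
}

func main() {
	o := Scenario()
	fmt.Printf("genuine:  md5 ok=%v signed ok=%v\n", o.GenuineMD5, o.GenuineSigned)
	fmt.Printf("tampered: md5 ok=%v signed ok=%v\n", o.TamperedMD5, o.TamperedSigned)
}
```

The order inside VerifySigned is the point of Royce's comment: the signature is checked before the digest is compared, so a digest that was swapped along with the binary is rejected without the public key ever leaving the client. MD5 is kept only because that is what the ".md5" convention serves; it is not a collision-resistant hash and a vendor publishing signed hashes would use SHA-256 or stronger.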
