We are using the Atlassian RSS feed to download the latest Atlassian products. It works very well; thank you to the Atlassian team.
I would very much like to verify the download integrity of the binaries with a hash that is signed by Atlassian using a known Atlassian public key.
I am not finding any information about this existing.
Is this something Atlassian is doing?
Unfortunately, Atlassian don't provide this at the moment. There is an outstanding JAC (BSERV-2480), so please add your vote.
The extremely ironic thing is that an md5 checksum is available for other major products. You simply append ".md5" to the URL of your download, e.g. if the installer is:
will get you the md5 checksum.
I just tried it for Bitbucket server and it returns 403.
A hash is very different from a signed hash. The act of signing a hash with a private key allows the public key to be used to verify the authenticity of the hash; then, and only then, can the hash be trusted.
A malicious actor that is capable of replacing the binary, or intercepting it, could also easily replace the hash. By signing the hash, it greatly increases the level of trust in the download.
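The difference between a bare checksum and a signed one, as an added example that is not part of the original thread and is not Atlassian's code: a replaced binary served with a matching replaced digest passes the hash-only check but fails once the digest must carry a signature. SHA-256, Ed25519, the sample byte strings and all type and function names are assumptions chosen for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Published is what a download server hands out; all three fields can be swapped in transit.
type Published struct{ Binary, Digest, Sig []byte }

// Publish is the vendor side: hash the binary, then sign the digest.
func Publish(priv ed25519.PrivateKey, binary []byte) Published {
	d := sha256.Sum256(binary)
	return Published{binary, d[:], ed25519.Sign(priv, d[:])}
}

// HashOnlyOK proves only that the binary and the digest served with it agree.
func HashOnlyOK(p Published) bool {
	d := sha256.Sum256(p.Binary)
	return bytes.Equal(d[:], p.Digest)
}

// SignedHashOK also checks the digest's signature with a key obtained out of band.
func SignedHashOK(pub ed25519.PublicKey, p Published) bool {
	return HashOnlyOK(p) && ed25519.Verify(pub, p.Digest, p.Sig)
}

// Tamper models a replaced download: new binary, matching new digest, but
// the old signature, because the vendor's private key is not available.
func Tamper(p Published, replacement []byte) Published {
	d := sha256.Sum256(replacement)
	return Published{replacement, d[:], p.Sig}
}

// Demo returns hash-only and signed results for a genuine and a replaced download.
func Demo() (goodHash, goodSig, badHash, badSig bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	good := Publish(priv, []byte("constructed installer bytes"))
	bad := Tamper(good, []byte("constructed replacement bytes"))
	return HashOnlyOK(good), SignedHashOK(pub, good), HashOnlyOK(bad), SignedHashOK(pub, bad)
}

func main() { fmt.Println(Demo()) }
```

The signed check is only as strong as the channel over which the public key was obtained; a key fetched from the same server as the download adds nothing.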