Create
cancel
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in

Introducing SHA-256 Checksum Verification for DC Installers

Hello Data Center Community!

In our ongoing mission to offer the most secure products to our customers, we're excited to announce the introduction of SHA-256 checksum files for all our Data Center installers. Checksum files are available on the product download centers:

2024-05-08_13-12-09.png

Why SHA-256 Checksum Verification matters and how does it enhance security?

SHA-256 is a cryptographic hash function that produces a unique 256-bit (32-byte) signature for a text. When you download a file, especially a large or essential one such as our Data Center installer, it's possible that the file might get corrupted or tampered with during the download process. The SHA-256 checksum file allows you to verify the integrity of the downloaded file and ensure that it hasn't been modified from its original version.

Here's an example of what a SHA-256 file looks like:

6be91a483d2cf261d2b44050521335be4e0b76d787d0ad3529166c4c36a2ace5 atlassian-jira-software-9.4.21.tar.gz

In this case, the long string of numbers and letters is the SHA-256 checksum, a unique identifier for the specific version of the file. When you download the file, you can generate your own SHA-256 checksum and compare it to the original one we’ve provided. If they match, it means your file is intact and hasn't been tampered with.

Other benefits of checksums:

  • Integrity checks are mandatory or advisable under various regulations, such as the Secure Software Development Framework (SSDF), Federal Information Security Management Act (FISMA), and the Health Insurance Portability and Accountability Act (HIPAA).

  • Checksums enhance installation safety by ensuring the installation process is secure and that Data Center products are installed correctly and free from tampering.

  • Installer checksums can prevent installation errors and ensure that products function correctly, minimizing downtime and lost productivity risks.

How to Perform SHA-256 Checksum Verifications on Windows, Linux, and MacOS?

Windows:

  1. Download the file and the corresponding SHA256 file from our website.

  2. Open PowerShell from the Start menu.

  3. Navigate to the directory where the downloaded files are stored.

  4. Enter the following command: Get-FileHash -Algorithm SHA256 -Path .\<filename>

  5. Compare the output with the provided SHA-256 checksum. If they match, your download is successful and secure.

Linux/MacOS:

  1. Download the file and the corresponding SHA256 file from our website.

  2. Open a terminal.

  3. Navigate to the directory where the downloaded files are stored.

  4. Enter the following command: sha256sum <filename> for Linux or shasum -a 256 <filename> for MacOS.

  5. Compare the output with the provided SHA-256 checksum. If they match, your download is successful and secure.

As always, your feedback is invaluable to us. If you have any questions, suggestions, or require further clarification about this new feature, please don't hesitate to comment below.

Remember, while SHA-256 checksum verification is a powerful tool for ensuring the integrity of your downloaded files, it should be used alongside other security measures. We recommend maintaining secure network connections, using up-to-date antivirus software, and performing regular system updates to maximize your data protection and system security. Check also our security recommendations and best practices we’ve gathered for you. 

Data Center Team

1 comment

Comment

Log in or Sign up to comment
Tim Eddelbüttel
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
August 2, 2024

Hi @Tomasz Prus,

there are various release feeds avaialble. Specially Crowd (https://my.atlassian.com/download/feeds/current/crowd.json

https://my.atlassian.com/download/feeds/archived/crowd.json) the hashes also after this announcement are still missing. Would be great to have them as well in the feeds. 
Jira & Confluence are fine (e.g. https://my.atlassian.com/download/feeds/eap/confluence.json) as the MD5 hash is already included.
A little feedback on the UI interaction. Why is the hash itself hidden behind a file (instead of plain text) that can only be downloaded after accepting the terms itself?
Kind Regards,
Tim
TAGS
AUG Leaders

Atlassian Community Events