[cmake-developers] malware?

James Johnston JamesJ at motionview3d.com
Fri Jul 24 12:24:43 EDT 2015


> -----Original Message-----
> From: cmake-developers [mailto:cmake-developers-bounces at cmake.org]
> On 24/07/15 07:04, David Powell wrote:
> > hi
> >
> > I downloaded cmake an hour ago from cmake.org <http://cmake.org/> and
> > found myself with an unwanted piece of software called "advanced mac
> > cleaner", an app that was hard to get rid of. I'm not certain it came from
> > your site but it happened at the same time and I can't think of any other
> > explanation.  The download file from cmake.org <http://cmake.org/>
> > (supposedly the latest stable dmg for mac) was much bigger (30MB) than the
> > cmake file I subsequently downloaded from github.
> 
> I don't know about that, but I just noticed that cmake.org allows HTTP
> (non-HTTPS) downloads.
> 
> HTTP has no form of cryptographic authentication or verification, and it's
> incredibly easy for a MitM to attach malware to your downloads.
> 
> IMO, the HTTP downloads should be removed ASAP.

Two other ideas that don't require HTTPS hosting of large binary files:

 * On Windows, cryptographically sign the setup program using Authenticode.
When the UAC prompts for elevation, Windows will show it signed by "Kitware"
instead of a yellow warning "Unknown".  Probably the other operating systems
have a first-class way of doing something like this as well.  Downside:
certificates cost some modest amount of money to renew every year.

 * Post SHA-1 hashes of the EXEs/DMGs/tarballs on the CMake web site, and
post them over HTTPS.  But the downside here is that many users won't bother
to check this (e.g. Windows has no well-known built-in utility for
calculating a file hash).
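The second idea, as an added example that is not part of the thread or of CMake itself: check a downloaded installer against a sha1sum-style manifest that the caller has already fetched over HTTPS. The manifest contents, the filename `cmake-example.dmg` and the payload are constructed (the digest is the well-known SHA-1 test vector for `b"abc"`); the default algorithm is SHA-1 as proposed in the post, and any `hashlib` name such as `"sha256"` works too.

```python
import hashlib
import hmac
import os
import tempfile
# Constructed sample (not from the thread): SHA-1 of b"abc" is a known test vector.
SAMPLE_MANIFEST = """\
# sha1sum-style manifest, assumed to have been fetched over HTTPS
a9993e364706816aba3e25717850c26c9cd0d89d  cmake-example.dmg
"""
SAMPLE_PAYLOAD = b"abc"

def parse_manifest(text):
    """Map filename -> lowercase hex digest from '<digest>  <name>' lines."""
    digests = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        digests[name.strip().lstrip("*")] = digest.lower()  # '*' = binary-mode flag
    return digests

def file_digest(path, algorithm="sha1"):
    """Stream the file so large installers do not have to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_download(path, manifest_text, algorithm="sha1"):
    """Fail closed: a file absent from the manifest or a mismatch both fail."""
    expected = parse_manifest(manifest_text).get(os.path.basename(path))
    if expected is None:
        return False
    return hmac.compare_digest(expected, file_digest(path, algorithm))

def demo():
    """Genuine, tampered and unlisted downloads checked against the manifest."""
    with tempfile.TemporaryDirectory() as d:
        cases = {"genuine": ("cmake-example.dmg", SAMPLE_PAYLOAD),
                 "tampered": ("cmake-example.dmg", SAMPLE_PAYLOAD + b"\x00"),
                 "unlisted": ("other.dmg", SAMPLE_PAYLOAD)}
        results = {}
        for label, (name, data) in cases.items():
            path = os.path.join(d, name)
            with open(path, "wb") as f:
                f.write(data)
            results[label] = verify_download(path, SAMPLE_MANIFEST)
    return results
```

`demo()` returns `{'genuine': True, 'tampered': False, 'unlisted': False}`; the manifest must come from an authenticated channel, otherwise whoever can alter the download can alter the hash alongside it.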

I agree the current situation of unsigned files available over HTTP only is
not really ideal.  Perhaps this would be a good opportunity for looking at
enhancements to CMake itself in the area of code signing (e.g. code signing
of individual target EXEs/DLLs, and code signing of the final setup EXE
package by CPack) that hides the various operating-system-specific ways of
doing this?  Then, CMake itself can be modified to be built with these new
features, if available.  A quick Google search of cmake.org for code signing
didn't yield much in the way of previous discussion or existing features...

Best regards,

James Johnston
