[cmake-developers] malware?
James Johnston
JamesJ at motionview3d.com
Fri Jul 24 12:24:43 EDT 2015
> -----Original Message-----
> From: cmake-developers [mailto:cmake-developers-bounces at cmake.org]
> On 24/07/15 07:04, David Powell wrote:
> > hi
> >
> > I downloaded cmake an hour ago from cmake.org and
> > found myself with an unwanted piece of software called "advanced mac
> > cleaner", an app that was hard to get rid of. I'm not certain it came from
> > your site but it happened at the same time and I can't think of any other
> > explanation. The download file from cmake.org
> > (supposedly the latest stable dmg for mac) was much bigger (30MB) than the
> > cmake file I subsequently downloaded from github.
> >
>
> I don't know about that, but I just noticed that cmake.org allows HTTP
> (non-HTTPS) downloads.
>
> HTTP has no form of cryptographic authentication or verification, and it's
> incredibly easy for a MitM to attach malware to your downloads.
>
> IMO, the HTTP downloads should be removed ASAP.
Two other ideas that don't require HTTPS hosting of large binary files:
* On Windows, cryptographically sign the setup program using Authenticode.
When the UAC prompts for elevation, Windows will show it signed by "Kitware"
instead of a yellow warning "Unknown". Probably the other operating systems
have a first-class way of doing something like this as well. Downside:
certificates cost some modest amount of money to renew every year.
* Post SHA-1 hashes of the EXEs/DMGs/tarballs on the CMake web site, and
post them over HTTPS. But the downside here is that many users won't bother
to check this (e.g. Windows has no well-known in-built utility for
calculating a file hash).
I agree the current situation of unsigned files available over HTTP only is
not really ideal. Perhaps this would be a good opportunity for looking at
enhancements to CMake itself in the area of code signing (e.g. code signing
of individual target EXEs/DLLs, and code signing of the final setup EXE
package by CPack) that hides the various operating-system-specific ways of
doing this? Then, CMake itself can be modified to be built with these new
features, if available. A quick Google search of cmake.org for code signing
didn't yield much in the way of previous discussion or existing features...
Best regards,
James Johnston
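As an added illustration of the kind of CMake-level signing helper sketched above (this is example code, not code from the CMake project or from anyone in this thread), a function that hides the OS-specific signing tool behind one call. It assumes signtool (Windows SDK) or codesign (Xcode) is on PATH, and that the signing identity is supplied by the builder through cache variables named here for illustration.

```cmake
# Added example, not CMake's own code. Cache variables below are hypothetical
# names; the builder sets them on the command line or in a local cache.
cmake_minimum_required(VERSION 3.0)

set(CODESIGN_WINDOWS_PFX "" CACHE FILEPATH "Authenticode signing .pfx file")
set(CODESIGN_WINDOWS_PFX_PASSWORD "" CACHE STRING "Password for the .pfx")
set(CODESIGN_TIMESTAMP_URL "" CACHE STRING "RFC 3161 timestamp server URL")
set(CODESIGN_APPLE_IDENTITY "" CACHE STRING "e.g. 'Developer ID Application: ...'")

# sign_target(<target>): add a POST_BUILD step that signs the built file.
# Windows: signtool (Authenticode). macOS: codesign. Elsewhere: no-op, so the
# build is unchanged on platforms without a signing tool configured.
function(sign_target tgt)
  if(NOT TARGET ${tgt})
    message(FATAL_ERROR "sign_target: '${tgt}' is not a target")
  endif()
  if(WIN32)
    find_program(SIGNTOOL_EXECUTABLE signtool)
    if(NOT SIGNTOOL_EXECUTABLE OR NOT CODESIGN_WINDOWS_PFX OR NOT CODESIGN_TIMESTAMP_URL)
      message(WARNING "sign_target: signtool/pfx/timestamp URL missing; ${tgt} left unsigned")
      return()
    endif()
    # /fd and /td pick SHA-256 digests; /tr timestamps the signature so it
    # stays valid after the certificate expires. Note the /p password is
    # visible in build logs; a cert in the Windows store selected with /n
    # avoids that for production release builds.
    add_custom_command(TARGET ${tgt} POST_BUILD
      COMMAND "${SIGNTOOL_EXECUTABLE}" sign /fd SHA256
              /f "${CODESIGN_WINDOWS_PFX}" /p "${CODESIGN_WINDOWS_PFX_PASSWORD}"
              /tr "${CODESIGN_TIMESTAMP_URL}" /td SHA256
              "$<TARGET_FILE:${tgt}>"
      COMMENT "Authenticode-signing ${tgt}" VERBATIM)
  elseif(APPLE)
    find_program(CODESIGN_EXECUTABLE codesign)
    if(NOT CODESIGN_EXECUTABLE OR NOT CODESIGN_APPLE_IDENTITY)
      message(WARNING "sign_target: codesign or identity missing; ${tgt} left unsigned")
      return()
    endif()
    # --timestamp uses Apple's default timestamp service; --force replaces
    # any ad-hoc signature the linker may already have applied.
    add_custom_command(TARGET ${tgt} POST_BUILD
      COMMAND "${CODESIGN_EXECUTABLE}" --force --timestamp
              --sign "${CODESIGN_APPLE_IDENTITY}" "$<TARGET_FILE:${tgt}>"
      COMMENT "codesign-ing ${tgt}" VERBATIM)
  endif()
endfunction()
```

Usage in a project's CMakeLists.txt would be `sign_target(myapp)` after `add_executable(myapp ...)`; a CPack-produced installer still needs a separate signing step on the final package, which this helper does not cover.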