Opened 10 years ago
Closed 8 years ago
#12853 closed defect (obsolete)
no automatic validation of extension packs
| Reported by: | hugh2 | Owned by: | |
|---|---|---|---|
| Component: | other | Version: | VirtualBox 4.3.8 |
| Keywords: | security | Cc: | |
| Guest type: | all | Host type: | all |
Description
Ideally the extension packs would be digitally signed like the main installer binary, with the signature checked by the main program when downloading a new extpack. (it wouldn't enforce a signature for a local file - you might want to write your own extpack)
If that is too hard it would at least be a big improvement to download them via https instead of http. At present download.virtualbox.org doesn't support https, and if you put https in front of dlc.sun.com.edgesuite.net it gives a certificate error.
Currently if you want to validate an extension pack you have to
- cancel the dialog that asks to update the extension pack
- open a web browser
- hunt around for the latest extpack (unless you can copy the URL from the dialog?)
- download it by http
- locate a hashing tool
- calculate the extpack's hash
- manually compare hash with that published on the website
- finally, if satisfied, manually install the extpack
Change History (2)
comment:1 by , 10 years ago
comment:2 by , 8 years ago
| Resolution: | → obsolete |
|---|---|
| Status: | new → closed |
Please reopen if still relevant with a recent VirtualBox release.
Note:
See TracTickets
for help on using tickets.
This is definitely a problem. Unfortunately the download server is currently not capable of providing the https protocol (work is going on to fix that). And yes, checking a package signature would be another option but is also not trivial, especially to get this working for all 4 supported hosts. I hope that the download server will be fixed during the next few months.