PSA: Release hash changed! Publishing infrastructure compromise?

Can someone tell me why the sha256sum hash of phplist-3.6.14.zip just suddenly changed from 9e17cb15dd75bbbd5dbb984eda674863c3b10ab72613cf8a39a00c3e11a8492a to 938e9bdb64d8c042a04192e1fca42814d906e715ec9c2726756425a1be7e0791?

Because phpList still doesn’t sign its releases, users (like me!) do not have a way to authenticate the releases that we download before installing them on our servers.

My harm-reduction approach to minimize the risk of downloading something malicious when upstream doesn’t sign their releases is to follow a process of 3TOFU:

  1. On day #1, I download the release in TAILS (over Tor) and write down the checksum
  2. The next day, I download the release in a fresh VM (over a VPN) and write down the checksum
  3. The next day, I download the release on my daily laptop (over ISP) and write down the checksum

If the checksum is identical on all three days, then I can be fairly certain that it's authentic (since it's trivial for many adversaries to MITM a TLS connection due to flaws in X.509, but the likelihood of executing this attack successfully on three distinct days on three distinct networks is near-zero).

Anyway, I finished my 3TOFU with the following hash of the latest phpList release:

9e17cb15dd75bbbd5dbb984eda674863c3b10ab72613cf8a39a00c3e11a8492a  phplist-3.6.14.zip

But when I went to download it on my server, I got a different hash!

938e9bdb64d8c042a04192e1fca42814d906e715ec9c2726756425a1be7e0791  phplist-3.6.14.zip

This is either an indication that someone at phpList has modified the release without notifying the community.

Or it’s an indication that someone has compromised the phpList publishing infrastructure and maliciously modified the release.

What happened here?
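A shell implementation of the 3TOFU procedure described in the post, added here as an example (it is not the original poster's code): it requires at least three recorded observations in sha256sum's own output format, refuses to produce a consensus when the observations disagree, and compares a fresh download against that consensus. The file names, record contents and "release" bytes used in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post: a 3TOFU consistency check.
# The record file uses sha256sum's "<hash>  <file>" format, one line per
# observation (one day, one network). Names and contents below are constructed.

# Print the single hash every observation agrees on; fail if they disagree.
tofu_consensus() {
    record="$1"
    n_obs=$(awk 'END {print NR}' "$record")
    [ "$n_obs" -ge 3 ] || { echo "need 3 observations, have $n_obs" >&2; return 1; }
    # Every line must carry a well-formed 64-hex-digit SHA-256 digest ...
    if grep -Eqv '^[0-9a-f]{64} [ *]' "$record"; then
        echo "malformed line in $record" >&2; return 1
    fi
    # ... name the same artifact ...
    n_names=$(awk '{print $2}' "$record" | sort -u | awk 'END {print NR}')
    [ "$n_names" -eq 1 ] || { echo "record mixes different file names" >&2; return 1; }
    # ... and agree on one digest.
    n_hashes=$(awk '{print $1}' "$record" | sort -u | awk 'END {print NR}')
    [ "$n_hashes" -eq 1 ] || { echo "observations disagree: $n_hashes distinct hashes" >&2; return 1; }
    awk 'NR == 1 {print $1}' "$record"
}

# Compare a freshly downloaded file against the 3TOFU consensus.
tofu_verify() {
    record="$1"; file="$2"
    expected=$(tofu_consensus "$record") || return 1
    actual=$(sha256sum "$file" | awk '{print $1}')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches consensus $expected"; return 0
    fi
    echo "MISMATCH: $file hashes to $actual, consensus was $expected" >&2
    return 2
}

# Constructed end-to-end run: a consistent record accepts the file, a
# tampered copy is rejected, and a dissenting observation yields no consensus.
tofu_demo() {
    d=$(mktemp -d) || return 1
    printf 'release contents (constructed)\n' > "$d/release.zip"
    h=$(sha256sum "$d/release.zip" | awk '{print $1}')
    for day in 1 2 3; do printf '%s  release.zip\n' "$h"; done > "$d/record.txt"
    tofu_verify "$d/record.txt" "$d/release.zip" || return 1
    printf 'extra byte' >> "$d/release.zip"
    tofu_verify "$d/record.txt" "$d/release.zip" 2>/dev/null && return 1
    printf '%064d  release.zip\n' 0 >> "$d/record.txt"
    tofu_consensus "$d/record.txt" 2>/dev/null && return 1
    rm -rf "$d"
}
```

In the situation from the post, the second download would land in the MISMATCH branch, which is exactly the signal to stop and ask upstream rather than install.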