How do I verify integrity of downloaded software?
Can anyone point me to checksums or signatures for official releases of firmware, drivers, and slicer? Is there any other way to verify that the software was not tampered with?
Don't get me wrong. I trust Josef Prusa to produce virus-free builds. However, when I download the software from the official website, the files come from a CDN (not Prusa), at least for me in Canada, and I don't trust CDNs. Most downloadable software these days comes with a way to verify its integrity.
I haven't seen checksums offered
I'm not aware of any checksums being provided by Prusa. It's a good idea. You might make a suggestion over on the Prusa GitHub page.
and miscellaneous other tech projects
He is intelligent, but not experienced. His pattern indicates two dimensional thinking. -- Spock in Star Trek: The Wrath of Khan
"However, when I download the software from the official website, the files come from a CDN (not Prusa), at least for me in Canada, and I don't trust CDNs."
I don't claim to be a web wizard, but that really doesn't sound right. I'd certainly do a malware scan IIWY. Failing that, try making CDN untrusted.
@towlerg
Malware scan only scans for malware known to the scanner at the time of scanning. There is malware out there that the scanner has not yet learnt about, and when it does, it will be too late. Thus, I don't want to rely on malware scanners.
Not sure how to make CDN untrusted, and what it would accomplish. Could you please elaborate on this point?
Found one way to verify integrity of downloaded Prusa software.
Prusa uploads its builds to GitHub. I downloaded a build from GitHub and compared it to the build from cdn.prusa3d.com. They were packaged somewhat differently but the core files were the same.
For the record, I'm talking about Linux builds here. The Windows builds must have an embedded signature, or Windows will show a nasty message when you try to install it. Never had a Mac, so I don't know how it works there.
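Added example, not part of the original thread and not Prusa's tooling: one way to script the comparison described in the last post, hashing every file in two extracted downloads with SHA-256 and matching them by content so that a different folder layout does not matter. The directory names, file names and contents in `demo()` are constructed sample data, and treating the GitHub copy as the reference is an assumption.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map SHA-256 digest -> relative paths for every regular file under root."""
    digests = {}
    root = Path(root)
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            h = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    h.update(chunk)
            rel = path.relative_to(root).as_posix()
            digests.setdefault(h.hexdigest(), []).append(rel)
    return digests


def compare_trees(reference, candidate):
    """Compare by content, so a different top-level folder or layout is ignored."""
    ref, cand = hash_tree(reference), hash_tree(candidate)
    return {
        "matched": sorted(p for d in cand if d in ref for p in cand[d]),
        "unmatched_in_candidate": sorted(p for d in cand if d not in ref for p in cand[d]),
        "missing_from_candidate": sorted(p for d in ref if d not in cand for p in ref[d]),
    }


def demo():
    """Constructed sample trees standing in for the two extracted downloads."""
    with tempfile.TemporaryDirectory() as tmp:
        gh, cdn = Path(tmp, "github"), Path(tmp, "cdn")
        (gh / "bin").mkdir(parents=True)
        (cdn / "pkg" / "bin").mkdir(parents=True)
        (gh / "bin" / "slicer").write_bytes(b"core binary")
        (gh / "README").write_bytes(b"readme v1")
        (cdn / "pkg" / "bin" / "slicer").write_bytes(b"core binary")
        (cdn / "pkg" / "README").write_bytes(b"readme v2")
        return compare_trees(gh, cdn)


if __name__ == "__main__":
    for key, paths in demo().items():
        print(key, paths)
```

Any path listed under `unmatched_in_candidate` has no byte-identical counterpart in the reference copy and is the file to inspect by hand.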