Hacker News new | ask | show | jobs
by kazinator 779 days ago
The problem is, the wrong party is doing the check (from a security point of view, not integrity).

When we download a script from a remote domain we don't trust, we have to validate its checksum against the known one; we can't leave that to the script, which we don't trust.
2 comments
joshspankit 778 days ago
In this case we’re specifically talking about the possibility of a truncated script from a trusted source
link
kevincox 779 days ago
99% of the time you are downloading from a domain that you do trust. This check is to detect corruption, not malice.

But yes, if you were downloading from an untrusted mirror you would want to check the signature or trusted hash before running the script at all.

link