
Provide sha256 checksums for downloads and Sign Windows installer package

    • We collect Confluence feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

      NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion.

      We should add sha256 checksums for Confluence downloads and the Windows installer should have the certificate used to sign it updated as it is expired.

            [CONFSERVER-25687] Provide sha256 checksums for downloads and Sign Windows installer package

            Johan Pereira added a comment -

            Is this currently included or is it still discarded like a somehow picky request?
            Basic download checksums are, as you can see in the historic comments, highly requested.

            Is the product vision including adaptability to cybersecurity standards and policies such as 27001 (to which file checksums are supportive)?

            In case feature releases are a consequence of a voting system (pretty much a sales-driven feature factory), let us know so we can gather tons of votes instead of requesting it by giving you a nudge about its usefulness.

            +1

            Kiran Srinivas (Inactive) added a comment -

            https://getsupport.atlassian.com/browse/GHS-179655 Another request from Jira customer

            Amanda Morton added a comment -

            We are also getting pushback from our security on this issue on all of our instances. Please incorporate this feature.

            Best,

            Amanda

            Gaj Umapathy added a comment -

            Atlassian,

            We are being chased by security on this. Any update is appreciated.

            Cheers,

            Gaj

            Funet CERT added a comment -

            It is standard procedure to review checksums of any downloads before you install and use them. But as there are no checksums available, you should not download or test these possibly malicious products. There is no good reason not to provide the proof of authenticity. And even if you might trust Atlassian's end, the downloaded package could get exploited or get broken in transit. This is not the way you should provide binaries for your customers. So sad.

            GÉANT IT added a comment - edited

            Hi, I just noticed that the issue title has been changed so that it narrows down to "Sign Windows installer package" (not sure what that exactly means btw).
            Please change it back as the issue does apply to ALL downloads.

            Thanks!

            Adam Barnes (Inactive) added a comment -

            Hi all, just a quick update, this is something which we intend to address in the near future. Keep Watching for updates.

            Matjaž Antloga - BalkanCloud IT added a comment -

            100% agree with Stefan.

            Dear Atlassians, can you please stop ignoring your paying customers and provide cryptographically signed downloads?

            Stefan added a comment -

            This issue is 5 years old.

            It seems no one is working on this. Does this issue get any attention from your side?

            Dear Atlassians, can you please stop ignoring your paying customers and provide cryptographically signed downloads?

              Unassigned Unassigned
              aconde Alejandro Conde Carrillo (Inactive)
              Votes: 81
              Watchers: 62