Topic: Are xmrig downloads checksum available? (Read 240 times)

legendary
Activity: 3808
Merit: 1723
November 23, 2019, 01:25:25 AM
#13
Generally what people do is they post the checksum in their official thread from the official username. This might be tedious however since with every small update they would need to post a new checksum every time.

So a better approach is to include their PGP which is hosted somewhere safe like some University website or some other location other than where the software is downloaded from.

I don't think Claymore will start doing this however. I've asked him for years and the furthest I've gone with his request was that I took the SHA256Sum of his package and he just verified in a post that it was indeed the same checksum and that was it.
newbie
Activity: 1
Merit: 0
November 22, 2019, 03:00:22 PM
#12
The author of XMRig posts on Twitter, he could add the checksum for each new version there at the time of announcement...
It's not possible to include checksums in a Twitter post, simply because they are too big.
newbie
Activity: 36
Merit: 0
November 22, 2019, 01:54:34 AM
#11
The author of XMRig posts on Twitter, he could add the checksum for each new version there at the time of announcement...
member
Activity: 116
Merit: 66
November 21, 2019, 07:45:02 AM
#10
You are right on this. But a safer way could be to publish the checksums on a different web server... For example github for the executables and the project site for the checksums. This is not 100% safe, but it requires two different servers to be violated concurrently.
There is a PGP signature available and the key is also published on a separate site: https://xmrig.com/docs/gpg-key
I think it's safe enough unless both github account and the web-site are hacked.
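
The verification flow discussed in this thread (a PGP-signed list of SHA-256 hashes, with the signing key published on a separate site), as an added example that is not part of any post and not XMRig's own tooling. The file names `SHA256SUMS` and `SHA256SUMS.sig`, the fingerprint argument, and GNU `sha256sum` and `gpg` being installed are assumptions.

```shell
# Added example. Function names are hypothetical; the fingerprint must be
# obtained out of band (e.g. from the separately hosted key page).

# Step 1: authenticate the manifest. Succeeds only if the signature is valid
# AND was made by the expected key (40 hex chars, upper case, no spaces).
# usage: verify_manifest_sig SHA256SUMS SHA256SUMS.sig FINGERPRINT
verify_manifest_sig() {
    gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        grep "^\[GNUPG:\] VALIDSIG " | grep -qw "$3"
}

# Step 2: compare the download against the (now trusted) manifest.
# Fails closed: the file must be listed exactly once, and the hash must match.
# Returns 0 = match, 1 = mismatch, 2 = not listed / ambiguous, 3 = unreadable.
# usage: check_against_manifest SHA256SUMS FILE
check_against_manifest() {
    local manifest file name expected actual
    manifest=$1
    file=$2
    name=$(basename -- "$file")
    # Manifest lines: 64 hex chars, a space, " " or "*" (binary mode), the name.
    expected=$(awk -v n="$name" '
        { sub(/\r$/, "") }
        length($0) > 66 && substr($0, 65, 1) == " " && substr($0, 67) == n {
            h = tolower(substr($0, 1, 64))
            if (h !~ /[^0-9a-f]/) { print h; found++ }
        }
        END { exit (found == 1 ? 0 : 1) }' "$manifest") || {
        echo "FAIL: $name is not listed exactly once in $manifest" >&2
        return 2
    }
    actual=$(sha256sum -- "$file") || return 3
    actual=${actual%% *}
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name"
    else
        echo "FAIL: $name does not match the manifest" >&2
        return 1
    fi
}

# Typical order (run step 2 only if step 1 succeeds):
#   verify_manifest_sig SHA256SUMS SHA256SUMS.sig "$FPR" &&
#       check_against_manifest SHA256SUMS ./downloaded-archive
```

A matching hash only proves the file is the one the manifest describes; the signature check against a key fetched from a different host is what ties the manifest to the publisher.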
hero member
Activity: 1442
Merit: 578
November 21, 2019, 07:28:28 AM
#9
There's not much sense in checksums on the github page itself, if the files were to be changed by an unauthorized person then he has access as well to the page with checksums, which he will surely *update* ;)
Signatures could be stolen too.

You are right on this. But a safer way could be to publish the checksums on a different web server... For example github for the executables and the project site for the checksums. This is not 100% safe, but it requires two different servers to be violated concurrently.

The only sure way is to check the whole code I assume... little paranoid, but if you want to be 100% sure...

Imagine if the dev computer that he works on was infected and even he didn't know that an unauthorized person added some code, he would then generate checksums for infected files without even knowing it.

Welcome to the world of Paranoia ;)

I hope that big projects could do a lot of beta testing... can't see another way to work on this kind of issue.

member
Activity: 116
Merit: 66
November 21, 2019, 05:05:10 AM
#8
XMRig has also added a PGP signature to verify SHA256 hashes for the 5.0.1 release today.
sr. member
Activity: 861
Merit: 281
November 21, 2019, 03:33:51 AM
#7
I am guessing that unlike wallets which keep private keys, most people run the software on a dedicated mining rig which does nothing but mine. So there are no private keys or anything. However there are people that mine with their personal computer that they use on a daily basis and they would like assurances that it's not malware.

That is true. When the news came about the wallets being malicious at the getmonero website, I was really concerned as I just set up the wallet hours ago in my personal rig with Ryzen 1700 to be ready when the algorithm transition hits. I was safe as I downloaded the binaries directly from the GitHub page and the hash matched but I cannot imagine how much damage it could have caused instead.

For some weird reason, many of the miner software almost never has any type of checksum or signatures available. It's been like this for years and no idea why. It looks like you were provided the checksum for XMRIG however many software like Claymore's is never available.

I've posted this on the official Claymore threads and I kept telling the guy to "Please post checksum or your signature so we can verify the download". And he usually never replied to my post. It became an issue because his downloads started getting flagged as viruses and you couldn't tell if it was a false positive or not. But he still wouldn't post the checksum. No idea why.

I hope that everyone does follow this whenever they upload their new software may it be a miner, an OS image or anything as it makes it so much easier to verify that you have the authentic file and also to download directly from GitHub or compile the software on your own.
legendary
Activity: 3808
Merit: 1723
November 20, 2019, 11:03:05 PM
#6
For some weird reason, many of the miner software almost never has any type of checksum or signatures available. It's been like this for years and no idea why. It looks like you were provided the checksum for XMRIG however many software like Claymore's is never available.

I've posted this on the official Claymore threads and I kept telling the guy to "Please post checksum or your signature so we can verify the download". And he usually never replied to my post. It became an issue because his downloads started getting flagged as viruses and you couldn't tell if it was a false positive or not. But he still wouldn't post the checksum. No idea why.

I am guessing that unlike wallets which keep private keys, most people run the software on a dedicated mining rig which does nothing but mine. So there are no private keys or anything. However there are people that mine with their personal computer that they use on a daily basis and they would like assurances that it's not malware.
hero member
Activity: 1442
Merit: 578
November 20, 2019, 07:56:27 AM
#5

...

You're welcome!
I think you may have heard about the latest cli precompiled monero wallets being malicious in the getmonero website.
Someone found out that the checksum for the wallet downloaded from the website wasn't the same and it contained malware.
Source: https://amp.reddit.com/r/Monero/comments/dyfozs/security_warning_cli_binaries_available_on/

I never did the verification for the files but now I feel like it's a mandatory step to take if you download any software from the internet.

Yes, I've heard about the latest precompiled monero wallets... that's why I started searching for the xmrig checksum.

Two days ago I didn't download the monero wallet, but I downloaded the new version of xmrig... so after reading of the problems with the monero wallet I wanted to verify my xmrig downloaded files and couldn't find the checksum, so I started this topic.

Anyhow, my downloaded xmrig build checksum is OK!

sr. member
Activity: 861
Merit: 281
November 20, 2019, 04:54:41 AM
#4

Thanks for your reply.

Now I can see the sha256 hash too. A few hours ago, when I posted the first message the hash list wasn't there, as for older releases that are still without hash checksum. Probably they added it later. I don't know if the developer has read my post or if someone else made this request... Anyhow this is good for XMRig.

You're welcome!
I think you may have heard about the latest cli precompiled monero wallets being malicious in the getmonero website.
Someone found out that the checksum for the wallet downloaded from the website wasn't the same and it contained malware.
Source: https://amp.reddit.com/r/Monero/comments/dyfozs/security_warning_cli_binaries_available_on/

I never did the verification for the files but now I feel like it's a mandatory step to take if you download any software from the internet.
hero member
Activity: 1442
Merit: 578
November 19, 2019, 02:34:00 PM
#3
Well, it is available in their Github repository itself.
Please check if the browser that you are using is able to display it as I had really no issues finding the SHA-256 checksum for the files.

....


Thanks for your reply.

Now I can see the sha256 hash too. A few hours ago, when I posted the first message the hash list wasn't there, as for older releases that are still without hash checksum. Probably they added it later. I don't know if the developer has read my post or if someone else made this request... Anyhow this is good for XMRig.
sr. member
Activity: 861
Merit: 281
November 19, 2019, 01:41:04 PM
#2
Well, it is available in their Github repository itself.
Please check if the browser that you are using is able to display it as I had really no issues finding the SHA-256 checksum for the files.
Here take a look:
hero member
Activity: 1442
Merit: 578
November 19, 2019, 09:52:24 AM
#1

I would like to verify the file integrity of the downloaded xmrig precompiled builds. I'm talking about the files that can be downloaded from the official xmrig github. I don't know where to find the official checksum of those files, I've looked both on github (https://github.com/xmrig/xmrig/releases) and on (xmrig.com) but couldn't find anything.

Anybody know if the checksums are published and where to find them?

Thank you.