View Full Version : Possibly provide a checksum for the SuperDuper download?


ReddSmith
06-19-2007, 08:50 PM
Can Shirt-Pocket possibly provide a checksum, such as a SHA-1 digest, for the SuperDuper! download disk image file? This would be for individuals who want to verify the authenticity of the file, so that they can be reasonably sure the file was "not fooled around with" either on your server, or in-transit, or on their own computer. I notice Apple provides a SHA-1 digest for some support downloads.

dnanian
06-19-2007, 09:55 PM
I'll see what I can do, Redd. In general, though, our users wouldn't have any idea how to use a checksum...

ReddSmith
06-19-2007, 11:56 PM
The type of folks who have discovered and are considering SuperDuper! may be more knowledgeable than you think, but yes, not everyone would appreciate the value of a checksum. The fact that Apple supplies a SHA-1 digest for public downloads indicates they appreciate it, so maybe we should too. At least it appeals to me, as someone who has spent too many years using Winders, where the security vendors scare us into a spyware/malware mindset. Regarding the presentation of the info, here is a cut-and-paste example from an Apple update. Perhaps you could include the same references/links for the "About..." and "How to Verify..." to satisfy the educational and instructional requirements:

Security Update 2007-005 v1.1 (Universal) SHA1 Digest:
SecUpd2007-005Univ.dmg=
539f872ac444dc707d73991a914c58ed32d51677

25490: "Mac OS X: About SHA-1 Digest and Software Downloads"
http://www.info.apple.com/kbnum/n25490

75510: "Mac OS X: How to Verify a SHA-1 Digest"
http://www.info.apple.com/kbnum/n75510
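
The check ReddSmith describes, as an added example that is not part of the original post and not Apple's or Shirt-Pocket's code: parse a digest published in the layout quoted above, hash the downloaded file, and compare. The function names and the stand-in `Example.dmg` file are constructed for the illustration.

```python
import hashlib
import hmac
import os
import re
import tempfile

# Digest text laid out as in the post: "<file name>=" followed by 40 hex digits.
PUBLISHED = """Security Update 2007-005 v1.1 (Universal) SHA1 Digest:
SecUpd2007-005Univ.dmg=
539f872ac444dc707d73991a914c58ed32d51677
"""

def parse_published(text):
    """Return {file name: lowercase SHA-1 hex} for each 'name=' / digest pair."""
    pairs = re.findall(r"^\s*(\S+?)\s*=\s*([0-9A-Fa-f]{40})\s*$", text, re.M)
    return {name: digest.lower() for name, digest in pairs}

def sha1_of_file(path, chunk_size=1 << 20):
    """Hash in chunks so a large disk image is never held in memory at once."""
    h = hashlib.sha1()  # the algorithm the post quotes
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_download(path, published_text):
    """True only if a digest is published under this file name and it matches."""
    expected = parse_published(published_text).get(os.path.basename(path))
    if expected is None:
        return False  # nothing published for this name: treat as unverified
    return hmac.compare_digest(sha1_of_file(path), expected)

def demo():
    """Constructed stand-in file, checked intact and again after a one-byte change."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "Example.dmg")  # constructed name and contents
        with open(path, "wb") as f:
            f.write(b"constructed disk image bytes\n" * 1000)
        published = "Example.dmg=\n" + sha1_of_file(path) + "\n"
        intact = verify_download(path, published)
        with open(path, "r+b") as f:  # overwrite one byte in place
            f.seek(10)
            f.write(b"X")
        tampered = verify_download(path, published)
    return intact, tampered

if __name__ == "__main__":
    print(parse_published(PUBLISHED))
    print(demo())  # (True, False)
```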

dnanian
06-20-2007, 08:19 AM
I'll consider it, Redd. Thanks again for the suggestion.

Timmy
06-23-2007, 01:30 PM
One thing that I never understood about providing a hash for software distribution verification is: If an attacker is able to gain access to the distribution servers and modify the application distribution, then doesn't it stand to reason that they could also replace the webpage or file that gives the hash string with a modified hash of the altered distribution...?

What am I missing here?

dnanian
06-23-2007, 01:37 PM
You're absolutely right, Timmy: it's something I've wondered about myself.

ReddSmith
06-25-2007, 12:04 PM
Posting the checksum might also require a note/disclaimer that this method provides a "reasonable" (or even a "high probability") means of verification, but is not a guarantee. I don't know that you could quantify the terms "reasonable" or "high probability", other than that they mean "better than nothing".

Any further steps would add to the Shirt-Pocket personnel task list. For example, they check their web site at least daily to verify the posted checksums. Or develop a process where the user optionally supplies his email address at the time of download; this will cause a checksum to be dynamically generated from the production library authentic copy of the file and sent to the user, bypassing problems from web page hacking.

Timmy
06-25-2007, 05:44 PM
ReddSmith, you mentioned having experience with Windows.
Is there an app like SuperDuper that you can recommend for copying an entire volume (Windows system files, application files, user files, etc.)?

SuperDuper lets us make a 'bootable' clone to an external drive which can actually be used to boot the system.
Does this concept exist for XP/Vista?

ReddSmith
06-25-2007, 08:34 PM
Your question is a little off-topic from checksums, but for your info, I use Norton Ghost from Symantec Corporation. Among the many features is the ability to "copy a drive" (think "volume" in Mac terminology) which will create a bootable clone. One site from which you might start your Ghost education is http://nortonghost.radified.com/ . Now, I hope we won't be banned from the SuperDuper! board.

dnanian
06-25-2007, 08:36 PM
Why would you be banned? No problem answering a question like that.

Timmy
06-26-2007, 04:43 PM
> Your question is a little off-topic from checksums, but for your info, I use Norton Ghost from Symantec Corporation. Among the many features is the ability to "copy a drive" (think "volume" in Mac terminology) which will create a bootable clone. One site from which you might start your Ghost education is http://nortonghost.radified.com/

Thanks much for the info.
I also see that Acronis True Image is recommended by some other posters in the forum.
I don't actually use Windows yet, but I'm actually thinking of (gasp) switching!

> Now, I hope we won't be banned from the SuperDuper! board.

Heh!
I doubt Dave will ban us for being off-topic, but he might ban me for talking about switching... :eek:

egis
12-03-2009, 06:27 PM
Given that Time Machine is causing headaches for lots of users (see MacInTouch and other Mac sites), I bring up this thread from 2007. I use Time Machine via a Time Capsule and I also back up to a separate external HD via SuperDuper.
It would really be effective if SuperDuper provided a way to schedule a backup to copy only selected files and folders rather than copy an entire volume as a volume or a disk image. It would also be great to have checksums generated in the log file from the backups so I can compare them to the original files in case of silent data corruption.

It seems from the thread that these are general feature requests that more expert users could readily use, so I hope we might resurrect this and see it appear in a future release.

If you have in fact provided these capabilities, I would like to know how I access them.

thanks

EGIS
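
What egis asks for above, as an added sketch that is not a SuperDuper! feature and not code from this thread: record a SHA-256 manifest at backup time and re-check the backup against it later. The tree, file names and function names are constructed; the demo also reports that the altered file keeps its size and modification time, which is why the content hash is what notices it.

```python
import hashlib
import os
import shutil
import tempfile

def sha256_of_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_of_file(full)
    return manifest

def compare(logged, current):
    """Return (missing, extra, changed) relative paths, each sorted."""
    missing = sorted(logged.keys() - current.keys())
    extra = sorted(current.keys() - logged.keys())
    changed = sorted(p for p in logged.keys() & current.keys() if logged[p] != current[p])
    return missing, extra, changed

def demo():
    """Constructed tree: corrupt one byte of the copy, keeping size and timestamps."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = os.path.join(tmp, "src"), os.path.join(tmp, "backup")
        os.makedirs(os.path.join(src, "docs"))
        for rel, data in (("a.txt", b"alpha\n"), ("docs/b.txt", b"bravo\n")):
            with open(os.path.join(src, rel), "wb") as f:
                f.write(data)
        shutil.copytree(src, dst)
        logged = build_manifest(src)  # what a backup log would record
        victim = os.path.join(dst, "a.txt")
        before = os.stat(victim)
        with open(victim, "r+b") as f:
            f.write(b"A")  # "alpha" becomes "Alpha": same length
        os.utime(victim, ns=(before.st_atime_ns, before.st_mtime_ns))
        after = os.stat(victim)
        same_meta = (after.st_size, after.st_mtime_ns) == (before.st_size, before.st_mtime_ns)
        return same_meta, compare(logged, build_manifest(dst))

if __name__ == "__main__":
    print(demo())  # (True, ([], [], ['a.txt']))
```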

dnanian
12-03-2009, 06:31 PM
I have no plans to add checksums, EGIS, sorry... checksumming a million files every time you back up seems impractical and time consuming. Keeping multiple backups of any important data is a more reasonable approach, I think, on a redundant device (e.g. RAID, Drobo, etc).

You can certainly back up selected files by writing a copy script if you want. I encourage you to back everything up, though.