Provide hashes for developer tools downloads
| Originator: | neocool2 | | |
| Number: | rdar://22799322 | Date Originated: | 22-Sep-2015 02:28 PM |
| Status: | Closed | Resolved: | |
| Product: | Developer Tools | Product Version: | any |
| Classification: | Security | Reproducible: | Always |
Summary: Currently, we have no way to check the integrity of any developer tools downloaded from apple.com. In lieu of things like XcodeGhost (http://arstechnica.com/security/2015/09/apple-scrambles-after-40-malicious-xcodeghost-apps-haunt-app-store/), there should be a list of strong cryptographic hashes for all developer tools downloads. This list should be signed with Apple’s PGP key (https://www.apple.com/support/security/pgp/).

Steps to Reproduce: Download anything from the developer portal.

Expected Results: Developers should be able to verify the integrity of the download in a cryptographically secure manner.

Actual Results: We assume everything is fine. ¯\_(ツ)_/¯

Regression: -

Notes: -
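What the requested check could look like on the developer's side, as an added example that is not part of the original report and not Apple's tooling. It assumes a hypothetical manifest in `sha256sum` format ("HEXDIGEST  filename") whose PGP signature has already been verified; the file name `Tools.dmg` and all sample data are constructed.

```python
import hashlib
import hmac
import io

def parse_manifest(text):
    """Parse 'HEXDIGEST  filename' lines (sha256sum format) into a dict."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")  # '*' marks binary mode in sha256sum output
        digest = digest.lower()
        # Accept only full-length SHA-256 hex; reject MD5/SHA-1 sized values.
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"line {lineno}: not a SHA-256 digest")
        if not name or name in entries:
            raise ValueError(f"line {lineno}: missing or duplicate file name")
        entries[name] = digest
    return entries

def sha256_stream(fileobj, chunk_size=1 << 20):
    """Hash a file object in chunks so multi-gigabyte images are not loaded whole."""
    h = hashlib.sha256()
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()

def verify_download(name, fileobj, manifest_text):
    """Return True only if `name` is listed and its digest matches; fail closed."""
    expected = parse_manifest(manifest_text).get(name)
    if expected is None:
        return False  # an unlisted file is treated as unverified, not as fine
    return hmac.compare_digest(sha256_stream(fileobj), expected)

# Constructed sample data: a stand-in payload and the manifest a vendor would publish.
GOOD = b"constructed stand-in for a developer tools disk image"
MANIFEST = f"# constructed manifest\n{hashlib.sha256(GOOD).hexdigest()}  Tools.dmg\n"

if __name__ == "__main__":
    print(verify_download("Tools.dmg", io.BytesIO(GOOD), MANIFEST))            # genuine
    print(verify_download("Tools.dmg", io.BytesIO(GOOD + b"\x00"), MANIFEST))  # altered
```

The hash comparison only proves the file matches the manifest; the trust comes from verifying the manifest's signature against the vendor's published key first.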
Comments
Please include the line below in follow-up emails for this request.
Follow-up: 631460032
Hello,
The following article should help to answer your question:
https://developer.apple.com/news/?id=09222015a