
How can I verify the Unity editor that I've download?

Discussion in 'Getting Started' started by rdjig, Feb 2, 2015.

  1. rdjig

    rdjig

    Joined:
    Sep 4, 2013
    Posts:
    1
    Hi there,

    Just getting started with Unity and quite enjoying watching the tutorials so far. Everything is very well documented and the community seem quite helpful.

    On downloading 4.6.2 for OS X I was hoping there would be a shasum or at least an https endpoint to download Unity builds. Currently clicking download only sends me to "http://netstorage.unity3d.com/unity/unity-4.6.2.dmg". I tried swapping it with 'https' but it seems their certs are not valid. I'm not really a big fan of installing software that requires my admin password without being able to verify at some level.

    What do people who have the OS X version of 4.6.2 get when they run:

    Code (bash):
    openssl sha1 unity-4.6.2.dmg
    I've done a bit of searching around the documentation and community areas, but have been unable to find an answer. Apologies if I've totally missed something obvious.

    Thanks!
     
  2. LunaticEdit

    LunaticEdit

    Joined:
    May 1, 2014
    Posts:
    60
    You do realize dmg files themselves are typically digitally signed, right? I'm assuming the Unity ones are too. Assuming you have the latest version of OSX, it will straight up prevent you from running unsigned dmg files unless you shift-right-click and click open.

    http://support.apple.com/en-us/HT202491

    Also...

    Https does not ensure your file download is legit. It only ensures your connection to the download cannot be snooped/spoofed from ~most~ sources.

    Sha1 does not ensure your file download is legit. It only ensures you got the same file as the person whose sha1 you're comparing to. If they have a virus and release an infected build, your SHA1 will match, including said virus.

    All in all, if you're this concerned about downloading a game development system without getting something bad, you're either being paranoid for no reason, or are doing a lot of illicit things and are wary of unwanted attention, as no government (the guys who can hijack any of the above measures) is going to waste their time modifying unity installer files.

    Download the file, take a deep breath, and enjoy. You're far more likely to get infected on youtube.com than you are on here.
     
    Last edited: Feb 3, 2015
  3. boolfone

    boolfone

    Joined:
    Oct 2, 2014
    Posts:
    289
    I get:

    SHA1(unity-4.6.2.dmg)= 5ecf137ad7c51e4260df9ca28220dd0195e78def

    Also, it appears to be 1809900084 bytes.
     
  4. Aurore

    Aurore

    Director of Real-Time Learning

    Joined:
    Aug 1, 2012
    Posts:
    3,106
    netstorage.unity3d.com is most definitely ours.

    As long as you always download Unity from our site, you're safe.
     
  5. BadPractice

    BadPractice

    Joined:
    Dec 7, 2013
    Posts:
    8
    @rdjig:
    Thank you so much just for asking that question. Just to see that I am not the only person who gives a **** about security in the age of cyberwar helps my sanity!

    @Aurore:
    Your link has an invalid HTTPS certificate. Just because the server is hosted by Unity does not mean it's safe to download. See TCP/IP hijacking https://en.wikipedia.org/wiki/IP_hijacking

    I am not speaking hypothetically here! The lack of package validation on development tools has led to considerable security breaches in the past. See http://variety.com/2015/digital/new...-infected-apps-from-the-app-store-1201598650/

    Either fix that certificate or host hashes (sha1, not md5) somewhere where the HTTPS certificate checks out. Even better would be if you signed downloads with a gpg key and hosted it on key servers.
     
  6. Kiwasi

    Kiwasi

    Joined:
    Dec 5, 2013
    Posts:
    16,860
    Posting in the forums is also likely to be a vector for infection. You probably shouldn't do that any more

    :p
     
  7. Ryiah

    Ryiah

    Joined:
    Oct 11, 2012
    Posts:
    21,203
  8. BadPractice

    BadPractice

    Joined:
    Dec 7, 2013
    Posts:
    8
    @Ryiah
    Security breaches like that happen all the time. I don't know why everyone thinks it can't happen to Unity3d (which has FAR less protection than Linux Mint).

    I'm not asking for something crazy paranoid here. It's state-of-the-art package verification!
     
  9. BadPractice

    BadPractice

    Joined:
    Dec 7, 2013
    Posts:
    8
    No it is not. If you can't tell the difference in security between
    • visiting a forum through HTTPS
    and
    • running random executables on your system you never bothered to check whatsoever
    I pity you!

    You are developing for customers! If you don't care about your customers' security, fine! Just stop harassing people who try to create reputable software.
     
  10. Ryiah

    Ryiah

    Joined:
    Oct 11, 2012
    Posts:
    21,203
    Wouldn't more secure OSes (I'm primarily thinking Linux here but it might include OS X) pretty much eliminate the threat?
     
  11. BadPractice

    BadPractice

    Joined:
    Dec 7, 2013
    Posts:
    8
    Well not exactly.

    Linux and OS X have built-in package stores where you can get like 99% of the software you want (free and paid). Everything you download from there is automatically verified and completely secure.

    However for the last 1% of software (unity3d fits in here) you have to browse the www just like a Windows user. Everything you download here is not secure! Although Linux/OS X provides really handy tools to verify this, you still have to do it by hand.

    Doing so usually means:
    • Generating a string with a hashing algorithm such as SHA (boolfone for example posted one earlier)
    • Looking on the developers homepage for a hash string (make sure to use HTTPS)
    • Compare the strings
    If they are identical it means your executable is the same as the developer WANTED to give you. No one tinkered around on it, it's verified and secure.

    If that is not enough security for you (it is for me) there is also the possibility to sign hash values with asymmetric encryption (such as gpg), but let's stop here. This is advanced.

    Now my problem is: Unity3d does not provide hash sums for their downloads. I can't verify if the version I have received is a legit version of Unity.
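The three-step check described in the post above (hash the downloaded file, fetch the published hash over HTTPS, compare the two), written out as an added POSIX shell example. It is not code from the thread or from Unity. The sample files are constructed locally, and `SAMPLE_SHA1`/`SAMPLE_SHA256` are the known digests of that constructed content, standing in for the values you would copy from a vendor's HTTPS download page; `file_digest`, `file_size`, `verify_download` and `make_sample_files` are names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the thread): verify a downloaded installer against a
# digest published over HTTPS. Sample files below are constructed; the digests
# are the known SHA-1/SHA-256 of the string "hello", not of any real Unity build.

# Print the hex digest of file $1 using algorithm $2 ("sha1" or "sha256").
# Tries coreutils (sha1sum/sha256sum), then shasum (macOS), then openssl,
# which is the tool the thread used ("openssl sha1 unity-4.6.2.dmg").
file_digest() {
    if command -v "${2}sum" >/dev/null 2>&1; then
        "${2}sum" "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a "${2#sha}" "$1" | awk '{print $1}'
    else
        openssl dgst "-$2" -r "$1" | awk '{print $1}'
    fi
}

# Size of file $1 in bytes; the thread also compared sizes (1809900084 bytes).
# A size match is only a sanity check, never a substitute for the digest.
file_size() {
    wc -c < "$1" | tr -d ' '
}

# Compare file $1 against published hex digest $2 using algorithm $3.
# Returns 0 when they match, 1 otherwise. Hex comparison is case-insensitive.
verify_download() {
    actual=$(file_digest "$1" "$3" | tr 'A-F' 'a-f')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ -n "$actual" ] && [ "$actual" = "$expected" ]; then
        echo "OK: $1 $3=$actual"
        return 0
    fi
    echo "MISMATCH: $1 $3=$actual expected=$expected" >&2
    return 1
}

# Create two constructed files in a temp dir and print the dir:
# sample.dmg contains "hello"; tampered.dmg differs by a single byte.
make_sample_files() {
    dir=$(mktemp -d)
    printf '%s' 'hello' > "$dir/sample.dmg"
    printf '%s' 'hellO' > "$dir/tampered.dmg"
    echo "$dir"
}

# Known digests of "hello" (constructed sample values, standing in for the
# hashes a vendor would publish on an HTTPS page).
SAMPLE_SHA1=aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d
SAMPLE_SHA256=2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824

# Demo run: the genuine file passes both checks, the tampered copy is rejected.
d=$(make_sample_files)
echo "size: $(file_size "$d/sample.dmg") bytes"
verify_download "$d/sample.dmg" "$SAMPLE_SHA1" sha1
verify_download "$d/sample.dmg" "$SAMPLE_SHA256" sha256
verify_download "$d/tampered.dmg" "$SAMPLE_SHA1" sha1 || echo "tampered copy rejected as expected"
rm -rf "$d"
```

The digest you compare against has to come from a channel independent of the download itself (the HTTPS page the post mentions, or a signed release file); a hash served over the same plain HTTP path as the installer only proves the file arrived intact, not that it is the one the developer published.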