Search Unity

  1. Calling all beginners! Join the FPS Beginners Mods Challenge until December 13.
    Dismiss Notice
  2. It's Cyber Week at the Asset Store!
    Dismiss Notice

How can I verify the Unity editor that I've download?

Discussion in 'Getting Started' started by rdjig, Feb 2, 2015.

  1. rdjig

    rdjig

    Joined:
    Sep 4, 2013
    Posts:
    1
    Hi there,

    Just getting started with Unity and quite enjoying watching the tutorials so far. Everything is very well documented and the community seem quite helpful.

    On downloading 4.6.2 for OS X I was hoping there would be a shasum or at least an https endpoint to download Unity builds. Currently clicking download only send me to "http://netstorage.unity3d.com/unity/unity-4.6.2.dmg" I tried swap it with 'https' but it seems their certs are not valid. I'm not really a big fan of installing software that requires my admin password without being able to verify at some level.

    What do people who have the OS X version of 4.6.2 get when they run:

    Code (bash):
    1. openssl sha1 unity-4.6.2.dmg
    I've done a bit of searching around the documentation and community areas, but have been unable to find an answer. Apologies if I've totally missed something obvious.

    Thanks!
     
  2. LunaticEdit

    LunaticEdit

    Joined:
    May 1, 2014
    Posts:
    59
    You do realize dmg files themeselves are typically digitally signed, right? I'm assuming the unity ones are too. Assuming you have the latest version of OSX, it will straight up prevent you from running unsigned dmg files unless you shift-right-click and click open.

    http://support.apple.com/en-us/HT202491

    Also...

    Https does not ensure your file download is legit. It only ensures your connection to the download cannot be snooped/spoofed from ~most~ sources.

    Sha1 does not ensure your file download is legit. It only ensures you got the same file as the person who's sha1 your comparing to. If they have a virus and release an infected build, your SHA1 will match, including said virus.

    All in all, if you're this concerned about downloading a game development system without getting something bad, you're either being paranoid for no reason, or are doing a lot of illicit things and are wary of unwanted attention, as no government (the guys who can hijack any of the above measures) is going to waste their time modifying unity installer files.

    Download the file, take a deep breath, and enjoy. You're far more likely to get infected on youtube.com than you are on here.
     
    Last edited: Feb 3, 2015
  3. boolfone

    boolfone

    Joined:
    Oct 2, 2014
    Posts:
    289
    I get:

    SHA1(unity-4.6.2.dmg)= 5ecf137ad7c51e4260df9ca28220dd0195e78def

    Also, it appears to be 1809900084 bytes.
     
  4. Aurore

    Aurore

    Head of Learn Content Production Unity Technologies

    Joined:
    Aug 1, 2012
    Posts:
    3,104
    netstorage.unity3d.com is most definitely ours.

    As long as you always download Unity from our site, you're safe.
     
  5. BadPractice

    BadPractice

    Joined:
    Dec 7, 2013
    Posts:
    8
    @rdjig:
    Thank you so much just for asking that question. Just to see that I am not the only person who gives a **** about security in the age of cyberwar helps my sanity!

    @Aurore:
    Your link has an invalid HTTPS certificate. Just because the server is hosted by Unity does not mean its save to Download. See TCP/IP hijacking https://en.wikipedia.org/wiki/IP_hijacking

    I am not speaking hypothetical here! The lack of package validation on development tools has led to considerable security breaches in the past. See http://variety.com/2015/digital/new...-infected-apps-from-the-app-store-1201598650/

    Either fix that certificate or host hashes (sha1 not md5) somewhere where the HTTPS certificate checks out. Even better it would be if you sign downloads with a gpg key and host it on key servers.
     
  6. Kiwasi

    Kiwasi

    Joined:
    Dec 5, 2013
    Posts:
    16,565
    Posting in the forums is also likely to be a vector for infection. You probably shouldn't do that any more

    :p
     
  7. Ryiah

    Ryiah

    Joined:
    Oct 11, 2012
    Posts:
    14,899
  8. BadPractice

    BadPractice

    Joined:
    Dec 7, 2013
    Posts:
    8
    @Ryiah
    Security breaches like that happen all the time. I dont know why everyone thinks it cant happen to Unity3d (which has FAR less protection then linux mint)

    Im not asking for something crazy paranoid here. Its state of the art package verification!
     
  9. BadPractice

    BadPractice

    Joined:
    Dec 7, 2013
    Posts:
    8
    No it is not. If you cant tell the difference in security between
    • visiting a forum through HTTPS
    and
    • running random executables on your system you never bothered to check whatsever
    i pity you!

    You are developing for customers! If you dont care about your customers security fine! Just stop herassing people who try to create reputable software
     
  10. Ryiah

    Ryiah

    Joined:
    Oct 11, 2012
    Posts:
    14,899
    Wouldn't more secure OSes (I'm primarily thinking Linux here but it might include OS X) pretty much eliminate the threat?
     
  11. BadPractice

    BadPractice

    Joined:
    Dec 7, 2013
    Posts:
    8
    Well not exactly.

    Linux and OS X have build package store where you can get like 99% of the software you want (free and payed). Everything you download from there is automatically verified and completely secure.

    However for the last 1% of software (unity3d fits in here) you have to browse the www just like a Windows user. Everything you download here is not secure! Although Linux/OS X provides really handy tools to verify this, you still have to do it by hand.

    Doing so usually means:
    • Generating a string with a hashing algorithm such as SHA (boolfone for example posted one earlyer)
    • Looking on the developers homepage for a hash string (make sure to use HTTPS)
    • Compere the strings
    If they are identically it means your executable is the same as the developer WANTED to give you. Noone tinkered around on it, its verified and secure.

    If that is not enough security for you (it is for me) there is although the posibillity to sign hash values with asymetric encryption (such as gpg) but lets stop here. This is advanced.

    Now my problem is: Unity3d does not provide hash sums for there downloads. I cant verify if the version i have recieved a legit version of Unity.