Run and show Virustotal scan results on download page
Creating a feature request
Thanks for this awesome project!
Is your feature request related to a problem? Please describe:
No direct problem, just general fear of infecting the home network. I am neither an IT expert nor a security expert, but I would feel safer in general if there was the possibility to verify the download with GPG to be sure that the image is from the original author.
Describe the solution you'd like:
I would like to have a way to verify the downloaded image. You already provide a SHA256 hash, but probably it is possible to extend this with a gpg signature check? (guide example see KeepassXC) Additionally it would be nice to see the result of a Virustotal scan per image. Yes this could be done by the user but probably you can automatically do this during the build process.
Describe alternatives you've considered:
Virustotal scan can be done by the user itself, he/she has only to wait (depending on upload speed).
Vote for this feature on FeatHub: https://feathub.com/MichaIng/DietPi/+215
Many thanks for your suggestion.
It was asked already for having the hashes online and for the archive, instead of as part of the archive for the contained image. If I'm not wrong, checksums are part of the 7z archive format, checked by the unarchivers already, so the integrity of the contained image actually does not need to be checked.
So I like the idea of covering online integrity checks of the archive, before extracting it and adding authenticity via DietPi GPG signature. I need to dig into how to have this verified and added to known key servers, but we can show the signature on our download page for now.
I plan to create our own APT server as well (we already maintain a few DEB packages), so a DietPi GPG key is required anyway.
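The check the two comments above describe (verify the published SHA256 hash of the archive before extracting it, then check a detached GPG signature once a project key exists) as an added example. This is not DietPi project code; the archive bytes, the checksum list and the file name `DietPi_Example.7z` are constructed for the demo, and the `gpg --verify` wrapper assumes a keyring the user has already imported the project's public key into.

```python
"""Added example (not DietPi code): verify a downloaded archive against a
published SHA256 checksum list, then optionally against a detached GPG
signature. Sample archive and checksums are constructed below."""
import hashlib
import hmac
import os
import shutil
import subprocess
import tempfile


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file so multi-GB images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sha256sums(text):
    """Parse 'sha256sum' style lines: '<hex>  <name>' (or '<hex> *<name>' for binary mode)."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")
        digest = digest.lower()
        if len(digest) != 64 or set(digest) - set("0123456789abcdef"):
            raise ValueError(f"malformed checksum line: {line!r}")
        sums[name] = digest
    return sums


def verify_download(archive_path, sums_text):
    """Return (ok, reason). The archive is checked as downloaded, before extraction."""
    name = os.path.basename(archive_path)
    expected = parse_sha256sums(sums_text).get(name)
    if expected is None:
        return False, f"no checksum published for {name}"
    actual = sha256_of_file(archive_path)
    if not hmac.compare_digest(actual, expected):
        return False, f"hash mismatch: expected {expected}, got {actual}"
    return True, "sha256 matches"


def verify_gpg_signature(archive_path, sig_path, keyring=None):
    """Wrapper around 'gpg --verify' for a detached signature (assumed: the project's
    public key was imported into the given keyring beforehand). Returns None when
    gpg is not installed, so callers can tell 'not verified' from 'failed'."""
    if shutil.which("gpg") is None:
        return None
    cmd = ["gpg", "--batch", "--status-fd", "1"]
    if keyring:
        cmd += ["--no-default-keyring", "--keyring", keyring]
    cmd += ["--verify", sig_path, archive_path]
    result = subprocess.run(cmd, capture_output=True, text=True)
    # VALIDSIG is only emitted for a good signature from a key present in the keyring.
    return result.returncode == 0 and "[GNUPG:] VALIDSIG" in result.stdout


def demo():
    """Constructed sample: a fake archive plus a matching checksum list, then one
    tampered byte. Returns (result before tampering, result after tampering)."""
    tmp = tempfile.mkdtemp()
    try:
        archive = os.path.join(tmp, "DietPi_Example.7z")
        with open(archive, "wb") as f:
            f.write(b"7z\xbc\xaf\x27\x1c" + b"constructed archive payload\n" * 100)
        sums = f"{sha256_of_file(archive)}  DietPi_Example.7z\n"
        good, _ = verify_download(archive, sums)
        with open(archive, "r+b") as f:
            f.seek(40)
            f.write(b"X")  # flip one byte inside the payload
        bad, _ = verify_download(archive, sums)
        return good, bad
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The checksum must come from the download page over HTTPS rather than from inside the archive: a hash shipped next to the file it covers only proves integrity of the transfer, while the detached signature is what ties the hash to the project's key and therefore gives authenticity.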
I transferred the issue to the website repository, where it fits better, and focused it on the automated AV scan. The other request to add download signatures is tracked here: #118