Checksum mismatch from certificate on birt.exe
From the ML:
Issue: Digital Signatures Failing Integrity Validation Checks
Reviewed Versions: 4.18.0 & 4.19.0
Source Downloaded from: https://www.eclipse.org/
Affected File: birt.exe
Affected File Path: binary/org.eclipse.birt.
Problem Synopsis:
Digital signatures are applied to applications, packages and documents as a cryptographically secured authenticity record. Signatures verify the origin and the integrity of the object they apply to. Signatures contain a cryptographic hash of the object they are signing. Any mismatch between the expected and computed hashes is reported as an integrity validation failure.
Problem Impact: With the growing trend in supply chain attacks, it is vital for application developers to sign their products prior to release to ensure that no unauthorized modification is performed on the package before it is used by end users. With these integrity validation errors we are unable to confirm how "complete" and "trusted" this software may be, irrespective of where it was obtained from. An insider threat or malicious actor may have altered the code base of the application and rehosted it for download in an attempt to infect numerous Eclipse Foundation users who wish to download the BIRT tool.
Recommendations:
- Inspect the software package for malicious software supply chain tampering.
- If there is no evidence of tampering, re-sign and re-publish the software component.
- If there are any post-signing processes that might modify the software package, move them to an earlier point in the release process.
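The synopsis above describes why a signature fails when the signed hash no longer matches the shipped bytes, and the third recommendation says to move any payload-modifying step ahead of signing. The following Go program, an added illustration and not BIRT or Eclipse code, models both: a publisher signs the SHA-256 digest of a package with an Ed25519 key (the Authenticode/PKCS#7 details of a real `.exe` are not reproduced), a hypothetical post-signing step `stampBuildInfo` appends build metadata, and `Verify` reports an integrity validation failure for the broken pipeline while the reordered pipeline verifies cleanly. The key, payload and stamp text are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Artifact models a released package: the bytes that are shipped plus a
// detached signature over the SHA-256 digest of the bytes that were signed.
type Artifact struct {
	Payload   []byte
	Signature []byte
}

// ErrHashMismatch is returned when the digest of the received bytes does not
// verify under the publisher's key (the "integrity validation failure" case).
var ErrHashMismatch = errors.New("integrity validation failure: signature does not match computed hash")

// Sign hashes the payload and signs the digest with the publisher's private key.
func Sign(priv ed25519.PrivateKey, payload []byte) Artifact {
	digest := sha256.Sum256(payload)
	return Artifact{
		Payload:   append([]byte(nil), payload...),
		Signature: ed25519.Sign(priv, digest[:]),
	}
}

// Verify recomputes the digest over the bytes actually received and checks
// the signature against it; any post-signing change to Payload fails here.
func Verify(pub ed25519.PublicKey, a Artifact) error {
	digest := sha256.Sum256(a.Payload)
	if !ed25519.Verify(pub, digest[:], a.Signature) {
		return ErrHashMismatch
	}
	return nil
}

// stampBuildInfo is a hypothetical release step that rewrites the package
// after it has been built, here by appending build metadata (constructed).
func stampBuildInfo(payload []byte) []byte {
	return append(append([]byte(nil), payload...), []byte("\nbuild=4.19.0")...)
}

// ReleaseBroken signs first and stamps afterwards: the shipped bytes no
// longer match the bytes whose digest was signed.
func ReleaseBroken(priv ed25519.PrivateKey, binary []byte) Artifact {
	a := Sign(priv, binary)
	a.Payload = stampBuildInfo(a.Payload)
	return a
}

// ReleaseFixed applies the recommendation: every payload-modifying step runs
// before signing, so the signature covers exactly what ships.
func ReleaseFixed(priv ed25519.PrivateKey, binary []byte) Artifact {
	return Sign(priv, stampBuildInfo(binary))
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	binary := []byte("MZ...constructed stand-in for birt.exe...")
	fmt.Println("sign-then-stamp:", Verify(pub, ReleaseBroken(priv, binary)))
	fmt.Println("stamp-then-sign:", Verify(pub, ReleaseFixed(priv, binary)))
}
```

The same `Verify` failure is what a malicious post-download modification produces, which is why the report cannot distinguish a sloppy release pipeline from tampering without inspecting the package itself (the first recommendation).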
Would it be possible for the development team to review this request and ensure that the package is signed correctly and that the integrity of the code has not been altered in any way since the package was signed?