While installing content from several major vendors over the last year, and on more than one occasion, I’ve encountered warning messages saying that that amongst the hundred or so files included in the download that there is some “unsigned content”.
Talk about making you pause! Are you suppose to trust that download? What are you suppose to do, post a forum comments or send an email and possibly wait a day or two for an answer? That certainly seems like a best practice.
I didn’t feel like waiting that long. So, I checked to see which files weren’t authorized and diff’d the code against earlier builds that, at least according to my notes, contained valid software. But, what if that particular class had changed, then I suppose I would have to get in contact with support? I understand that mistakes get made, but this is software that needs to be secure…such as Apache. My point is I should not have to do my own checking and it certainly doesn’t instill trust. And, I’m sure there are many other users who simply click thru the warnings and hope for the best.
Some of you might also be thinking you should run the checksum, but one of the downloads doesn’t offer that as an option. Now these are major vendors that distribute hundreds of thousands of downloads every year. How simple would it be for them to test their download?
My conclusion: When you provide downloadable software, always test your downloads…Especially if they contain trusted certificates. It only takes a few minutes and your end users will appreciate it.