
A checksum can only tell you if the file is identical to another. Even if it did - you downloaded the file from an untrusted location for a reason - you don't have access to original source.

Checksums are useless if you don't have access to an alternative source.




Xcode.app includes a digital signature, which can be checked with `codesign`. As all OS X comes bundled with Apple's root certificate, one can check for the validity of that application by oneself without any additional trusted source.

Or if the developers never disable Gatekeeper and read the warning, they will know that the application is not genuine.


Of course being China, of course Gatekeeper is totally disabled and no one has valid signatures on anything unless it's absolutely required


> you don't have access to original source.

Not true, they have access to the original Xcode (and checksum), but the download speed is very slow.



