Security concerns for updates...


Very fine software.

I have an important security concern I'm hoping you can help solve.

Question 1:
How can I be sure the .xml updates are legitimate and from you,
what checks are in place? Is there a method to verify the updates via hash or key or otherwise?

Question 2:
Can I accept 'all' updates at once without having to click OK to each one?

Thank you much.

Because MD5 sums are weak, for each release I upload the SHA256 hash instead to SourceForge, and I sign the hash using my GPG key.

Can I accept 'all' updates at once without having to click OK to each one?

Yes, BleachBit version 0.7.1 adds this enhancement.

Andrew, lead developer

Thank you.

I am referring to the update that occurs while using Debian Linux, from
within the program for the xml (new), not the hash sum for the entire program.

Are the .xml updates able to be verified when BleachBit adds new ones, or is it that
the .xml updates only come with a complete new program update (verified via sha256 & key)?

I may not understand your response correctly; is the verification 'only' available for a
complete 'new' program update?

Best regards,

BleachBit is not Firefox in the way Firefox can get extension updates any time, so the CleanerML (XML) updates only come with a new BleachBit application.

If you get BleachBit from the Debian repository:
1. Debian should be verifying the software from me and then digitally signing the .deb package.
2. You shouldn't see the security warning dialog. It shouldn't show for CleanerML files in /usr/share.

Andrew, lead developer

It would be very nice if there were also a SHA-256 hash for the Windows installer .exe.

There is in the same place on SourceForge. For the latest release, look here

for the file called bleachbit-0.9.1-sha256sum.txt.asc

The line you are looking for is

f0090a058a11c6429827be0511d0c207ede306fe8f2b9003f54c4354618c2eae BleachBit-0.9.1-setup.exe

Andrew, lead developer
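
The verification discussed in this thread (a SHA-256 list signed with a GPG key), as an added example that is not part of the original posts and is not BleachBit's own code. It assumes the .asc file is a clearsigned list in sha256sum format and that the signer's public key is already imported; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: verify a download against a GPG-signed SHA-256 list.
# Assumptions: the .asc file is clearsigned text in sha256sum format and
# the signer's public key is already in the local keyring.

# Step 1: check the signature and write out only the signed text.
# Hashes are read from this output, never from the raw .asc, because
# lines outside the signed region of a clearsigned file are not covered.
extract_signed_sums() {
    gpg --batch --yes --output "$2" --decrypt "$1"
}

# Step 2: compare the file's SHA-256 with the entry for its exact name.
# Returns 0 on match, 1 on mismatch, 2 if the list has no such entry.
check_sha256() {
    sums_file=$1
    target=$2
    name=$(basename "$target")
    expected=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f) } (f "") == (n "") { print tolower($1); exit }' "$sums_file")
    if [ -z "$expected" ]; then
        echo "no entry for $name in $sums_file" >&2
        return 2
    fi
    actual=$(sha256sum "$target" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name"
        return 0
    fi
    echo "MISMATCH: $name" >&2
    return 1
}

# Usage: sh verify.sh <sums.txt.asc> <downloaded-file>
if [ "$#" -eq 2 ]; then
    signed=$(mktemp)
    extract_signed_sums "$1" "$signed" && check_sha256 "$signed" "$2"
    status=$?
    rm -f "$signed"
    exit "$status"
fi
```

A matching hash only proves the file is the one listed; the signature check in step 1 is what ties that list to the key holder, so the key's fingerprint should be confirmed through a separate channel before it is trusted.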