Author Topic: Rigol software digital signatures and trust worthiness?  (Read 2006 times)


Offline jpyeron (Topic starter)

  • Regular Contributor
  • *
  • Posts: 108
  • Country: us
    • PD Inc
Rigol software digital signatures and trust worthiness?
« on: August 02, 2020, 04:31:42 am »
Ug... they are delivering unsigned installers via HTTP, shame on you Rigol.

Has anyone else verified these files as safe, legitimate, etc?

http://cdn-ci73.actonsoftware.com/acton/cdna/1579/f-0114/0/7 (UltraStation setup.zip)
http://beyondmeasure.rigoltech.com/acton/attachment/1579/f-04de/1/-/-/-/-/rgds1kz.msi

https://beyondmeasure.rigoltech.com/acton/attachment/1579/f-07e9/1/-/-/-/-/Ultra%20Sigma_00_01_06_01.zip
https://beyondmeasure.rigoltech.com/acton/attachment/1579/f-0770/1/-/-/-/-/UltraScope%28PC%29Installer_00.01.01.07.zip

I got the following SHA256 hashes:

None of the files are Authenticode signed:
UltraScope(PC)Installer_00.01.01.07/UltraScope setup.exe
UltraStation setup/Ultra Station setup.exe
rgds1kz.msi
Ultra Sigma_00_01_06_01/Ultra Sigma(PC)Installer_00.01.06.01/setup.exe


Before anyone else asks:
SHA1 / MD5
 

Online tv84

  • Super Contributor
  • ***
  • Posts: 3221
  • Country: pt
Re: Rigol software digital signatures and trust worthiness?
« Reply #1 on: August 02, 2020, 07:54:20 am »
> Ug... they are delivering unsigned installers via HTTP, shame on you Rigol.
>
> Has anyone else verified these files as safe, legitimate, etc?

Why do you suspect the hashes if all your files are different?
 

Offline jpyeron (Topic starter)
Re: Rigol software digital signatures and trust worthiness?
« Reply #2 on: August 02, 2020, 04:36:55 pm »
> > Ug... they are delivering unsigned installers via HTTP, shame on you Rigol.
> >
> > Has anyone else verified these files as safe, legitimate, etc?
>
> Why do you suspect the hashes if all your files are different?

I suspect any file that has no documented provenance. A digital signature is an electronic signature that is used to authenticate the identity of the individual or organization that signed a file (for example a program, a document, etc). The digital signature will also make sure that the original content of the file has not been changed. All I know at this point in time is:

1. "someone" on the internet provided me the above files. Was that someone actually Rigol?
2. Those files require administrative privileges concurrent with network access. Which means they could cause significant damage.

I posted this question to:

1. verify the files I received are the same as Rigol actually intended to provide.
2. After achieving #1, then anyone else searching with the same question for the same answer will see this thread and get the results of #1.

 

Offline rdsi

  • Contributor
  • Posts: 29
  • Country: us
Re: Rigol software digital signatures and trust worthiness?
« Reply #3 on: August 02, 2020, 11:33:56 pm »

> Has anyone else verified these files as safe, legitimate, etc?
>
> https://beyondmeasure.rigoltech.com/acton/attachment/1579/f-07e9/1/-/-/-/-/Ultra%20Sigma_00_01_06_01.zip
>
> I got the following SHA256 hashes:
> 66854b09414b8cf975b9d0770520f26d063f28eed60790d967c8b36f2d74bffe *Ultra Sigma_00_01_06_01.zip
>
> SHA1 / MD5
> 148e32c497584f0fac634441a38b59e08cae6082 *Ultra Sigma_00_01_06_01.zip

I got the same hashes as you for this file and had no problems installing/running it.
I also installed another program called "Ultra IQ Station(PC)update_00.02.00.23.zip" without incident...
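
Added example (not part of the thread): the cross-check done in this reply, reading `<digest> *<filename>` lines in the format quoted above and inferring MD5, SHA-1 or SHA-256 from the digest length, since a list headed "SHA1 / MD5" does not label each line. All file names, file contents and digests in `demo()` are constructed for illustration.

```python
import hashlib
import os
import re
import tempfile

ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}  # hex digest length -> algorithm
# "<hex> *<name>" (binary mode) or "<hex>  <name>" (text mode), as sha256sum prints.
LINE = re.compile(r"^([0-9a-fA-F]+) [ *](.+)$")

def parse_manifest(text):
    """Return [(algorithm, digest, filename)] for every non-blank line."""
    entries = []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = LINE.match(line)
        if not m or len(m.group(1)) not in ALGO_BY_LEN:
            raise ValueError(f"not a digest line: {line!r}")
        entries.append((ALGO_BY_LEN[len(m.group(1))], m.group(1).lower(), m.group(2)))
    return entries

def file_digest(path, algo):
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):  # stream large installers
            h.update(chunk)
    return h.hexdigest()

def check(manifest_text, base_dir):
    """Map (filename, algorithm) -> 'match', 'MISMATCH' or 'missing'."""
    out = {}
    for algo, want, name in parse_manifest(manifest_text):
        path = os.path.join(base_dir, name)
        if not os.path.isfile(path):
            out[name, algo] = "missing"
        else:
            out[name, algo] = "match" if file_digest(path, algo) == want else "MISMATCH"
    return out

def demo():
    """Constructed files and a constructed 'posted' list; no values from the thread."""
    mine, theirs = b"constructed installer bytes", b"constructed, different bytes"
    with tempfile.TemporaryDirectory() as d:
        for name in ("Example setup.zip", "example.msi"):
            with open(os.path.join(d, name), "wb") as f:
                f.write(mine)
        posted = (f"{hashlib.sha256(mine).hexdigest()} *Example setup.zip\n"
                  f"{hashlib.md5(mine).hexdigest()} *Example setup.zip\n"
                  f"{hashlib.sha1(theirs).hexdigest()} *example.msi\n"
                  f"{hashlib.sha256(theirs).hexdigest()} *not-downloaded.zip\n")
        return check(posted, d)
```

A match shows that two downloads are byte-identical; it does not show who produced those bytes.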
 

Online Fungus

  • Super Contributor
  • ***
  • Posts: 16666
  • Country: 00
Re: Rigol software digital signatures and trust worthiness?
« Reply #4 on: August 03, 2020, 05:37:31 am »
I downloaded it from the Rigol site a few years ago and instantly regretted installing it. It's truly awful, one of the worst pieces of software ever written.

If you want to send SCPI commands, use telnet.

If you want remote control, Sigrok (or any of the others...depending on your OS)


 

Offline BravoV

  • Super Contributor
  • ***
  • Posts: 7547
  • Country: 00
  • +++ ATH1
Re: Rigol software digital signatures and trust worthiness?
« Reply #5 on: August 03, 2020, 05:55:59 am »
Hint: When it comes to something new that you can live without, but just out of curiosity, use a VM.
 
The following users thanked this post: Sighound36

Online tv84

Re: Rigol software digital signatures and trust worthiness?
« Reply #6 on: August 03, 2020, 08:28:09 am »
> I suspect any file that has no documented provenance. A digital signature is an electronic signature that is used to authenticate the identity of the individual or organization that signed a file (for example a program, a document, etc). The digital signature will also make sure that the original content of the file has not been changed. All I know at this point in time is:
>
> 1. "someone" on the internet provided me the above files. Was that someone actually Rigol?
> 2. Those files require administrative privileges concurrent with network access. Which means they could cause significant damage.

1. https://beyondmeasure.rigoltech.com/ is Rigol's domain for the software distribution.
2. You did the download via https.

If you don't trust Rigol's own server what makes you trust Rigol's software contents? A digital signature doesn't validate the good intents of a piece of software.

 

Offline jpyeron (Topic starter)
Re: Rigol software digital signatures and trust worthiness?
« Reply #7 on: August 03, 2020, 11:35:45 pm »
> > I suspect any file that has no documented provenance. A digital signature is an electronic signature that is used to authenticate the identity of the individual or organization that signed a file (for example a program, a document, etc). The digital signature will also make sure that the original content of the file has not been changed. All I know at this point in time is:
> >
> > 1. "someone" on the internet provided me the above files. Was that someone actually Rigol?
> > 2. Those files require administrative privileges concurrent with network access. Which means they could cause significant damage.
>
> 1. https://beyondmeasure.rigoltech.com/ is Rigol's domain for the software distribution.
> 2. You did the download via https.
>
> If you don't trust Rigol's own server what makes you trust Rigol's software contents? A digital signature doesn't validate the good intents of a piece of software.



Re #2: no, some of the files were via HTTP.

Re why trust the distribution server less than the software development publishing process? Because we have seen too many times that a distribution channel was compromised. At least if the files were signed at publish time you know that the signer's "intents" are unmodified.
 

Offline jpyeron (Topic starter)
Re: Rigol software digital signatures and trust worthiness?
« Reply #8 on: August 03, 2020, 11:36:27 pm »

> I got the same hashes as you for this file and had no problems installing/running it.
> I also installed another program called "Ultra IQ Station(PC)update_00.02.00.23.zip" without incident...

Good to know, thanks!
 

Offline jpyeron (Topic starter)
Re: Rigol software digital signatures and trust worthiness?
« Reply #9 on: August 03, 2020, 11:37:56 pm »
> I downloaded it from the Rigol site a few years ago and instantly regretted installing it. It's truly awful, one of the worst pieces of software ever written.
>
> If you want to send SCPI commands, use telnet.
>
> If you want remote control, Sigrok (or any of the others...depending on your OS)

Yep, painfully obvious - after the fact.
 
The following users thanked this post: Fungus

