Author Topic: Rigol software digital signatures and trust worthiness?  (Read 332 times)

ToThePub, TurboTom, KE5FX and 2 Guests are viewing this topic.

Offline jpyeron

  • Contributor
  • Posts: 27
  • Country: us
Rigol software digital signatures and trust worthiness?
« on: Yesterday at 04:31:42 am »
Ug... they are delivering unsigned installers via HTTP, shame on you Rigol.

Has anyone else verified these files as safe, legitimate, etc?

http://cdn-ci73.actonsoftware.com/acton/cdna/1579/f-0114/0/7 (UltraStation setup.zip)
http://beyondmeasure.rigoltech.com/acton/attachment/1579/f-04de/1/-/-/-/-/rgds1kz.msi

https://beyondmeasure.rigoltech.com/acton/attachment/1579/f-07e9/1/-/-/-/-/Ultra%20Sigma_00_01_06_01.zip
https://beyondmeasure.rigoltech.com/acton/attachment/1579/f-0770/1/-/-/-/-/UltraScope%28PC%29Installer_00.01.01.07.zip

I got the following SHA256 hashes:
66854b09414b8cf975b9d0770520f26d063f28eed60790d967c8b36f2d74bffe *Ultra Sigma_00_01_06_01.zip
2e56f225d171710eb4fab24b0adabf2b27de3284473b43669f8da7ca84dfd800 *UltraScope(PC)Installer_00.01.01.07.zip
11408cce0a93a3fdb3861d7bd496c5a5f54b09ffb5b4524f981660a9ba096696 *UltraStation setup.zip
1c2265bb91693fd85571b584459a695919af09d9015784afbac2bcc8d2674cf0 *rgds1kz.msi
4a6d516828189b92abcf5805bc11f4350ddf19ac822655187f7025261adae4e2 *UltraScope(PC)Installer_00.01.01.07/UltraScope setup.exe
8924812952a36cb36b8d8ef926d9a153ab2d7f59321a8e61befe3180b32d01cf *UltraStation setup/Ultra Station setup.exe
9435f902680d032c3876c0f843490d99cb1383f22e5c04d71ff44d8072014cd3 *Ultra Sigma_00_01_06_01/Ultra Sigma(PC)Installer_00.01.06.01/setup.exe

None of the files are authenticode signed:
UltraScope(PC)Installer_00.01.01.07/UltraScope setup.exe
UltraStation setup/Ultra Station setup.exe
rgds1kz.msi
Ultra Sigma_00_01_06_01/Ultra Sigma(PC)Installer_00.01.06.01/setup.exe


Before anyone else asks:
SHA1 / MD5
148e32c497584f0fac634441a38b59e08cae6082 *Ultra Sigma_00_01_06_01.zip
ddc5e8e2e61101f0fc175c21c5f8ba97b9f418cd *UltraScope(PC)Installer_00.01.01.07.zip
3c93cf10d3413ca5d65e96f307ad737e52643d51 *UltraStation setup.zip
992675167f4316df5f3ddbbd0851e712046a9d0a *rgds1kz.msi
1bad84f81d56b93dd20a5a20732d3ee1 *Ultra Sigma_00_01_06_01.zip
0b0f8ace1046426252fdc02b5c2a5056 *UltraScope(PC)Installer_00.01.01.07.zip
7c27c4256aae3f0c891e7aa1094f1ddc *UltraStation setup.zip
40eb3a3236eab6759a3f76e28f1d8679 *rgds1kz.msi
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 1568
  • Country: pt
Re: Rigol software digital signatures and trust worthiness?
« Reply #1 on: Yesterday at 07:54:20 am »
Ug... they are delivering unsigned installers via HTTP, shame on you Rigol.

Has anyone else verified these files as safe, legitimate, etc?

Why do you suspect the hashes if all your files are different?
 

Offline jpyeron

  • Contributor
  • Posts: 27
  • Country: us
Re: Rigol software digital signatures and trust worthiness?
« Reply #2 on: Yesterday at 04:36:55 pm »
Ug... they are delivering unsigned installers via HTTP, shame on you Rigol.

Has anyone else verified these files as safe, legitimate, etc?

Why do you suspect the hashes if all your files are different?

I suspect any file that has no documented provenance.  A digital signature is an electronic signature that is used to authenticate the identity of the individual or organization that signed a file (for example a program, a document, etc). The digital signature will also make sure that the original content of the file has not been changed. All I know at this point and time is:

1. "someone" on the internet provided me the above files. Was that someone actually Rigol?
2. Those files require administrative privileges concurrent with network access. Which means they could cause significant damage.

I posted this question to:

1. verify the files I received are the same as Rigol actually intended to provide.
2. After achieving #1, then anyone else searching with the same question for the same answer will see this thread and get the results of #1.

 

Offline rdsi

  • Newbie
  • Posts: 2
  • Country: us
Re: Rigol software digital signatures and trust worthiness?
« Reply #3 on: Yesterday at 11:33:56 pm »

Has anyone else verified these files as safe, legitimate, etc?

https://beyondmeasure.rigoltech.com/acton/attachment/1579/f-07e9/1/-/-/-/-/Ultra%20Sigma_00_01_06_01.zip

I got the following SHA256 hashes:
66854b09414b8cf975b9d0770520f26d063f28eed60790d967c8b36f2d74bffe *Ultra Sigma_00_01_06_01.zip

SHA1 / MD5
148e32c497584f0fac634441a38b59e08cae6082 *Ultra Sigma_00_01_06_01.zip

I got the same hashes as you for this file and had no problems installing/running it.
I also installed another program called "Ultra IQ Station(PC)update_00.02.00.23.zip" without incidence...
 

Online Fungus

  • Super Contributor
  • ***
  • Posts: 10927
  • Country: 00
Re: Rigol software digital signatures and trust worthiness?
« Reply #4 on: Today at 05:37:31 am »
I downloaded it from the Rigol site a few years ago and instantly regretted installing it. It's truly awful, one of the worst pieces of software ever written.

If you want to send SCPI commands, use telnet.

If you want remote control, Sigrok (or any of the others...depending on your OS)


 

Online BravoV

  • Super Contributor
  • ***
  • Posts: 6847
  • Country: 00
  • +++ ATH1
Re: Rigol software digital signatures and trust worthiness?
« Reply #5 on: Today at 05:55:59 am »
Hint: When it comes to something new that you can live without, but just curiousity, use VM.
 
The following users thanked this post: Sighound36

Offline tv84

  • Super Contributor
  • ***
  • Posts: 1568
  • Country: pt
Re: Rigol software digital signatures and trust worthiness?
« Reply #6 on: Today at 08:28:09 am »
I suspect any file that has no documented provenance.  A digital signature is an electronic signature that is used to authenticate the identity of the individual or organization that signed a file (for example a program, a document, etc). The digital signature will also make sure that the original content of the file has not been changed. All I know at this point and time is:

1. "someone" on the internet provided me the above files. Was that someone actually Rigol?
2. Those files require administrative privileges concurrent with network access. Which means they could cause significant damage.

1. https://beyondmeasure.rigoltech.com/ is Rigol's domain for the software distribution.
2. You did the download via https.

If you don't trust Rigol's own server what makes you trust Rigol's software contents? A digital signature doesn't validate the good intents of a piece of software.

 


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf