Please add to the Peplink website’s firmware downloads page:
1.) the SHA-512 sums/hashes for each firmware file for routers, access points, etc…
2.) GPG signatures would be a nice bonus
—Purpose (primary):
For users to have the added security-related option of being able to verify that any given manually downloaded firmware file is legitimate and not altered or substituted for by a ‘look alike’ in a man-in-the-middle-style attack during the download process over the Internet.
Considering that a router’s security in particular is critically important, Peplink customers would benefit with a relatively high rate of return on what it seems would be a relatively low investment of time to post these file hashes.
(at least compared to the time already invested in the development of the security measures engineered into the firmware versions themselves, which I’d imagine is rather complex)
Potentially additionally provided GPG signatures would serve as an added layer of security to remove the potential incentive to tamper with the file hash values on the Firmware downloads page on Peplink’s website by bad actors.
(I have every confidence that Peplink’s website is well protected at an industry standard or better level, but since effective security is most effective when multi-layered, GPG signatures would be nice to have as an option too).
—Purpose (secondary):
To be able to verify a firmware is a complete download and/or was not accidentally corrupted in the download process.
—Examples:
The websites for PuTTY and VeraCrypt are good examples of user-friendly implementations of providing file hashes and GPG signatures, and decent tutorials for how to use them if that helps to add here to serve as an example of this overall feature request.
—Tutorials:
Also, I am willing to volunteer to write an easy-to-follow Peplink community member-submitted tutorial with screenshots in Windows, macOS, and Ubuntu for any users who may not be already familiar with how to use the file hashes (and/or GPG signatures if you decide to additionally provide these as well since this process is less widely familiar…).
—Question:
(I assume that some sort of file hash verification is performed when firmware is updated directly from any given router’s or AP’s management webpage, or when a firmware update command is pushed from the InControl…is this correct?)
@Michael234 curious if you have any thoughts on this topic?
Thank you for consideration of this feature request!
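
The check this request would enable, as an added example that is not part of the original post and not Peplink tooling: a cross-platform script that verifies a downloaded file against a `sha512sum`-style checksum list and catches both alteration and an incomplete download. The file names, the manifest layout and the stand-in image are constructed for illustration.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

def sha512_file(path, chunk_size=1 << 20):
    """Hash in chunks so a large firmware image is never held in memory."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_manifest(text):
    """Parse sha512sum-style lines: '<128 hex digits>  <file name>'."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        digest, _, name = line.strip().partition(" ")
        digest, name = digest.lower(), name.strip().lstrip("*")
        if len(digest) != 128 or not set(digest) <= set("0123456789abcdef") or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        entries[name] = digest
    return entries

def verify_firmware(path, manifest_text):
    """Return 'ok', 'mismatch' or 'not-listed' for the downloaded file."""
    expected = parse_manifest(manifest_text).get(Path(path).name)
    if expected is None:
        return "not-listed"  # an unlisted file is never treated as verified
    return "ok" if hmac.compare_digest(sha512_file(path), expected) else "mismatch"

def demo():
    """Run the check on constructed data: intact, truncated, altered, unlisted."""
    image = b"CONSTRUCTED-FIRMWARE-IMAGE" * 4096  # stand-in, not real firmware
    manifest = f"{hashlib.sha512(image).hexdigest()}  fw-example-1.0.bin\n"
    variants = {"intact": image, "truncated": image[:-100],
                "altered": image.replace(b"IMAGE", b"IMAGF", 1)}
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for label, data in variants.items():
            path = Path(d, "fw-example-1.0.bin")
            path.write_bytes(data)
            results[label] = verify_firmware(path, manifest)
        other = Path(d, "fw-other.bin")  # file name absent from the manifest
        other.write_bytes(b"")
        results["unlisted"] = verify_firmware(other, manifest)
    return results
```

A matching hash only shows that the file agrees with the checksum list, so the list itself has to come from a trusted channel; that is the gap the GPG signatures in the request are meant to close.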