Firmware Security & integrity request: please add SHA-512 sums/hashes to Peplink website for manual firmware downloads. GPG signatures would be a bonus…

Please add to the Peplink website’s firmware downloads page:

1.) the SHA-512 sums/hashes for each firmware file for routers, access points, etc…
2.) GPG signatures would be a nice bonus

—Purpose (primary):
For users to have the added security-related option of being able to verify that any given manually downloaded firmware file is legitimate and not altered or substituted for by a ‘look alike’ in a man-in-the-middle-style attack during the download process over the Internet.
Considering that a router’s security in particular is critically important, Peplink customers would benefit with a relatively high rate of return on what seems would be a relatively low investment of time to post these file hashes.
(at least compared to the time already invested in the development of the security measures engineered into the firmware versions themselves, which I’d imagine is rather complex)
Potentially additionally provided GPG signatures would serve as an added layer of security to remove the potential incentive to tamper with the file hash values on the Firmware downloads page on Peplink’s website by bad actors.
(I have every confidence that Peplink’s website is well protected at an industry standard or better level, but since effective security is most effective when multi-layered, GPG signatures would be nice to have as an option too).

—Purpose (secondary):
To be able to verify a firmware is a complete download and/or was not accidentally corrupted in the download process.

—Examples:
The websites for PuTTY and VeraCrypt are good examples of user-friendly implementations of providing file hashes and GPG signatures, and decent tutorials for how to use them if that helps to add here to serve as an example of this overall feature request.

—Tutorials:
Also, I am willing to volunteer to write an easy-to-follow Peplink community member-submitted tutorial with screenshots in Windows, macOS, and Ubuntu for any users who may not be already familiar with how to use the file hashes (and/or GPG signatures if you decide to additionally provide these as well since this process is less widely familiar…).

—Question:
(I assume that some sort of file hash verification is performed when firmware is updated directly from any given router’s or AP’s management webpage, or when a firmware update command is pushed from the InControl…is this correct?)

@Michael234 curious if you have any thoughts on this topic?

Thank you for consideration of this feature request!

3 Likes

+1

I’d like this also.

With respect, most companies that make and sell enterprise networking products provide these SHA512 sums for their products’ firmware when customers manually download them…would it be possible to revisit this request or have some sort of response, please?

Also, when firmware is installed via InControl, I’m assuming that the router performs a SHA512 check (along with security certificate-based checks)… Is this correct?

Thank you

2 Likes

I more often see md5sum than sha512sum for this purpose, but agree either would be beneficial.