I downloaded the .msi installer file for Calibre 2.52.0 for win32 (running Vista).
This file from the primary download link contains a digital signature (as all proper software should these days), but the signature does not validate.
I tried downloading the same .msi from the alternate download links, and these also have invalid digital signatures. However, each of these three alternatives give the same message digest hash when I manually compute one, so they are each confirmed to be the same file.
The file offered on fosshub came in a list which offered a link to see the file's hash, but no hash value was ever actually presented for any of the calibre files there (also there is the related problem of whether such a hash, if it was presented, was just the hash of the file as ingested into fosshub's system, or the intended official hash value of the software as officially published).
In this new era of ever-clever malware and ransomware, users need to be especially careful about the software they download to run on their computers. Ensuring you've received an unmodified and valid copy as the publisher intended, through the use of officially posted hash values and/or platform-specific digital signatures is one good way of accomplishing this.
I imagine the software packaged in the 2.52.0.msi file for win32 system is probably okay, otherwise I'm sure there would be other reports here and elsewhere about it, just the same I request/require either a valid signed installer or an officially published hash value for comparison before I will agree to make use of this version.
For comparison, the last time I updated was back at 2.40.0, and my archive of the .msi file for that version contains a proper and validated digital signature.
I tried downloading older versions and stopped after 2.48.0.msi. All of these had invalid digital signatures. I haven't checked any further back.
Please forward this or direct me to the most appropriate place to lodge this notice, if a better one than here exists. Thanks!
This file from the primary download link contains a digital signature (as all proper software should these days), but the signature does not validate.
I tried downloading the same .msi from the alternate download links, and these also have invalid digital signatures. However, each of these three alternatives give the same message digest hash when I manually compute one, so they are each confirmed to be the same file.
The file offered on fosshub came in a list which offered a link to see the file's hash, but no hash value was ever actually presented for any of the calibre files there (also there is the related problem of whether such a hash, if it was presented, was just the hash of the file as ingested into fosshub's system, or the intended official hash value of the software as officially published).
In this new era of ever-clever malware and ransomware, users need to be especially careful about the software they download to run on their computers. Ensuring you've received an unmodified and valid copy as the publisher intended, through the use of officially posted hash values and/or platform-specific digital signatures is one good way of accomplishing this.
I imagine the software packaged in the 2.52.0.msi file for win32 system is probably okay, otherwise I'm sure there would be other reports here and elsewhere about it, just the same I request/require either a valid signed installer or an officially published hash value for comparison before I will agree to make use of this version.
For comparison, the last time I updated was back at 2.40.0, and my archive of the .msi file for that version contains a proper and validated digital signature.
I tried downloading older versions and stopped after 2.48.0.msi. All of these had invalid digital signatures. I haven't checked any further back.
Please forward this or direct me to the most appropriate place to lodge this notice, if a better one than here exists. Thanks!