On Tue, Jun 26, 2018 at 12:00 AM, degski via Boost-users <boost-users@lists.boost.org> wrote:

On 26 June 2018 at 01:05, Tom Kent via Boost-users <boost-users@lists.boost.org> wrote:
Please don't take it on trust. If you get a warning for the binaries, check the hashes, then check the signature on the hashes!

I don't think that hacker would be smart enough to change the boost code, hack into the web-site and replace the binary, while at the same time being so stupid as not to change the hashes as well. The hashes serve to verify that your download was correct, it's not a security.

The hashes (for the binaries) are signed with a PGP key as they are packaged up for each release. I agree it would be easy to change the hash in the SHA256SUMS. However, it would be impossible to create a copy of the SHA256SUMS.asc file that can be verified with GPG/PGP without hacking the private key that signs that file. This is a *much* higher bar, and does provide security.

Tom