How do I verify the authenticity of the SHA-256 checksum file for JetBrains products on Linux?

Answered

Hi,

I want to verify the authenticity of the SHA-256 checksum file for Linux (.tar.gz) downloads.

Does JetBrains provide a "SHA-256.txt.gpg" file to check the authenticity of the SHA-256 checksum file?

Regards,

2
Official comment

Hi everyone,

By way of introduction, I am a security engineer in the JetBrains Security team.

I apologize for the misunderstanding that happened in the discussion earlier.

We understand that verifying downloads' authenticity is important and are looking for the best way to implement it.

Thank you.

Hi. Just append .sha256 to the download link (e.g. https://download.jetbrains.com/idea/ideaIC-2020.2.2.tar.gz.sha256); the links could be found on the "Other versions" page (https://www.jetbrains.com/idea/download/other.html).

0

Hi,

I am NOT looking for the SHA-256 checksum file to verify the integrity of the download. I want to know if there is a way to verify the authenticity of the checksum file.

If I downloaded e.g. Ubuntu I would have to download a checksum file and a signature (see link below).

https://ubuntu.com/tutorials/how-to-verify-ubuntu

Regards,

1

Hi. We have no plans to provide .gpg verification, HTTPS must be enough to protect from spoofing in such case.

-1

How does HTTPS protect the SHA-256 checksum file from being spoofed? There is no way of knowing that it was published by JetBrains, because there is no way of proving that it was signed by JetBrains.

What would happen if the download server was hacked and the (.tar.gz) download and the checksum file were altered?

1
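The distinction the exchange above turns on, between the integrity a `.sha256` file can check and the authenticity it cannot, as an added example that is not part of this thread or of any JetBrains tooling. It assumes the `.sha256` companion file mentioned in the earlier reply holds `<hex digest> *<filename>` (so the digest is its first whitespace-separated field), and it works on a constructed stand-in archive named `ideaIC-EXAMPLE.tar.gz` rather than a real release. POSIX sh with coreutils `sha256sum` (or `shasum -a 256`) is all it needs.

```shell
#!/bin/sh
# Added example, not from the thread: what a ".sha256" companion file can
# and cannot verify. Assumes POSIX sh plus sha256sum (or shasum -a 256).
set -eu

# Print the hex SHA-256 digest of a file.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Compare an archive with the digest recorded in its ".sha256" file.
# Assumed file format: "<hex digest> *<filename>"; only the first field is used.
# Prints "match" or "MISMATCH" and always exits 0 so it composes under set -e.
verify_download() {
    expected=$(cut -d' ' -f1 "$2")
    actual=$(sha256_of "$1")
    if [ "$expected" = "$actual" ]; then
        echo "match"
    else
        echo "MISMATCH"
    fi
}

# Constructed release in a scratch directory: a stand-in archive plus the
# ".sha256" file a publisher would generate for it. Placeholder name, not a
# real JetBrains build.
work=$(mktemp -d)
archive="$work/ideaIC-EXAMPLE.tar.gz"
sums="$archive.sha256"
printf 'constructed archive contents\n' > "$archive"
printf '%s *%s\n' "$(sha256_of "$archive")" "$(basename "$archive")" > "$sums"

# Case 1: untouched archive, untouched checksum file. Expected: match.
honest_download() {
    verify_download "$archive" "$sums"
}

# Case 2: the archive changed after the checksum was published (truncated
# transfer, mirror serving the wrong bytes) but the checksum file did not.
# The recorded digest still describes the original, so the mismatch is caught.
tampered_archive_only() {
    tmp="$work/case2.tar.gz"
    { cat "$archive"; printf 'extra bytes\n'; } > "$tmp"
    verify_download "$tmp" "$sums"
}

# Case 3: archive and checksum file were both replaced, which is what a
# compromised download host could serve. The checksum file now describes the
# replacement, so the check reports "match": a digest proves the two files
# agree with each other, not who produced them. Only a signature made with a
# key the server does not hold, checked against a copy of that key obtained
# elsewhere, tells these two cases apart.
tampered_archive_and_checksum() {
    tmp="$work/case3.tar.gz"
    tmpsums="$tmp.sha256"
    printf 'replaced archive contents\n' > "$tmp"
    printf '%s *%s\n' "$(sha256_of "$tmp")" "$(basename "$tmp")" > "$tmpsums"
    verify_download "$tmp" "$tmpsums"
}

main() {
    echo "untouched:                  $(honest_download)"
    echo "archive altered only:       $(tampered_archive_only)"
    echo "archive + checksum altered: $(tampered_archive_and_checksum)"
}
main
```

Cases 1 and 2 are what `sha256sum -c ideaIC-2020.2.2.tar.gz.sha256` already gives you, and they are worth running on every download. Case 3 is the scenario asked about above: when the checksum file is regenerated next to the replaced archive, the digest comparison passes, and only a detached signature verified against a publisher key fetched separately from the download server (the `SHA256SUMS.gpg` flow in the Ubuntu tutorial linked earlier) distinguishes it from case 1.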

The idea of someone hacking our download server from outside sounds unrealistic. The spoofing attack is a much more probable thing to happen, but it is covered by HTTPS.

-2

What do you mean it sounds unrealistic? A well-known Linux distro had their servers hacked a few years ago, and the download and checksum file were altered.

Why can't JetBrains publish signatures to verify the authenticity of their downloads and checksum files?

3

I am familiar with the case you are referring to. As far as I know, they have used an outdated version of a rather insecure content management system to host their forum and download page, no wonder it was hacked. In JetBrains we pay much more attention to our server security, I don't think it is possible to hack it from outside. If you believe this should be addressed, feel free to raise a feature request at https://youtrack.jetbrains.com/issues.

-3

In my opinion, this point of view is straight disgraceful for JetBrains! Thinking of themselves as impenetrable and therefore refusing more than a single layer of defense clearly shows a poor understanding of security. Refusing to offer GPG signatures, which is a well-known layer of security, is endangering your customers, robbing them of a chance to properly protect themselves and rendering them incapable of offering high-security products to their customers.

I was about to recommend this software suite to the company I am working for, but after reading this I do not think you meet our security expectations.

2

I actually have the case where the SHA256 does NOT match the file I downloaded, twice. I am certain I am not making an error w.r.t. any of the 1) IJ I downloaded, 2) SHA256 number I captured or 3) use of the sha256sum tool.

So my question now is what am I supposed to do?

Thank you.

0

@java developer, please provide more details. Which specific file did you download? What's the actual SHA256 for this file and what's the one in the linked sha file?

-1

@java developer @Jasonhughes @Philipp Hufnagl …I love PyCharm, but this flippant attitude and poor treatment by Mr. Petr Rastegaev is appalling. The lack of customer-needs empathy, and the simple inability to admit the truth--that he has no idea, nor influence/feedback loop to JetBrains' inner sanctum is telling. PyCharm is hacked more than any other app I use--most often if I haven't updated it and a release is out that day. These are actors playing a collaborative part in selling and maintaining an insecure app and its distribution. I loved PyCharm, but I cannot…how is Rastegaev any different from a hacker? What problem did he solve? (or create?). Very best gentlemen. -vendor agnostic

0
Hi @Vendoragnostic, thank you so much for choosing JetBrains products, and thank you so much for sharing your comment in this conversation. Sorry about all your unhappy experience, and we will keep improving the way of verifying downloads' authenticity as mentioned by @Ilya from the JetBrains Security team.
0

Hi,

The current checksum on your site for ideaIU-2025.1.tar.gz is wrong/hacked?

I checked it with different systems (Linux/Windows) and different programs.

Though I can't use this version currently. Please kindly fix.

0
Where did you download the installer? Was it https://www.jetbrains.com/idea/download/?section=linux?

Also, what error message is actually blocking you? Do you have any firewall/security apps working in the middle? Does it make a difference by installing it from the Toolbox?
0
