[FEEDBACK] Having a place to verify the signature and certificate of VCC would be nice.
interested
Synergiance
Even though there is a proper place to download the VCC installer, it doesn't guarantee that it's not getting intercepted, or worse, compromised as in hacked. A user will not be able to tell if the download was tampered with, if they cannot verify the certificate anywhere.
sync1211
Wouldn't it be enough to put a hash of the installer on the download site?
IMO verifying the integrity / signature via a public key (à la TailsOS) would be overkill for VCC.
PS: The current sha256 hash for VRChat_CreatorCompanion_Setup_2.1.6.exe would be: c21ecb446275f06e71321b0617a4569f0c6be8fe47bda44295ca5f29312089e8
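The hash check sync1211 suggests, worked through as an added example (not VRChat's or the VCC's own code). It assumes the download page publishes a plain SHA-256 hex digest or a `sha256sum`-style line, streams the installer through the hash so a large file is not read into memory at once, and compares in constant time. The sample "installer" bytes and the tampered copy are constructed inline, so the script runs offline; the only real value it touches is the 2.1.6 digest quoted above.

```python
"""
Verify a downloaded installer against a published SHA-256 checksum.

Added example, not VRChat's or the VCC's own code. It assumes the
published checksum is a plain hex string or a `sha256sum`-style line,
and uses only the Python standard library.
"""
import hashlib
import hmac
import os
import tempfile

CHUNK_SIZE = 1 << 20  # 1 MiB reads: a large installer is never loaded whole


def sha256_of_file(path: str) -> str:
    """Stream the file through SHA-256 and return the lowercase hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def normalize_digest(text: str) -> str:
    """Accept a hex digest in any case with surrounding whitespace; reject anything else."""
    value = text.strip().lower()
    if len(value) != 64 or any(c not in "0123456789abcdef" for c in value):
        raise ValueError("not a SHA-256 hex digest: %r" % text)
    return value


def parse_checksum_line(line: str) -> tuple[str, str]:
    """Parse a `sha256sum`-style line ('<hex>  <name>' or '<hex> *<name>') into (digest, name)."""
    parts = line.strip().split(None, 1)
    if len(parts) != 2:
        raise ValueError("malformed checksum line: %r" % line)
    digest, name = parts
    return normalize_digest(digest), name.lstrip("*")


def verify_file(path: str, expected: str) -> bool:
    """True only if the file's SHA-256 equals the published digest (constant-time comparison)."""
    return hmac.compare_digest(sha256_of_file(path), normalize_digest(expected))


def demo() -> dict:
    """Constructed scenario: a 'published' digest, the genuine file, and a one-bit-tampered copy."""
    genuine = b"MZ" + bytes(range(256)) * 40  # constructed stand-in for an installer, not a real PE
    tampered = bytearray(genuine)
    tampered[100] ^= 0x01                     # flip a single bit somewhere in the body
    with tempfile.TemporaryDirectory() as tmp:
        good_path = os.path.join(tmp, "Setup.exe")
        bad_path = os.path.join(tmp, "Setup_tampered.exe")
        with open(good_path, "wb") as fh:
            fh.write(genuine)
        with open(bad_path, "wb") as fh:
            fh.write(bytes(tampered))
        published = sha256_of_file(good_path)  # what the download page would list
        return {
            "genuine": verify_file(good_path, published),
            "tampered": verify_file(bad_path, published),
            "uppercase_ok": verify_file(good_path, published.upper()),
        }


if __name__ == "__main__":
    print(demo())
```

Two caveats worth keeping in mind with this approach: a hash served from the same HTTPS origin as the installer only catches corruption or a tampered mirror, not a compromise of that origin itself, which is the gap a signature under an out-of-band key (the Tails model) is meant to close; and on Windows the installer's Authenticode signature can already be checked locally with PowerShell's `Get-AuthenticodeSignature` or `signtool verify /pa`, independently of any published hash.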
Synergiance
sync1211: I don't see how it would be overkill. Fetching anything from a remote server, even a trusted one, inherently comes with some risks. Seeing as assets downloaded through VCC run unchecked through the Unity editor, and could easily contain a hostile payload, it's generally not a good idea to skimp on security, especially when it's on behalf of potentially thousands of people.
sync1211
Synergiance You're right, but it's important to consider possible attack vectors and their practicality.
Assets downloaded through VCC are downloaded from a repository and not contained within VCC itself.
It would be easier for an attacker to serve a hostile payload via a custom repository than via a modified version of VCC.
As both vrchat.com and most of the repositories use HTTPS, the identity of the server is already verified and the files are encrypted in transit which prevents tampering.
So an attacker would have to be in control of the repository or download server to inject malware via VCC.
(That is, however, if vrchat.net and the official repos are considered to be secure.)
IMO the focus should be on expanding the list of curated packages to reduce the need of third party repositories.
Momo the Monster
interested
Agreed!