Both build scripts (install-openssl_3.sh and install-openssl_1.1.1.sh) now include automatic SHA256 checksum verification:
- The script downloads the OpenSSL source archive
- It also downloads the corresponding `.sha256` file from the official OpenSSL website
- The checksum is verified before proceeding with the build
- If verification fails, the script exits with an error
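This ensures that the downloaded files match the checksums published alongside them and haven't been corrupted or tampered with in transit. Because the checksum file is fetched from the same site as the archive, this check does not cover a compromise of that site itself; GPG signature verification addresses that case.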
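The verification step described above can be implemented along these lines. This is an added example, not the code from `install-openssl_3.sh` or `install-openssl_1.1.1.sh`; the function names `verify_sha256` and `demo` are hypothetical, and it assumes `sha256sum` is installed and that the checksum file holds either a bare digest or a `sha256sum`-style line.

```bash
# Added example: hypothetical helper, not taken from the project's scripts.
# Usage: verify_sha256 <archive> <checksum-file>
# The checksum file may hold a bare hex digest or a sha256sum-style line
# ("<digest>  <name>"); only the first field of the first line is used.
verify_sha256() (
    archive=$1
    sumfile=$2

    [ -f "$archive" ] || { echo "missing archive: $archive" >&2; return 1; }
    [ -s "$sumfile" ] || { echo "missing or empty checksum file: $sumfile" >&2; return 1; }

    expected=$(awk 'NR == 1 { print tolower($1) }' "$sumfile")

    # Reject anything that is not exactly 64 hex characters, such as an
    # HTML error page saved in place of the real checksum file.
    case $expected in
        *[!0-9a-f]*) expected= ;;
    esac
    if [ "${#expected}" -ne 64 ]; then
        echo "no SHA256 digest found in $sumfile" >&2
        return 1
    fi

    actual=$(sha256sum "$archive" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "SHA256 mismatch for $archive" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
    echo "SHA256 OK: $archive"
)

# Constructed demo: a stand-in file plays the role of the downloaded archive.
demo() (
    dir=$(mktemp -d) || return 1
    printf 'constructed sample archive\n' > "$dir/sample.tar.gz"
    sha256sum "$dir/sample.tar.gz" | awk '{ print $1 }' > "$dir/sample.tar.gz.sha256"
    ok=0
    verify_sha256 "$dir/sample.tar.gz" "$dir/sample.tar.gz.sha256" || ok=1
    # Simulate modification after the checksum was published: must be rejected.
    printf 'extra bytes\n' >> "$dir/sample.tar.gz"
    verify_sha256 "$dir/sample.tar.gz" "$dir/sample.tar.gz.sha256" 2>/dev/null && ok=1
    rm -rf "$dir"
    return "$ok"
)
```

In a build script running under `set -euo pipefail`, calling `verify_sha256` as a plain statement before the extract step stops the build on any mismatch.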
- The scripts only download from the official OpenSSL website (https://www.openssl.org/source/)
- HTTPS is used for all downloads to prevent man-in-the-middle attacks
- SHA256 verification provides a strong cryptographic integrity check
- Scripts use `set -euo pipefail` to ensure they fail fast on any error
If you discover a security issue in this project, please report it to the project maintainer at:
- Always verify the GPG signature of downloaded packages when available
- Consider building in a clean, isolated environment (chroot or container)
- Review the build configuration options before compiling
- Keep your build system updated with the latest security patches