verify ROM validity

[eleVator]

Hi, which ways do we have to verify the Merlin ROM's authenticity? I only see the sha256 file inside the file i want to actually verify. Please advice how to proceed

 

[LudoK]

If you are worried that your archive may be corrupted, the SHA256 signatures are also on the download page: https://asuswrt.lostrealm.ca/download
Then, to verify the signature, you can use HashMyfiles: https://www.nirsoft.net/utils/hash_my_files.html

 

[eleVator]

I should have mentioned the developer site, i was rather worried about the validity that the ROM an that it is actually from the Developer and was looking for gpg signatures.

 

[RMerlin]

I don`t use GPG signatures. However I publish the SHA256 on a completely different server, so anyone wanting to hack a firmware and forge the SHA256 would have to hack multiple different servers.

 

[eleVator]

Yes i have been using your website Eric, and trusting the sha256sum so far, i thought i create an account here and maybe stop wondering what the reason would be not to use GPG so that we can have additional trust layer that it is actually you.

 

[RMerlin]

what the reason would be not to use GPG so that we can have additional trust layer that it is actually you.

Too much extra work for something that 0.005% of users would use.