2024-07-13 02:30 PM
Does ST publish hashes for its install packages, enabling one to check whether an archived (say) Cube IDE 1.14.1 has been corrupted?
The reason for asking is that I am developing a product for a customer and may have to send him a version which is no longer on the ST website, and he is likely to have trust issues with that.
2024-07-13 03:00 PM - edited 2024-07-13 03:04 PM
Well, the mechanics for the update process do have separate files with signing/hash mechanics. I'm not sure they are presented in a public fashion, or retrospective.
Personally I'd perhaps like to see ECDSA, and a public key from ST Micro.
The main page does offer older versions via "Select Version". I see 1.14.0 for Linux; perhaps that can upgrade / patch itself. And 1.14.0 and 1.14.1 for Windows.
https://www.st.com/en/development-tools/stm32cubeide.html
@STOne-32 @STTwo-32 package hashes?
2024-07-13 03:33 PM
Full installers (.exe files) for Windows are signed and Windows itself can verify the signature:
So this is all the user wants or needs.
OS/X packages have similar signatures. Linux - not sure.
2024-07-13 11:04 PM
Thank you Pavel. I guess that is sufficient.
Unfortunately the x.x.0 versions are usually not usable - e.g. 1.15.0 breaks the debugger and other stuff, but ST are keeping only these x.x.0 versions on their website, and only for a while. So I would have to archive the one I want to keep, and rely on the signature.
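The signature check discussed in this thread, scripted for an archived Windows installer. This is an added example, not code from any poster or from ST. It uses the built-in `Get-AuthenticodeSignature` and `Get-FileHash` cmdlets; the function name, its parameter names and the publisher pattern passed by the caller are assumptions.

```powershell
# Added example: check an archived installer before passing it on.
# Test-ArchivedInstaller and its parameters are hypothetical names.
function Test-ArchivedInstaller {
    param(
        [Parameter(Mandatory)] [string]$Path,
        # Wildcard the signer certificate subject must match. The caller
        # supplies it (read it once from a copy known to be genuine).
        [Parameter(Mandatory)] [string]$ExpectedSubject
    )

    $sig    = Get-AuthenticodeSignature -LiteralPath $Path
    $hash   = Get-FileHash -LiteralPath $Path -Algorithm SHA256
    $signer = $sig.SignerCertificate
    $tsa    = $sig.TimeStamperCertificate

    # "Valid" only says the file matches its signature and the chain is
    # trusted by this machine. It does not say who signed it, so the
    # subject is compared separately.
    $subjectOk = [bool]($signer -and ($signer.Subject -like $ExpectedSubject))
    $statusOk  = ($sig.Status -eq 'Valid')

    [pscustomobject]@{
        File          = (Resolve-Path -LiteralPath $Path).Path
        SHA256        = $hash.Hash          # record this with the archive
        Status        = $sig.Status         # Valid, HashMismatch, NotSigned, ...
        StatusMessage = $sig.StatusMessage
        Signer        = if ($signer) { $signer.Subject } else { $null }
        SignerExpires = if ($signer) { $signer.NotAfter } else { $null }
        # A timestamp countersignature keeps the signature verifiable
        # after the signing certificate itself has expired.
        Timestamped   = [bool]$tsa
        SubjectMatch  = $subjectOk
        Trusted       = ($statusOk -and $subjectOk)
    }
}

# Usage (file name and publisher pattern are placeholders):
# Test-ArchivedInstaller -Path .\archived-installer.exe `
#     -ExpectedSubject '*<publisher name from a known-good copy>*'
```

A signature without a timestamp stops validating once the signing certificate expires, so note the `Timestamped` and `SHA256` values at the time the installer is archived.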