Different-changed files in same ver. ROS 7.10.1

There were some changes in several ROS 7.10.1 files.

E.g. netinstall64.exe in netinstall64-7.10.1.zip:
ORIG netinstall64.exe 44 599 640 27/06/2023 09:46:38 ----
NEW netinstall64.exe 44 602 192 06/07/2023 09:05:16 ----

Were these and why unannounced, or did I miss something somewhere?

Later change logs and also the forum still read: What’s new in 7.10.1 (2023-Jun-27 12:03):
I would expect at least some notice about what happened and why.

Or should I expect you use CI/CD automated pipes and while under attack the malware found its way into the files?
Well, hope not, but such discrepancies of changes should be covered at least by some note in the forum.

And also, why are no official checksums provided for EXE files, or am I unable to find them?

Apologies for posting here, as for an unknown reason I cannot (am not allowed to) post into the 7.10 thread.

Regards

What’s the use of checksum, if all files are digitally signed?

Simply MikroTik re-signed some files, even previous versions, because the previous certificate expired on May 10th (and for some time they didn’t realize it).



Thanks for the explanation.

Well, in such a case I really would appreciate some words about it from MKTK
– on forum
– on download page

E.g.
- NOTICE: We have re-signed some of our EXE files due to the certificate expiration, so expect that they are no longer binary identical, even though the version is unchanged.

I think it would be helpful to find this info in:

1/ Dedicated general announcement on forum with explanation and description

2/ Everywhere where binaries are changed – in dedicated threads for each branch and program.

3/ BOLD NOTICE on download pages

And finally - although I am a freshly registered forum user,
I have read the forum for a long time, including your valuable posts.
So thank you not only for this one. :slight_smile:

Very… Thanks! :smiley:



Some things they don’t write… I wonder why… :wink:

Things are a little bit worse, so in detail below.

***/ NOT ALL are digi signed correctly or at least they appear to be so.
Example below (at the end of this post) for current downloads.

***/ Regarding checksums -- valuable (IF CORRECT) in multiple file transfer and
batch platform independent automation check whether all files are unchanged by the transfers.

***/ BTW dude has offered its checksums for its EXE files <dude-install-#####.exe>
even though they are digitally signed correctly with a valid cert.
BUT (actually BIG BUT) although the <dude-install-7.11beta4.exe> has the correct sha256 on the download page,
the file dude-install-7.10.1.exe has the wrong sha256 stated on the download page (it is the sha256 of the old file with the wrong digi cert).

OLD ver <dude-install-7.10.1.exe> SHA256: a22cd6b3d7ccc6568a19b54fbaf33f4fb228b328d7a9e346c18a269a1e60d0f3
NEW ver <dude-install-7.10.1.exe> SHA256: d3cdb9d7cfdede737ad7f8fcd00cac54e116e503662177c17d624fc8e5636f66

Regarding NOT ALL digi signed correctly -- examples below for current downloads.

MS Win 10.0.19045.3086
sigcheck -s -e -u -c .

Sigcheck v2.90 - File version and signature viewer
Copyright (C) 2004-2022 Mark Russinovich
Sysinternals - www.sysinternals.com

Publisher, Date, Verified, Path
Mikrotikls SIA, 23.05.2023 07:57, EXPIRED, .\routeros\6.48.7\btest.exe
Mikrotikls SIA, 05.01.2012 20:21, EXPIRED, .\routeros\6.48.7\dude-install-6.48.7.exe
Mikrotikls SIA, 23.05.2023 07:57, EXPIRED, .\routeros\6.48.7\flashfig.exe
Mikrotikls SIA, 23.05.2023 07:56, EXPIRED, .\routeros\6.48.7\unpacked\netinstall.exe
Mikrotikls SIA, 01.01.1970 02:00, EXPIRED, .\routeros\6.48.7\unpacked\netinstall64.exe
Mikrotikls SIA, 22.05.2023 15:44, EXPIRED, .\routeros\6.49.8\btest.exe
Mikrotikls SIA, 05.01.2012 20:21, EXPIRED, .\routeros\6.49.8\dude-install-6.49.8.exe
Mikrotikls SIA, 22.05.2023 15:45, EXPIRED, .\routeros\6.49.8\flashfig.exe
Mikrotikls SIA, 22.05.2023 15:44, EXPIRED, .\routeros\6.49.8\unpacked\netinstall.exe
Mikrotikls SIA, 01.01.1970 02:00, EXPIRED, .\routeros\6.49.8\unpacked\netinstall64.exe

EXPIRED = A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file

=== Conclusion - another reason to think that it would be helpful to have announcements for such events.

EDIT: formatting changed to not appear as an alert and appear more as an info

A file signed in the past, with a certificate that was valid at the time, but has now expired, does not mean that the file is corrupted or that the signature is forged…

You are creating Alerts for nothing…

It is rather INFO for DOCUMENTING THE SITUATION with files.
(Sometimes it is helpful to have info about what one should expect to see)

Many thanks to Mikrotik for all their hard work and great products.

The only problem with replacing files is the invalid checksums published on the web page.

I never care if files on the official download page change … as long as the published checksum matches the file downloaded at the same moment. And I don’t know why anybody should care if files actually change. Do you routinely download files and binary check them if they change? I don’t. And hence I don’t see a point in MT publishing info about replacing download files, especially so if the actual contents don’t change.
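
The thread's central point is that a re-signed EXE has a different size and full-file SHA-256 even when its contents are unchanged. The following is an added example, not code from any poster or from MikroTik: it hashes a PE file while skipping the three regions that signing rewrites (the CheckSum field, the certificate table directory entry, and the certificate table itself, the same regions Authenticode leaves out of its file hash), so two copies of the same build can be compared across a re-sign. The names `content_digest` and `make_sample` are assumptions, and the sample images are constructed stand-ins, not real installers.

```python
import hashlib
import struct

def content_digest(data: bytes) -> str:
    """SHA-256 of a PE file, skipping the regions that signing rewrites."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]        # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = pe + 24                                        # optional header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):                      # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    checksum = opt + 64                                  # CheckSum field, 4 bytes
    cert_dir = opt + (96 if magic == 0x10B else 112) + 4 * 8  # directory entry 4
    cert_off, cert_len = struct.unpack_from("<II", data, cert_dir)
    if cert_len == 0:
        cert_off = len(data)                             # unsigned file
    if cert_off < cert_dir + 8 or cert_off + cert_len > len(data):
        raise ValueError("certificate table outside file")
    h = hashlib.sha256()
    h.update(data[:checksum])
    h.update(data[checksum + 4:cert_dir])
    h.update(data[cert_dir + 8:cert_off])
    h.update(data[cert_off + cert_len:])                 # bytes after the signature
    return h.hexdigest()

def make_sample(body: bytes, sig: bytes = b"") -> bytes:
    """Constructed minimal PE32+ header + body + stand-in signature blob."""
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    hdr[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x98, 0x20B)
    if sig:
        struct.pack_into("<I", hdr, 0xD8, len(sig))      # CheckSum differs per signing
        struct.pack_into("<II", hdr, 0x128, 0x200 + len(body), len(sig))
    return bytes(hdr) + body + sig

if __name__ == "__main__":
    body = b"installer code and data " * 64              # constructed payload
    old = make_sample(body, b"signature made with expired cert " * 40)
    new = make_sample(body, b"signature made with renewed cert, longer " * 60)
    print("full-file SHA-256 equal:", hashlib.sha256(old).digest() == hashlib.sha256(new).digest())
    print("content digest equal:  ", content_digest(old) == content_digest(new))
```

A matching content digest only shows that the signed payload is the same in both copies; it does not validate the signature, so a check such as the sigcheck run shown above is still needed.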