To: flashrom@flashrom.org

Hello, everyone!

Here's a suggestion for a way to make flashrom easier to use: Please include simple and explicit instructions on how to verify and authenticate a download of flashrom.

Linux Mint's installation instructions are an excellent example of clear instructions that non-technical users can follow easily. Linux Mint provides these steps:

1. Download the operating system (which is a ".iso" file), the sha256sum checksum (in a file named "sha256sum.txt"), and the Linux Mint digital signature/key (in a file named "sha256sum.txt.gpg"). All three files are available from the single download page.

2. Put the three files in the same folder in computer memory.

3. In a terminal screen, run "sha256sum *.iso".

4. Compare the result of the hash function in step 3 with the contents of the file named "sha256sum.txt". If they match, the iso has no errors.

5. Import the Linux Mint signing key by running this command in the terminal screen: gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-key "27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09".

6. In a terminal screen, run "gpg --verify sha256sum.txt.gpg sha256sum.txt". The results will say whether the source of the download is legitimate.

The Linux Mint page is at:

https://linux-mint-installation-guide.readthedocs.io/en/latest/verify.html


The flashrom download page does not provide the sha256sum output. (I could not find it.) I ran "sha256sum flashrom" in a Linux terminal screen and used Google to search for the outcome and for more information. The Google search for the sha256sum (that I computed) returned seventeen hits. None of the hits was from an official flashrom.org man page. Most of them seem to be conversations between developers, not information for end-users. The "launchpad" webpage in the Google hits is from Ubuntu, but it has this note at the top: "flashrom (1.2-1) unstable; urgency=medium". That note suggests that the version of flashrom with the checksum "e1f8d..." is unstable and should not be used; at the least, it requires user care to install v. 1.2, not v. 1.2-1.

The flashrom download page provides the "GPG signature" and a 40-digit hexadecimal number ("584A...") that seems to be related to the gpg signature, but neither one is in a readily usable form, and the correct instruction - with the correct syntax - to use them is not presented. (I read dozens of articles on "gpg" but did not find the necessary command to use. Like many people who need to use flashrom, I am not a computer code writer, so I need your help to get the command and syntax right.)

Although I could download flashrom by using the Linux Mint Package Manager and then have reasonable confidence that the source of the file is legitimate, I would still need to confirm the sha256sum to be sure that the downloaded copy of the file is 100% correct.

The final and reliable checksum should be posted on the manual's download page (along with instructions for signature verification) so that users won't need to search for the checksum and so that users can be certain that they have the right checksum and a reliable copy of flashrom.

A defective operating system will cause problems, but it won't turn a computer into a brick. One mistake in the ROM could make the computer useless, so checking integrity and authenticity is a critical task.

I sincerely appreciate all of the work that the flashrom team has put into a very worthwhile project, and I hope that these suggestions will make flashrom useful to many more people.
 - Joe