Display MD5 / SHA256 Hashes on website

[Raydude]

Hey AHK!

I'm a systems admin for a mid-size company. Some of our developers like to use AHK (for good reason), but as you know, AV companies love to flag AHK. Part of the security struggle that I face in maintaining the freedom of my users to enjoy AHK is verifying that the quarantined AHK file hash matches the hash of the actual AHK release (to ensure that it's not malware pretending to be AHK). Right now, I have to install the latest release to a test machine and get the hash that way to compare it to the quarantined file before I release it.

Could AHK please streamline the verification process by publishing the MD5 / SHA256 hashes next to the download (on the webpage) or as a part of the downloaded package? Doing so could only help your project's adoption in corporate environments and I'm surprised that you don't already display it, given how often you've had to fight with AV companies mistaking your tool for malware.

[Raydude]

Edit: I neglected to mention the specific files that get flagged. It's probably impractical to hash and display everything, but we often see Ahk2Exe.exe getting detected and quarantined. Maybe you could have hashes published on their own minimalist page that is subtly hyperlinked below the download button.

[lexikos]

SHA256 hashes are published in the forum announcement topic and uploaded alongside each package. They can be found in the download index:
https://www.autohotkey.com/download/1.1/
https://www.autohotkey.com/download/2.0/

Hashes are provided for both the zip and exe packages. There is no need to hash individual files within the package, because a packaged with altered content would have a different hash.

I include Ahk2Exe in v1 releases, but I do not expect there to be many more v1 releases. @TAC109 publishes standalone Ahk2Exe releases on GitHub.