Info from veeery long ago because I have been out of this stuff for over a decade:
The release will have an .sfv file with a CRC32 checksum for each rar file.
The FTP server checks them after the upload completes. Back in the day glftpd with zipscript was a very popular tool to manage an FTP site. This Readme sums it up well: https://github.com/pzs-ng/pzs-ng
The sfv can be tampered with but the propagation of releases to FTPs happens very fast, within minutes. It would take you longer to meaningfully alter it than it takes the racers to distribute the original files. And once the release is completely uploaded you can't modify the files anymore.
If the release is bad, for example if it doesn't work at all or if it contains a virus, then it simply gets nuked. This propagates within minutes.
Relying on CRC32 for integrity under hostile circumstances feels deeply flawed.
A) there is no real scene any more
B) no one is getting “proper scene releases” from “proper sources” any more.
It's not a scene release. You know a release isn't tainted when you grab it from the source...
That's the whole problem. There's no way to verify the authenticity of a release aside from "getting it from a trusted source" or whatever, whereas digital signatures would easily solve this issue.
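What the SFV check discussed in this thread does and does not establish, as an added example that is not part of any post and is not pzs-ng's code: a minimal SFV parser and CRC32 verifier in Python. The file names and contents are constructed sample data, and the function names are assumptions made for this illustration.

```python
import zlib

def parse_sfv(text):
    """Return {filename: crc32} from SFV text. Lines starting with ';' are comments."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        # The CRC is the last whitespace-separated token; names may contain spaces.
        parts = line.rsplit(None, 1)
        if len(parts) != 2 or len(parts[1]) != 8:
            raise ValueError(f"malformed SFV line: {line!r}")
        entries[parts[0]] = int(parts[1], 16)
    return entries

def make_sfv(files):
    """Build SFV text for {filename: bytes}. Needs no secret, so anyone can do it."""
    return "".join(f"{n} {zlib.crc32(d):08x}\n" for n, d in sorted(files.items()))

def verify(sfv_text, files):
    """Map each file listed in the SFV to 'ok', 'bad' (CRC mismatch) or 'missing'."""
    result = {}
    for name, expected in parse_sfv(sfv_text).items():
        if name not in files:
            result[name] = "missing"
        else:
            result[name] = "ok" if zlib.crc32(files[name]) == expected else "bad"
    return result

# Constructed sample release (not real archive data).
RELEASE = {"demo.rar": b"Rar!" + b"\x00" * 64, "demo.r00": b"\x01" * 64}
SFV = "; constructed sample\n" + make_sfv(RELEASE)

def scenarios():
    changed = dict(RELEASE)
    changed["demo.r00"] = b"\x01" * 63 + b"\x02"   # one byte differs
    # Case 1: content changed, original SFV kept -> the mismatch is detected.
    against_original = verify(SFV, changed)
    # Case 2: content changed and SFV regenerated -> everything reports 'ok'.
    # The check proves the files match the SFV, not who produced either one.
    against_regenerated = verify(make_sfv(changed), changed)
    return against_original, against_regenerated

if __name__ == "__main__":
    for outcome in scenarios():
        print(outcome)
```

The second case is why the check only covers transfer errors: a signature over the SFV would tie it to a key holder, which CRC32 cannot do.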