[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Patch for the CD FAQ

On Thursday 15 December 2011 11:06:09 George Danchev wrote:
> On Wednesday 14 December 2011 13:33:37 Steve McIntyre wrote:
> > Hey folks,
> > 
> > I've got a patch from George and Thomas that they've been pestering me
> > to do something with for a while. I've made minor tweaks and added
> > some extra stuff. Please review/commit.
> Hey guys,
> Here is another patch to the CD FAQ which corrects the information about
> the verfication of the written media as given at [1]. It explains the
> problem of reading surplus amount of bytes from the written media, and how
> to properly deal with it. It also removes the link to an outdated and
> unmaintained checkiso script, suggesting another one instead. Comments and
> review welcome.
> [1] http://www.debian.org/CD/faq/#verify


The patch is improved a bit [1]. The diff with the previous version is that it 
now suggests that the media size could be deduced from the already burnt media 

Basically, the idea is that after having cryptographically verified the signed 
checksum file(s), we can safely compare these checksums to the ones calculated 
from the media itself, by reading the appropriate amount of bytes from it, 
which is the whole hassle around it.

Method 1
$ /sbin/isosize -x <device>
       sector count: 25600, sector size: 2048

$ dd if=<device> count=<sector count> bs=<sector size> | checksum_tool

Method 2
$ check_debian_iso  checksum_file <item>  <media_device>

(URL to the check_debian_iso_ script in the patch proper;
usage help is in the script proper:)

IOW, to completely verify already burnt optcal media, it is sufficient to:
* find the correct signed checksum file, and verify it of course.
* know the claimed burnt image name (Debian $version, media NNN)
(without the ISO image file itself)
* and to have the burnt optical media itself, at hand.

[1] attached is an improved version: verify-faq.2.diff.

pub 4096R/0E4BD0AB <people.fccf.net/danchev/key pgp.mit.edu>
? index.en.html
Index: index.wml
RCS file: /cvs/webwml/webwml/english/CD/faq/index.wml,v
retrieving revision 1.101
diff -u -r1.101 index.wml
--- index.wml	14 Dec 2011 16:49:30 -0000	1.101
+++ index.wml	17 Dec 2011 14:48:46 -0000
@@ -436,21 +436,59 @@
 <toc-add-entry name="verify">How can I verify that the downloaded
 CD images are correct?</toc-add-entry>
+<p>Detailed information how to authenticate the ISO image files
+via cryptographically signed checksum files is available
+on the <a href="../verify">authenticity verification page</a>.
+<p>Having the checksum files cryptographically verified we can
+also verify already written optical media, even it has been written
+by someone else.
-Detailed information is available on the <a
-href="../verify">authenticity verification page</a>.
+The problem with the verification of the written optical media is,
+that some of them will possibly deliver more bytes than those found in
+the ISO image. The trailing garbage is impossible to avoid with CD
+written in TAO mode, incremental recorded DVD-R[W], formatted DVD-RW,
+DVD+RW, BD-RE, and also with USB keys. Therefore we need to read exactly
+that many sectors of bytes from the media as they are found in the ISO
+image itself, since reading any more bytes from the media would alter
+the checksum result.
+<p>Using the <q>isosize</q> program from the <q>util-linux</q> package:
+<li>Finding out the <q>sector count</q> and the <q>sector size</q> from the optical media:
+  <pre>
+  $ /sbin/isosize -x &lt;device&gt;
+       sector count: 25600, sector size: 2048
+  </pre>
+  Where &lt;device&gt; is the device file where the optical media is loaded.
+<li>Reading back the appropriate stream of bytes from the optical media:
+  <pre>
+  $ dd if=&lt;device&gt; count=&lt;sector count&gt; bs=&lt;sector size&gt; | checksum_tool
+  </pre>
+  The byte stream is piped to the appropriate checksum tool (md5sum,
+  sha1sum, etc) and the computed checksum is to be compared with that found
+  in the appropriate and already verified checksum file (MD5SUMS, SHA1SUMS, etc).
+<p>Alternatively, there is an exhaustive, but easy to use, script called
+<a href="http://people.debian.org/~danchev/debian-iso/check_debian_iso";>
+check_debian_iso</a> which can verify the written media reading the
+appropriate amount of bytes from it, computing the checksum and
+comparing it against a checksum found in an already trusted checksum file.
-<p>An <tt>md5sum</tt> program for Windows systems is available
-as part of the <a href="http://www.cygwin.com";>Cygwin suite</a>
-(install the <q>coreutils</q> package), or you may be able to find standalone
-binaries compiled for <a href="http://www.mingw.org/";>MinGW</a>.</p>
-<p>If you want to check many CD image files or burned CDs easily
-on Unix/Linux systems, the
-<a href="http://fly.cnuce.cnr.it/software/#checkiso";>checkiso</a>
+#<p>If you want to check many CD image files or burned CDs easily
+#on Unix/Linux systems, the
+#<a href="http://fly.cnuce.cnr.it/software/#checkiso";>checkiso</a>
 #<a href="ftp://fly.cnuce.cnr.it/pub/software/unix/checkiso";>checkiso</a>
-script can be a great help.</p>
+#script can be a great help.</p>
 # ============================================================

Reply to: