Hash algorithms used by APT to verify authenticity of installed files.

To: debian-security@lists.debian.org
Subject: Hash algorithms used by APT to verify authenticity of installed files.
From: Quequanys <Quequanys@interia.pl>
Date: Sat, 23 Apr 2011 12:04:33 +0200
Message-id: <[🔎] pknyoljrojbvamdyedsp@dgdz>

Hi

Release files contain MD5, SHA1, and SHA256 

hashes. Same with Packages, Packages.gz and 

Packages.bz2.

I would like to know what hash algo is used by APT 

to verify authenticity of downloaded files when 

issuing "aptitude update" or "apt-get update" and 

when instaling packages and security fixes.

Does it fallback to weaker algorithm, if the hash 

made with stronger one is not avaible? Is there a 

way to force APT to use only selected algorithms 

so APT only accepts files verified by choosen 

algorithms, and  rejects files when required 

hashes are unavaible?

Could you point me to specific portions of 

documentation that covers this issue? Man pages of 

apt and apt-secure , dont mention it (at least in 

case of lenny), and I didnt have luck in finding 

the answer in other places.

Thanks in advance for help.

------------------------------------------------------------
Zaloguj się i zagraj w najlepsze gry!
Sprawdz >> http://linkint.pl/f2988

Reply to:

Follow-Ups:
- Re: Hash algorithms used by APT to verify authenticity of installed files.
  - From: Gian Piero Carrubba <gpiero@rm-rf.it>

Prev by Date: Re: CVE-2010-3847 fixed or not?
Next by Date: Re: Hash algorithms used by APT to verify authenticity of installed files.
Previous by thread: Re: [SECURITY] [DSA 2216-1] isc-dhcp security update
Next by thread: Re: Hash algorithms used by APT to verify authenticity of installed files.
Index(es):
- Date
- Thread