Re: Hash algorithms used by APT to verify authenticity of installed files.
* [Fri, Apr 29, 2011 at 07:57:28PM +0200] Tomasz Wozowicz:
> "ForceHash "sha256"; // hashmethod used for expected hash: sha256,
> sha1 or md5sum"
> It doesn't say what will happen if the expected hash is unavailable -
> maybe it will just use a weaker hash as fallback?
No. After all, it's named "ForceHash" not "PreferHash". :)
> I think that issues regarding security should be described clearly and
> exhaustively. Many people like me are not coders and don't understand
> source code :(
I'm not a coder either; anyway, the source seems pretty clear, so I think
it's worth reading if you care enough.
In apt-pkg/acquire-item.cc:1683 you can find the following lines:
   if (ForceHash.empty() == false)
   {
      if(stringcasecmp(ForceHash, "sha256") == 0)
         ExpectedHash = HashString("SHA256", Parse.SHA256Hash());
      else if (stringcasecmp(ForceHash, "sha1") == 0)
         ExpectedHash = HashString("SHA1", Parse.SHA1Hash());
      else
         ExpectedHash = HashString("MD5Sum", Parse.MD5Hash());
   }
   else
   {
      string Hash;
      if ((Hash = Parse.SHA256Hash()).empty() == false)
         ExpectedHash = HashString("SHA256", Hash);
      else if ((Hash = Parse.SHA1Hash()).empty() == false)
         ExpectedHash = HashString("SHA1", Hash);
      else
         ExpectedHash = HashString("MD5Sum", Parse.MD5Hash());
   }
that - apart from bugs or further manipulations of the involved variables (to
be honest I haven't investigated further) - should answer your questions.
Ciao,
Gian Piero.
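
The following is an added example, not part of the original message and not APT's own code: a stand-alone model of the quoted selection logic, plus a small audit that flags the two outcomes worth knowing about (a forced hash that is missing from the record, and a ForceHash value other than the three documented ones). Record, selectExpected and audit are hypothetical names, the hash values are constructed placeholders, and it models only this excerpt, not what APT later does with an empty expected value.

```cpp
// Added example: a stand-alone model of the selection logic quoted above.
// Record, selectExpected and audit are hypothetical names, not APT's API.
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>
#include <utility>

struct Record { std::string sha256, sha1, md5; };  // hashes listed for one package

static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Returns {hash type, expected value}, mirroring the two branches of the excerpt.
std::pair<std::string, std::string> selectExpected(const std::string &forceHash, const Record &r) {
    if (!forceHash.empty()) {
        const std::string f = lower(forceHash);
        if (f == "sha256") return {"SHA256", r.sha256};
        if (f == "sha1") return {"SHA1", r.sha1};
        return {"MD5Sum", r.md5};  // any other value lands here
    }
    if (!r.sha256.empty()) return {"SHA256", r.sha256};
    if (!r.sha1.empty()) return {"SHA1", r.sha1};
    return {"MD5Sum", r.md5};
}

// Flags the outcomes an administrator would want to know about.
std::string audit(const std::string &forceHash, const Record &r) {
    const auto sel = selectExpected(forceHash, r);
    const std::string f = lower(forceHash);
    if (!f.empty() && f != "sha256" && f != "sha1" && f != "md5sum")
        return "unrecognized ForceHash value, MD5Sum selected";
    if (sel.second.empty()) return "no " + sel.first + " value in record, nothing weaker substituted";
    if (sel.first != "SHA256" && !r.sha256.empty()) return "SHA256 available but " + sel.first + " selected";
    return "ok: " + sel.first;
}

int main() {
    const Record full{"aa11", "bb22", "cc33"};  // constructed placeholder values
    const Record old{"", "bb22", "cc33"};       // constructed: record without SHA256
    std::cout << audit("sha256", old) << "\n" << audit("sha512", full) << "\n"
              << audit("", old) << "\n" << audit("MD5Sum", full) << "\n";
}
```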