
Re: Hash algorithms used by APT to verify authenticity of installed files.



I'm not a coder either; anyway, the source seems pretty clear, so I think
it's worth reading if you care enough.

In apt-pkg/acquire-item.cc:1683 you can find the following lines:

   if (ForceHash.empty() == false)
   {
     if(stringcasecmp(ForceHash, "sha256") == 0)
       ExpectedHash = HashString("SHA256", Parse.SHA256Hash());
     else if (stringcasecmp(ForceHash, "sha1") == 0)
       ExpectedHash = HashString("SHA1", Parse.SHA1Hash());
     else
       ExpectedHash = HashString("MD5Sum", Parse.MD5Hash());
   }
   else
   {
     string Hash;
     if ((Hash = Parse.SHA256Hash()).empty() == false)
       ExpectedHash = HashString("SHA256", Hash);
     else if ((Hash = Parse.SHA1Hash()).empty() == false)
       ExpectedHash = HashString("SHA1", Hash);
     else
       ExpectedHash = HashString("MD5Sum", Parse.MD5Hash());
   }

that - apart from bugs or further manipulations of the involved variables (to
be honest I haven't investigated further) - should answer your questions.

Ciao,
Gian Piero.

--------------------------------------------------------

If I understand correctly, that code means that the default behavior
of APT is "fallback to weaker hash algo", but if the ForceHash is set
it will expect a hash made with the specific algo, but this piece of code
doesn't say what will happen when there is no expected hash. I suppose
that the answer is in a piece of code containing "ExpectedHash"....

This is C language, right? In my life I have only written some primitive
bash scripts....


Helpermr gave me a good idea - I will try to find a package that lacks
SHA256 or SHA1 in Packages/Packages.gz/Packages.bz2, then I will set
ForceHash to that algo, and try to install that package. I wonder why
I didn't try this before posting.... However, from my own experience I
know that empirical testing of software can sometimes give misleading
results. Oh, and it could be hard to find a package lacking a SHA256 or
SHA1 checksum, especially in the official repos. Google Chrome might
be a good candidate, however I have problems with manual downloading
of Packages/Packages.gz/Packages.bz2 from their repo. Maybe I'll
figure that out later.


Thanks for the help, guys.
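
The check described above (finding stanzas that lack SHA256 or SHA1, then seeing what the quoted branches select) can be done offline. This is an added example, not part of the original posts and not APT code: it parses a constructed Packages sample and mirrors the quoted branches with and without a forced hash. The names parse_stanzas, expected_hash and audit are hypothetical, and what APT does with an empty expected value is not in the quoted code and is not modelled here.

```python
import re

# Constructed sample Packages index (hash values are placeholders, not real digests).
SAMPLE = """\
Package: alpha
MD5sum: 0123456789abcdef0123456789abcdef
SHA1: 0123456789abcdef0123456789abcdef01234567
SHA256: 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef

Package: beta
Description: constructed stanza without SHA256
 continuation line
MD5sum: fedcba9876543210fedcba9876543210
SHA1: fedcba9876543210fedcba9876543210fedcba98

Package: gamma
MD5sum: 00112233445566778899aabbccddeeff
"""

def parse_stanzas(text):
    """Yield one dict per stanza, field names lower-cased."""
    for block in re.split(r"\n\s*\n", text.strip()):
        fields, last = {}, None
        for line in block.splitlines():
            if line[:1] in (" ", "\t") and last:   # continuation line
                fields[last] += "\n" + line.strip()
            elif ":" in line:
                key, _, value = line.partition(":")
                last = key.strip().lower()
                fields[last] = value.strip()
        if fields:
            yield fields

def expected_hash(stanza, force_hash=""):
    """Mirror the quoted branches; returns (type, value), value may be ''."""
    sha256, sha1, md5 = (stanza.get(k, "") for k in ("sha256", "sha1", "md5sum"))
    if force_hash:                                 # ForceHash set: no fallback
        forced = force_hash.lower()                # stringcasecmp ignores case
        if forced == "sha256":
            return ("SHA256", sha256)
        return ("SHA1", sha1) if forced == "sha1" else ("MD5Sum", md5)
    if sha256:                                     # default: strongest present
        return ("SHA256", sha256)
    return ("SHA1", sha1) if sha1 else ("MD5Sum", md5)

def audit(text, force_hash=""):
    """Map package name -> (hash type, whether a value is present)."""
    return {s["package"]: (t, bool(v)) for s in parse_stanzas(text)
            for t, v in [expected_hash(s, force_hash)]}
```

Calling audit on a real, decompressed Packages file lists every package whose selected hash is weaker than SHA256, or whose forced hash has no value in the index.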

