Re: you iso's may have been hacked
Hi,
Doug wrote:
> If the md5 sum doesn't agree with what's posted, it most likely means a
> glitch in the data transmission. Download it again.
Good advice.
One has to be aware that MD5 is not considered to be safe against malicious
manipulations but only for transport safety. If one has to fear attacks,
then file SHA512SUMS.sign and program gpg --verify should be used to verify
file SHA512SUMS. Program sha512sum should then be used to obtain the SHA512
of the ISO which hopefully matches the one that is listed in SHA512SUMS.
> You can only check the md5 sum on the download. Once you
> burn it to a CD or DVD, there's no telling what the md5 sum will be.
There is one shown in
https://www.debian.org/CD/faq/#verify
The "isosize" program can be used to find out the appropriate number
of bytes to be read from the optical media. It shows the "sector count"
and the "sector size" of the optical media, where "<device>" is the
device file of the loaded optical media.
$ /sbin/isosize -x <device>
sector count: 25600, sector size: 2048
Then "sector count" and "sector size" are passed to "dd" to read the
appropriate number of bytes from the optical media, and the byte stream
is then piped to the appropriate checksum tool (md5sum, sha1sum, etc.).
$ dd if=<device> count=<sector count> bs=<sector size> | sha1sum
The computed checksum is to be compared against the corresponding
checksum found in the appropriate checksum file (MD5SUMS, SHA1SUMS, etc).
Alternatively, there is a useful helper script called check_debian_iso
https://people.debian.org/~danchev/debian-iso/check_debian_iso
which can verify ISO image files and optical media, reading the
appropriate number of bytes from the media, then computing the checksum and
comparing it against the checksum file.
ISO image file verification.
This will compare the checksum of the debian-6.0.3-amd64-netinst.iso
image file against the corresponding checksum found in the MD5SUMS
checksum file.
$ ./check_debian_iso MD5SUMS debian-6.0.3-amd64-netinst.iso
Optical media verification.
This will compare the checksum of the media accessible as /dev/dvd
against the checksum of debian-6.0.3-amd64-DVD-1.iso as found in the
MD5SUMS checksum file. Note that the ISO image file itself is not
needed, its name is merely used to locate the corresponding checksum
in the checksum file.
$ ./check_debian_iso MD5SUMS debian-6.0.3-amd64-DVD-1.iso /dev/dvd
The proposals work for a USB stick such as /dev/sdb too.
(It is about time this all gets updated to advise the use of SHA512.)
Have a nice day :)
Thomas
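The verification flow the mail describes (check the signature on the checksum list with gpg, then hash the image, or exactly "sector count" x "sector size" bytes of the medium, and compare with the listed digest), written out as POSIX shell functions. This is an added example, not code from the original mail or from Debian's check_debian_iso script. It assumes a SHA512SUMS file in coreutils format ("<hex>  <name>"), an optional detached signature SHA512SUMS.sign, coreutils dd and sha512sum (shasum -a 512 is used where sha512sum is absent), and util-linux isosize for real media; the function and variable names are made up here. It goes a little beyond the mail in that it also shows why hashing a whole burned medium or USB stick fails: the image is followed by padding, so only a length-limited read matches.

```shell
#!/bin/sh
# Added example (not from the mail or from Debian's check_debian_iso):
# the Debian ISO verification flow as shell functions.
# Assumed: SHA512SUMS in coreutils format, SHA512SUMS.sign detached
# signature, dd, sha512sum (or shasum -a 512), and isosize for real media.

# Hash stdin with SHA-512 and print only the hex digest.
sha512_stdin() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum | cut -d' ' -f1
    else
        shasum -a 512 | cut -d' ' -f1
    fi
}

# Step 1: verify the detached signature on the checksum list before trusting
# it. A plain checksum only detects transmission errors; the gpg signature is
# what ties the list to the Debian CD signing key (which must be in your
# keyring for this to succeed).
verify_sums_signature() {   # verify_sums_signature SHA512SUMS.sign SHA512SUMS
    gpg --verify "$1" "$2"
}

# Step 2: print the digest listed for an image name. Returns 1 if the name
# is not in the list. A leading '*' (binary-mode marker) is tolerated.
expected_sum() {            # expected_sum SHA512SUMS image-name
    awk -v name="$2" '
        { sub(/^\*/, "", $2) }
        $2 == name { print $1; found = 1 }
        END { if (!found) exit 1 }' "$1"
}

# Step 3a: digest of a whole ISO image file.
image_sum() {               # image_sum image-file
    sha512_stdin < "$1"
}

# Step 3b: digest of exactly count*bs bytes of a device. Burned media and
# USB sticks are larger than the image and end in padding, so hashing the
# whole device never matches; "isosize -x" yields count and bs.
media_geometry() {          # media_geometry device  -> prints "count bs"
    /sbin/isosize -x "$1" |
        sed 's/sector count: \([0-9]*\), sector size: \([0-9]*\)/\1 \2/'
}
media_sum() {               # media_sum device count bs
    dd if="$1" count="$2" bs="$3" 2>/dev/null | sha512_stdin
}

# Compare a computed digest with the listed one.
# Returns 0 on match, 1 on mismatch, 2 if the image is not listed.
check_sum() {               # check_sum SHA512SUMS image-name computed-digest
    want=$(expected_sum "$1" "$2") || return 2
    [ "$want" = "$3" ]
}

# Typical use (image file, then a burned DVD), not run here:
#   verify_sums_signature SHA512SUMS.sign SHA512SUMS || exit 1
#   check_sum SHA512SUMS debian-6.0.3-amd64-netinst.iso \
#       "$(image_sum debian-6.0.3-amd64-netinst.iso)"
#   set -- $(media_geometry /dev/dvd)
#   check_sum SHA512SUMS debian-6.0.3-amd64-DVD-1.iso \
#       "$(media_sum /dev/dvd "$1" "$2")"
```

Run the signature check first and stop on failure; a matching digest from an unsigned or tampered SHA512SUMS proves nothing. For USB sticks the same media_sum call applies with /dev/sdb in place of /dev/dvd, using the count and block size from the ISO itself if isosize cannot read the stick.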