
Re: you iso's may have been hacked



Hi,

Doug wrote:

> If the md5 sum doesn't agree with what's posted, it most likely means a
> glitch in the data transmission. Download it again.

Good advice.

One has to be aware that MD5 is not considered to be safe against malicious
manipulations but only for transport safety. If one has to fear attacks,
then file SHA512SUMS.sign and program gpg --verify should be used to verify
file SHA512SUMS. Program sha512sum should then be used to obtain the SHA512
of the ISO which hopefully matches the one that is listed in SHA512SUMS.


> You can only check the md5 sum on the download. Once you
> burn it to a CD or DVD, there's no telling what the md5 sum will be.

There is one shown in
  https://www.debian.org/CD/faq/#verify

  The "isosize" program can be used to find out the appropriate amount
  of bytes to be read from the optical media. It shows the "sector count"
  and the "sector size" from the optical media, where "<device>" is the
  device file of the loaded optical media.
    $ /sbin/isosize -x <device>
    sector count: 25600, sector size: 2048
  Then "sector count" and "sector size" are passed to "dd" to read the
  appropriate amount of bytes from the optical media and the byte stream
  is then piped to the appropriate checksum tool (md5sum, sha1sum, etc).
    $ dd if=<device> count=<sector count> bs=<sector size> | sha1sum
  The computed checksum is to be compared against the corresponding
  checksum found in the appropriate checksum file (MD5SUMS, SHA1SUMS, etc).

  Alternatively, there is a useful helper script called check_debian_iso
    https://people.debian.org/~danchev/debian-iso/check_debian_iso
  which can verify ISO image files and optical media, reading the
  appropriate amount of bytes from media then computing the checksum and
  comparing it against the checksum file.

  ISO image file verification.
  This will compare the checksum of the debian-6.0.3-amd64-netinst.iso
  image file against the corresponding checksum found in the MD5SUMS
  checksum file.
    $ ./check_debian_iso MD5SUMS debian-6.0.3-amd64-netinst.iso

  Optical media verification.
  This will compare the checksum of the media accessible as /dev/dvd
  against the checksum of debian-6.0.3-amd64-DVD-1.iso as found in the
  MD5SUMS checksum file. Note that the ISO image file itself is not
  needed, its name is merely used to locate the corresponding checksum
  in the checksum file.
    $ ./check_debian_iso MD5SUMS debian-6.0.3-amd64-DVD-1.iso /dev/dvd


The proposals work for USB stick /dev/sdb too.
(It is about time this all gets updated to advise the use of SHA512.)


Have a nice day :)

Thomas
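The procedure above (check the signature on the checksum list, read exactly "sector count" times "sector size" bytes from the medium, hash them, compare against the entry for the image name) as a small POSIX shell script. This is an added example written for this page, not the check_debian_iso helper or any Debian script. It assumes coreutils (dd, sha512sum, head, mktemp), uses SHA512SUMS rather than MD5SUMS as the mail recommends, and includes an offline demo built from a constructed 8192-byte fake image plus a padded fake device file; on a real disc or USB stick the geometry comes from `/sbin/isosize -x <device>` as in the FAQ, and the image name, device path and file names are placeholders.

```shell
#!/bin/sh
# Added example (not from the mail or from Debian): verify an ISO image or
# the medium written from it against a SHA512SUMS file, reading only
# sector_count * sector_size bytes from the medium.
set -u

# Step 0, real downloads only: check the detached signature on the checksum
# list before trusting any line in it (needs the Debian CD signing key in
# the local keyring). Not exercised by the offline demo.
verify_sums_signature() {
    # $1 = SHA512SUMS, $2 = SHA512SUMS.sign
    gpg --verify "$2" "$1"
}

# Parse "sector count: 25600, sector size: 2048" (isosize -x output) from
# stdin and print "<count> <size>".
parse_isosize() {
    awk -F'[:,]' '{ gsub(/ /, "", $2); gsub(/ /, "", $4); print $2, $4 }'
}

# Geometry of a loaded optical medium; /sbin/isosize path as in the FAQ.
iso_geometry() {
    # $1 = device file, e.g. /dev/dvd
    /sbin/isosize -x "$1" | parse_isosize
}

# Expected hash for an image name. Lines look like "<hex>  <filename>";
# a leading '*' (binary-mode marker) on the filename is tolerated.
expected_sum() {
    # $1 = checksum file, $2 = image file name
    awk -v name="$2" '{ f = $2; sub(/^\*/, "", f); if (f == name) { print $1; exit } }' "$1"
}

# Hash exactly sector_count * sector_size bytes. A burned DVD or a dd'd USB
# stick is larger than the ISO, so hashing the whole device never matches.
media_sum() {
    # $1 = device or file, $2 = sector count, $3 = sector size
    dd if="$1" count="$2" bs="$3" 2>/dev/null | sha512sum | awk '{ print $1 }'
}

# Compare and report: 0 on match, 1 on mismatch or unknown image name.
verify_media() {
    # $1 = checksum file, $2 = image name, $3 = device or file,
    # $4 = sector count, $5 = sector size
    want=$(expected_sum "$1" "$2")
    [ -n "$want" ] || { echo "no entry for $2 in $1" >&2; return 1; }
    got=$(media_sum "$3" "$4" "$5")
    if [ "$got" = "$want" ]; then
        echo "OK: $3 matches $2"
        return 0
    fi
    echo "MISMATCH: $3 does not match $2" >&2
    return 1
}

# Offline demo with constructed data: a fake 4-sector "ISO" (4 * 2048 bytes)
# and a fake "device" holding the same bytes plus 4096 bytes of zero padding,
# plus a SHA512SUMS file in the format Debian publishes. Prints the directory.
demo_setup() {
    demo_dir=$(mktemp -d)
    head -c 8192 /dev/urandom > "$demo_dir/debian-example.iso"
    { cat "$demo_dir/debian-example.iso"; head -c 4096 /dev/zero; } > "$demo_dir/fake-device"
    ( cd "$demo_dir" && sha512sum debian-example.iso > SHA512SUMS )
    echo "$demo_dir"
}
```

Against a real medium the call is `verify_media SHA512SUMS debian-X-amd64-DVD-1.iso /dev/dvd $(iso_geometry /dev/dvd)`, after `verify_sums_signature SHA512SUMS SHA512SUMS.sign` has succeeded; for a USB stick substitute its device file, as the mail notes. The demo's padded device is the point of the exercise: hashing the right number of sectors matches, hashing the whole device does not.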
