Re: xorriso and the "-md5 on" option

To: debian-user@lists.debian.org
Subject: Re: xorriso and the "-md5 on" option
From: "Thomas Schmitt" <scdbackup@gmx.net>
Date: Sat, 21 Dec 2019 23:21:35 +0100
Message-id: <[🔎] 7928693875155260507@scdbackup.webframe.org>
In-reply-to: <[🔎] 21122019202650.f242c0b52062@desktop.copernicus.org.uk>
References: <[🔎] 21122019202650.f242c0b52062@desktop.copernicus.org.uk>

Hi,

> I am extracting files from a Debian ISO as follows:
> xorriso -osirrox on -md5 on -indev debian-10.2.0-i386-DVD-10.iso -extract pool/main test/
> Will the files in test/ have the same md5sum as the ones in the ISO?

The first problem with this wish is that Debian ISOs are not created with MD5
checksums on libisofs level. So xorriso cannot check the ISO and its data file
contents for alterations.

The overall integrity of an ISO can be verified by its lines in the various
*SUMS files which accompany the ISO images in their download directories.
The integrity of *SUMS can be verified by the *SUMS.sign files.
For an example see
https://wiki.debian.org/JigdoOnLive#Verify_the_Debian_Live_download

If debian-10.2.0-i386-DVD-10.iso passes this verification and your disk
hardware is healthy, then you can trust on getting extracted undamaged files.

Nevertheless, since you are downloading a pool of .deb files, you may verify
them by Debian's means after extraction.
Others here will surely have proposals how to verify a whole pool tree.

> What will the output show if there is a problem with extraction?

If it went bad on a DVD then you will probably see messages about SCSI
read errors.
If you read from an image file with damaged data file content but with
plausible meta data, then you might see no complaint at all.

------------------------------------------------------------------------

The second problem is that xorriso verifies its MD5 checksums only while
the files are still in the ISO image. A verification after extraction is not
yet possible. But it seems to be a useful feature.

So for now you would verify the files in the ISO by e.g.

xorriso -md5 on -indev "$the_iso" \
-check_md5_r sorry / -- \
| tee /tmp/report_of_mismatched_files

You may list checksums and file paths in the ISO by

xorriso -md5 on -indev "$the_iso" -find / -exec get_md5 -- >/tmp/md5sums

I will consider how i can implement a MD5 check of the extracted data files.

But convincing debian-cd and live-wrapper to use xorrisofs option --md5
and xorriso command -md5 "on" will be somebody else's job.

Debian is on a little crusade against MD5 because it is meanwhile considered
unsuitable for security purposes. As transport and storage checksum it is
still fully sufficient, but against malicious intent it is too weak.

Have a nice day :)

Thomas

Reply to:

Follow-Ups:
- Re: xorriso and the "-md5 on" option
  - From: Brian <ad44@cityscape.co.uk>

References:
- xorriso and the "-md5 on" option
  - From: Brian <ad44@cityscape.co.uk>

Prev by Date: Re: xorriso and the "-md5 on" option
Next by Date: Re: xorriso and the "-md5 on" option
Previous by thread: Re: xorriso and the "-md5 on" option [SOLVED]
Next by thread: Re: xorriso and the "-md5 on" option
Index(es):
- Date
- Thread