
Re: xorriso and the "-md5 on" option



Hi,

I wrote:
> > Others here will surely have proposals how to verify a whole pool tree.

Brian wrote:
> I can get the MD5sum for each file in the ISO and for each extracted
> file. I suppose it is a matter of meaningfully comparing both lists.

If you only want to know whether the extraction worked flawlessly, you
could simply compare the files in the mounted ISO and the extracted pool
tree. Command "diff -q -r" should be able to do this.

But actually I meant the Debian package verification mechanisms. Like
what is described in
  https://debian-handbook.info/browse/stable/sect.package-authentication.html


xorriso wrote:
> Not a single file with MD5 checksum was found. (There is no MD5 checksum array loaded.)

As said in my previous mail, the production of the ISO by debian-cd or
live-wrapper does not tell xorriso to compute and store MD5 sums. So there
are none to read when the ISO metadata get loaded, and none present when you
execute the -check_md5_r command.


> If it is of consequence, the ISO was made by jigdo.

Charles Curley wrote:
> Doesn't jigdo verify each file as jigdo pulls it in?

It does implicitly by the MD5s in the .jigdo file, which are used to find the
package names by the MD5s which are placeholders in the .template file.

  $ file debian-8.8.0-amd64-netinst.jigdo
  debian-8.8.0-amd64-netinst.jigdo: gzip compressed data, max compression, from Unix
  $ gunzip <debian-8.8.0-amd64-netinst.jigdo
  ...
  [Parts]
  d9uPSqhxXD7UHdoHFGcsNQ=Debian:pool/main/m/mtdev/libmtdev1-udeb_1.1.5-1_amd64.udeb
  ... lots of more lines ...

The encoding is base64, not hex. One may convert by

  $ echo 'd9uPSqhxXD7UHdoHFGcsNQ' | base64 -d | od -A n -v -t x1 | sed -e 's/ //g'
  base64: invalid input
  77db8f4aa8715c3ed41dda0714672c35

Despite the complaint from base64, the result is correct:

  $ wget https://debian.ues.edu.sv/debian/pool/main/m/mtdev/libmtdev1-udeb_1.1.5-1_amd64.udeb
  ...
  $ md5sum libmtdev1-udeb_1.1.5-1_amd64.udeb
  77db8f4aa8715c3ed41dda0714672c35  libmtdev1-udeb_1.1.5-1_amd64.udeb

I am not sure whether the Jigdo download tools check the packages by the
means of Debian package verification.
As said, MD5 is good enough for detecting unintended mishaps, but not for
detecting intentional and skillfully camouflaged alteration.


Have a nice day :)

Thomas
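
Added example, not part of the original mail and not code from jigdo or xorriso: a Python sketch that reads the [Parts] section of a .jigdo file, restores the base64 padding that "base64 -d" complained about, and compares the resulting hex MD5s against file contents. The function names, the second sample line and the use of the URL-safe base64 alphabet are assumptions; as the mail says, a match only rules out accidental damage.

```python
import base64
import gzip
import hashlib

def jigdo_md5_to_hex(token):
    """Convert jigdo's unpadded base64 MD5 into the hex form md5sum prints."""
    padded = token + "=" * (-len(token) % 4)  # re-add the stripped "==" padding
    # Assumption: jigdo uses the '-'/'_' alphabet; alphanumerics decode the same.
    raw = base64.urlsafe_b64decode(padded)
    if len(raw) != 16:
        raise ValueError("not an MD5 digest: %r" % token)
    return raw.hex()

def parse_parts(jigdo_bytes):
    """Return {path: md5 hex} from the [Parts] section of a (gzipped) .jigdo."""
    if jigdo_bytes[:2] == b"\x1f\x8b":  # gzip magic, as reported by file(1)
        jigdo_bytes = gzip.decompress(jigdo_bytes)
    parts, in_parts = {}, False
    for line in jigdo_bytes.decode("utf-8", "replace").splitlines():
        line = line.strip()
        if line.startswith("["):
            in_parts = line == "[Parts]"
        elif in_parts and "=" in line and not line.startswith("#"):
            token, uri = line.split("=", 1)
            # Drop the "Debian:" server label, keep the pool path.
            parts[uri.partition(":")[2]] = jigdo_md5_to_hex(token)
    return parts

def find_problems(parts, read_bytes):
    """Return {path: 'missing' | 'mismatch'}; read_bytes(path) -> bytes or None."""
    problems = {}
    for path, want in sorted(parts.items()):
        data = read_bytes(path)
        if data is None:
            problems[path] = "missing"
        elif hashlib.md5(data).hexdigest() != want:
            problems[path] = "mismatch"
    return problems

# Constructed sample: the first [Parts] line is the one quoted in the mail,
# the second is made up (MD5 of an empty file) so the demo runs offline.
SAMPLE_JIGDO = b"""[Jigdo]
[Parts]
d9uPSqhxXD7UHdoHFGcsNQ=Debian:pool/main/m/mtdev/libmtdev1-udeb_1.1.5-1_amd64.udeb
1B2M2Y8AsgTpgAmY7PhCfg=Debian:pool/constructed/empty.bin
"""
SAMPLE_FILES = {"pool/constructed/empty.bin": b""}

if __name__ == "__main__":
    print(find_problems(parse_parts(SAMPLE_JIGDO), SAMPLE_FILES.get))
```

To check an extracted tree, pass a read_bytes callable that opens the path below the extraction directory and returns None when the file does not exist.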

