cancel
Showing results for 
Search instead for 
Did you mean: 

MD5 checksums to ensure delivered package integrity?

Scholar

MD5 checksums to ensure delivered package integrity?

Hello,

 

I hope for some assistance .I have been given to understand that Portage may be configured to execute SHA-level package verification upon receipt as a matter of course. Is this true; or does this system rely exclusively upon MD5 checksums to ensure delivered package integrity?

Relatedly, how are received packages verified at the Gentoo side before redistribution to end-user installations?

Next, what vetting is required regarding individuals involved in the chain of custody for packages which are distributed ? .I checked many firewall configuration explainer videos but did not find any solution to my problem.Please help me out.

 

Any help will be appreciated.
Thank you.

2 REPLIES
Superuser

Re: MD5 checksums to ensure delivered package integrity?

Hello,

 

In case of Windows OS based F-Secure product releases, the .EXE or .MSI files are internally signed with a crypto certificate. This means a modified installer package (e.g. damaged download or unauthorized hack) simply will not run.

 

In case of Linux OS based F-Secure product releases, the vendor provides a list of MD5 hash values for the .DEB and .RPM packages, which can be manually compared.

For example "F-Secure Policy Manager Server version 13.10 build 84021 for Debian Package Manager(64-bit only)" is "ab52c43aa49b7d78ce9db18700ebaeec".

 

Please see here for download packages and checksums:

https://www.f-secure.com/en/web/business_global/downloads

 

(On the other hand the use of MD5 hash algorithm is considered obsolete nowadays, because it can be counterfeited relatively easily. Most vendors have moved to SHA-1 or even SHA-256 and I think F-Secure should also follow suit.)

 

Best Regards: Tamas Feher, Hungary.

Superuser

Re: MD5 checksums to ensure delivered package integrity?

The MD5 is not a "proof of origin" but a quick checksum to see if the downloaded was done without errors. If an attacker would be able to replace the file he would also be able to modify the file containing the MD5.

 

But even if he would try to replace the file with a rugue one, that has the same MD5 his effort to find a match would still be "tough", SHA256 would make it hard, but then the above is still true.

 

So for the purpose the MD5 is fine - having both values available would at least stop this question to become a FAQ.

Matthias
----------
perComp is a Platinum Partner of F-Secure since 1994. Any advice or help given by me in this forum is voluntarily and to my best knowledge based on working with the products since 1997. Direct contact for customers please check our homepage http://www.percomp.de