On 01/12/14 at 09:58am, Taylor Hornby wrote:
> On 01/12/2014 02:58 AM, Rashif Ray Rahman wrote:
> > On 12 January 2014 14:09, Taylor Hornby <havoc@xxxxxxxxx> wrote:
> >> Are there other packages still being verified with MD5? Can we fix them
> >> too? I'll gladly donate my time if it's not something that can be automated.
> >
> > Of the 4890 base packages shown by ABS, 2988 are MD5-only. That is
> > 61%, or more than half.
> >
>
> Wow, that's quite a lot.
>
> Do I understand correctly that the hashes are relied on for security? In
> other words, is it the package (containing the PKGBUILD) that's signed,
> and once it's verified, it's the PKGBUILD's responsibility to check the
> integrity of the files it needs?
>
> If so, this should be fixed as soon as possible. How feasible would it
> be? Could it be as simple as making a script that:
>
> 1. Finds the 'source' and 'md5sums' lines.
> 2. Downloads the packages and checks the md5sums.
> 3. Computes the SHA256sums, and adds them to the file.
>
> If there's anything I can do to help, let me know.
>
> --
> Taylor Hornby

No, you don't rely on hashes for security; hashes are for integrity
checks. Signatures are for the verification of a file or message, since
anyone can replace the hash on the server and upload a new tarball.

Signatures can only be created by the developer's private key, it hashes
a file or message, then encrypts this hash with his private key. Then
the developer puts the signature and tarball on a server. Everyone who
has somehow obtained the developer's public key can verify that the
tarball hasn't been tampered with by creating a hash from the tarball
and comparing it with the decrypted signature (original hash).

If a hacker uploaded a malicious tarball, he would be able to create a
new hash, but wouldn't be able to create a new valid signature.

PS: the explanation of signing isn't exactly correct, since I didn't
explain that the hash is actually not encrypted with the private key.
A nice explanation of PGP can be found here:
http://www.pgpi.org/doc/pgpintro/

PS2: You may raise more concerns about TrueCrypt's code.
http://istruecryptauditedyet.com/

--
Jelle van der Waa
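The three-step script proposed in the quoted message, as an added example that is not part of the thread or of any Arch tooling. It assumes the sources are already downloaded into `srcdir` (no network step), that the PKGBUILD uses only simple scalar variables, and that `SKIP` entries are passed through; all function names are hypothetical.

```python
import hashlib
import re
import tempfile
from pathlib import Path

def parse_array(text, name):
    """Items of a bash array assignment such as md5sums=('a' 'b')."""
    m = re.search(rf"^{name}=\((.*?)\)", text, re.S | re.M)
    return re.findall(r"""['"]?([^\s'"]+)['"]?""", m.group(1)) if m else []

def expand(item, text):
    """Substitute $var / ${var} from the PKGBUILD's simple scalar assignments."""
    scalars = dict(re.findall(r"^(\w+)=['\"]?([^\s'\"()]+)['\"]?$", text, re.M))
    return re.sub(r"\$\{?(\w+)\}?", lambda m: scalars.get(m.group(1), m.group(0)), item)

def local_name(entry):
    """'name::url' is stored as name, anything else as the last path component."""
    return entry.split("::", 1)[0] if "::" in entry else entry.rsplit("/", 1)[-1]

def sha256sums_for(pkgbuild, srcdir):
    """Steps 1-3: read source/md5sums, verify each file, emit a sha256sums line."""
    names = [local_name(expand(s, pkgbuild)) for s in parse_array(pkgbuild, "source")]
    md5s = parse_array(pkgbuild, "md5sums")
    if len(names) != len(md5s):
        raise ValueError("source and md5sums have different lengths")
    sums = []
    for name, md5 in zip(names, md5s):
        if md5 == "SKIP":              # entry that is not checksummed
            sums.append("SKIP")
            continue
        data = (Path(srcdir) / name).read_bytes()
        if hashlib.md5(data).hexdigest() != md5.lower():
            raise ValueError(f"md5 mismatch for {name}, refusing to emit a new hash")
        sums.append(hashlib.sha256(data).hexdigest())
    return "sha256sums=(" + " ".join(f"'{s}'" for s in sums) + ")"

def demo():  # constructed sample: one tarball plus one SKIP entry, in a temp dir
    payload = b"constructed sample tarball bytes\n"
    pkgbuild = (
        "pkgname=example\npkgver=1.0\n"
        "source=(\"http://example.invalid/$pkgname-${pkgver}.tar.gz\"\n"
        "        'example.sig::http://example.invalid/sig')\n"
        f"md5sums=('{hashlib.md5(payload).hexdigest()}'\n         'SKIP')\n"
    )
    with tempfile.TemporaryDirectory() as d:
        Path(d, "example-1.0.tar.gz").write_bytes(payload)
        return sha256sums_for(pkgbuild, d)

if __name__ == "__main__":
    print(demo())
```

The SHA-256 emitted here vouches only for the bytes that matched the existing MD5; it does not authenticate where those bytes came from, which is the distinction the reply draws between hashes and signatures.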